Commit | Line | Data |
---|---|---|
a4b7cc35 GKH |
1 | From edaf28e996af69222b2cb40455dbb5459c2b875a Mon Sep 17 00:00:00 2001 |
2 | From: Eric Biggers <ebiggers@google.com> | |
3 | Date: Tue, 9 Apr 2019 23:46:30 -0700 | |
4 | Subject: crypto: salsa20 - don't access already-freed walk.iv | |
5 | ||
6 | From: Eric Biggers <ebiggers@google.com> | |
7 | ||
8 | commit edaf28e996af69222b2cb40455dbb5459c2b875a upstream. | |
9 | ||
10 | If the user-provided IV needs to be aligned to the algorithm's | |
11 | alignmask, then skcipher_walk_virt() copies the IV into a new aligned | |
12 | buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then | |
13 | if the caller unconditionally accesses walk.iv, it's a use-after-free. | |
14 | ||
15 | salsa20-generic doesn't set an alignmask, so currently it isn't affected | |
16 | by this despite unconditionally accessing walk.iv. However this is more | |
17 | subtle than desired, and it was actually broken prior to the alignmask | |
18 | being removed by commit b62b3db76f73 ("crypto: salsa20-generic - cleanup | |
19 | and convert to skcipher API"). | |
20 | ||
21 | Since salsa20-generic does not update the IV and does not need any IV | |
22 | alignment, update it to use req->iv instead of walk.iv. | |
23 | ||
24 | Fixes: 2407d60872dd ("[CRYPTO] salsa20: Salsa20 stream cipher") | |
25 | Cc: stable@vger.kernel.org | |
26 | Signed-off-by: Eric Biggers <ebiggers@google.com> | |
27 | Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> | |
28 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
29 | ||
30 | --- | |
31 | crypto/salsa20_generic.c | 2 +- | |
32 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
33 | ||
34 | --- a/crypto/salsa20_generic.c | |
35 | +++ b/crypto/salsa20_generic.c | |
36 | @@ -161,7 +161,7 @@ static int salsa20_crypt(struct skcipher | |
37 | ||
38 | err = skcipher_walk_virt(&walk, req, true); | |
39 | ||
40 | - salsa20_init(state, ctx, walk.iv); | |
41 | + salsa20_init(state, ctx, req->iv); | |
42 | ||
43 | while (walk.nbytes > 0) { | |
44 | unsigned int nbytes = walk.nbytes; |
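
Review bot: At `salsa20_init(state, ctx, req->iv);`, the `err` assigned from `skcipher_walk_virt()` two lines earlier is still not checked before the cipher state is initialised, so in the visible context a failed walk is handled only by `while (walk.nbytes > 0)` not being entered. Consider returning early with `if (err) return err;` directly after the walk is set up, which makes the failure path explicit instead of relying on `walk.nbytes`. A one-line comment at the `salsa20_init()` call saying that `req->iv` is used deliberately, because `walk.iv` may already be freed when the walk fails, would also keep a later cleanup from switching it back.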