crypto: CVE-2017-17805

crypto: salsa20 - fix blkcipher_walk API usage References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=bbda4c57b91619642a94b193531312fe01bc2398 Change-Id: Ib25a70e786140a500ed7bb8360903e10f27d830f Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 15:15:02 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-25 13:23:26 +0200
commit: 51a87e70c1fb375de584f8f951ce36f35a197abe (patch)
tree: 7b94c5e22f3653a5a5acde93c0f1830bb6b62bf8
parent: 9a81c6699785afeba2d3afcdb682652bf7844108 (diff)
download: enea-kernel-cache-51a87e70c1fb375de584f8f951ce36f35a197abe.tar.gz
2 files changed, 100 insertions, 0 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index 475bc09..97f8d60 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -25,3 +25,6 @@ patch CVE-2017-1000111-packet-fix-tp_reserve-race-in-packet_set_ring.patch
 #fixed in 4.1.45
 patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
+#fixed in 4.1.49
+patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
diff --git a/patches/cve/CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch b/patches/cve/CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
new file mode 100644
index 0000000..bb08580
--- /dev/null
+++ b/patches/cve/CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
@@ -0,0 +1,97 @@
+From bbda4c57b91619642a94b193531312fe01bc2398 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 28 Nov 2017 20:56:59 -0800
+Subject: [PATCH] crypto: salsa20 - fix blkcipher_walk API usage
+[ Upstream commit ecaaab5649781c5a0effdaf298a925063020500e ]
+When asked to encrypt or decrypt 0 bytes, both the generic and x86
+implementations of Salsa20 crash in blkcipher_walk_done(), either when
+doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
+because walk->buffer and walk->page have not been initialized.
+The bug is that Salsa20 is calling blkcipher_walk_done() even when
+nothing is in 'walk.nbytes'.  But blkcipher_walk_done() is only meant to
+be called when a nonzero number of bytes have been provided.
+The broken code is part of an optimization that tries to make only one
+call to salsa20_encrypt_bytes() to process inputs that are not evenly
+divisible by 64 bytes.  To fix the bug, just remove this "optimization"
+and use the blkcipher_walk API the same way all the other users do.
+Reproducer:
+    #include <linux/if_alg.h>
+    #include <sys/socket.h>
+    #include <unistd.h>
+    int main()
+    {
+            int algfd, reqfd;
+            struct sockaddr_alg addr = {
+                    .salg_type = "skcipher",
+                    .salg_name = "salsa20",
+            };
+            char key[16] = { 0 };
+            algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+            bind(algfd, (void *)&addr, sizeof(addr));
+            reqfd = accept(algfd, 0, 0);
+            setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
+            read(reqfd, key, sizeof(key));
+    }
+CVE: CVE-2017-17805 
+Upstream-Status: Backport  
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
+Cc: <stable@vger.kernel.org> # v2.6.25+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ arch/x86/crypto/salsa20_glue.c | 7 -------
+ crypto/salsa20_generic.c       | 7 -------
+ 2 files changed, 14 deletions(-)
+diff --git a/arch/x86/crypto/salsa20_glue.c b/arch/x86/crypto/salsa20_glue.c
+index 399a29d..cb91a64 100644
+--- a/arch/x86/crypto/salsa20_glue.c
+++ b/arch/x86/crypto/salsa20_glue.c
+@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc *desc,
+ 
+        salsa20_ivsetup(ctx, walk.iv);
+ 
+-       if (likely(walk.nbytes == nbytes))
+-       {
+-               salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
+-                                     walk.dst.virt.addr, nbytes);
+-               return blkcipher_walk_done(desc, &walk, 0);
+-       }
+-
+        while (walk.nbytes >= 64) {
+                salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
+                                      walk.dst.virt.addr,
+diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c
+index f550b5d..d7da0ee 100644
+--- a/crypto/salsa20_generic.c
+++ b/crypto/salsa20_generic.c
+@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc,
+ 
+        salsa20_ivsetup(ctx, walk.iv);
+ 
+-       if (likely(walk.nbytes == nbytes))
+-       {
+-               salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
+-                                     walk.src.virt.addr, nbytes);
+-               return blkcipher_walk_done(desc, &walk, 0);
+-       }
+-
+        while (walk.nbytes >= 64) {
+                salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
+                                      walk.src.virt.addr,
+-- 
+2.7.4
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 15:15:02 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-25 13:23:26 +0200
commit	51a87e70c1fb375de584f8f951ce36f35a197abe (patch)
tree	7b94c5e22f3653a5a5acde93c0f1830bb6b62bf8
parent	9a81c6699785afeba2d3afcdb682652bf7844108 (diff)
download	enea-kernel-cache-51a87e70c1fb375de584f8f951ce36f35a197abe.tar.gz

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 475bc09..97f8d60 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc
@@ -25,3 +25,6 @@ patch CVE-2017-1000111-packet-fix-tp_reserve-race-in-packet_set_ring.patch
25	#fixed in 4.1.45	25	#fixed in 4.1.45
26	patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch	26	patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
27		27
		28	#fixed in 4.1.49
		29	patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
		30


diff --git a/patches/cve/CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch b/patches/cve/CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch new file mode 100644 index 0000000..bb08580 --- /dev/null +++ b/patches/cve/CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
@@ -0,0 +1,97 @@
		1	From bbda4c57b91619642a94b193531312fe01bc2398 Mon Sep 17 00:00:00 2001
		2	From: Eric Biggers <ebiggers@google.com>
		3	Date: Tue, 28 Nov 2017 20:56:59 -0800
		4	Subject: [PATCH] crypto: salsa20 - fix blkcipher_walk API usage
		5
		6	[ Upstream commit ecaaab5649781c5a0effdaf298a925063020500e ]
		7
		8	When asked to encrypt or decrypt 0 bytes, both the generic and x86
		9	implementations of Salsa20 crash in blkcipher_walk_done(), either when
		10	doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
		11	because walk->buffer and walk->page have not been initialized.
		12
		13	The bug is that Salsa20 is calling blkcipher_walk_done() even when
		14	nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to
		15	be called when a nonzero number of bytes have been provided.
		16
		17	The broken code is part of an optimization that tries to make only one
		18	call to salsa20_encrypt_bytes() to process inputs that are not evenly
		19	divisible by 64 bytes. To fix the bug, just remove this "optimization"
		20	and use the blkcipher_walk API the same way all the other users do.
		21
		22	Reproducer:
		23
		24	#include <linux/if_alg.h>
		25	#include <sys/socket.h>
		26	#include <unistd.h>
		27
		28	int main()
		29	{
		30	int algfd, reqfd;
		31	struct sockaddr_alg addr = {
		32	.salg_type = "skcipher",
		33	.salg_name = "salsa20",
		34	};
		35	char key[16] = { 0 };
		36
		37	algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
		38	bind(algfd, (void *)&addr, sizeof(addr));
		39	reqfd = accept(algfd, 0, 0);
		40	setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
		41	read(reqfd, key, sizeof(key));
		42	}
		43
		44	CVE: CVE-2017-17805
		45	Upstream-Status: Backport
		46
		47	Reported-by: syzbot <syzkaller@googlegroups.com>
		48	Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
		49	Cc: <stable@vger.kernel.org> # v2.6.25+
		50	Signed-off-by: Eric Biggers <ebiggers@google.com>
		51	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
		52	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
		53	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		54	---
		55	arch/x86/crypto/salsa20_glue.c \| 7 -------
		56	crypto/salsa20_generic.c \| 7 -------
		57	2 files changed, 14 deletions(-)
		58
		59	diff --git a/arch/x86/crypto/salsa20_glue.c b/arch/x86/crypto/salsa20_glue.c
		60	index 399a29d..cb91a64 100644
		61	--- a/arch/x86/crypto/salsa20_glue.c
		62	+++ b/arch/x86/crypto/salsa20_glue.c
		63	@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc *desc,
		64
		65	salsa20_ivsetup(ctx, walk.iv);
		66
		67	- if (likely(walk.nbytes == nbytes))
		68	- {
		69	- salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
		70	- walk.dst.virt.addr, nbytes);
		71	- return blkcipher_walk_done(desc, &walk, 0);
		72	- }
		73	-
		74	while (walk.nbytes >= 64) {
		75	salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
		76	walk.dst.virt.addr,
		77	diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c
		78	index f550b5d..d7da0ee 100644
		79	--- a/crypto/salsa20_generic.c
		80	+++ b/crypto/salsa20_generic.c
		81	@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc,
		82
		83	salsa20_ivsetup(ctx, walk.iv);
		84
		85	- if (likely(walk.nbytes == nbytes))
		86	- {
		87	- salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
		88	- walk.src.virt.addr, nbytes);
		89	- return blkcipher_walk_done(desc, &walk, 0);
		90	- }
		91	-
		92	while (walk.nbytes >= 64) {
		93	salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
		94	walk.src.virt.addr,
		95	--
		96	2.7.4
		97