2010-10-19 21:23:00 +08:00
/*
* algif_hash : User - space interface for hash algorithms
*
* This file provides the user - space API for hash algorithms .
*
* Copyright ( c ) 2010 Herbert Xu < herbert @ gondor . apana . org . au >
*
* This program is free software ; you can redistribute it and / or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation ; either version 2 of the License , or ( at your option )
* any later version .
*
*/
# include <crypto/hash.h>
# include <crypto/if_alg.h>
# include <linux/init.h>
# include <linux/kernel.h>
# include <linux/mm.h>
# include <linux/module.h>
# include <linux/net.h>
# include <net/sock.h>
struct hash_ctx {
struct af_alg_sgl sgl ;
u8 * result ;
2017-10-18 08:00:39 +01:00
struct crypto_wait wait ;
2010-10-19 21:23:00 +08:00
unsigned int len ;
bool more ;
struct ahash_request req ;
} ;
2016-09-01 17:16:44 +08:00
static int hash_alloc_result ( struct sock * sk , struct hash_ctx * ctx )
{
unsigned ds ;
if ( ctx - > result )
return 0 ;
ds = crypto_ahash_digestsize ( crypto_ahash_reqtfm ( & ctx - > req ) ) ;
ctx - > result = sock_kmalloc ( sk , ds , GFP_KERNEL ) ;
if ( ! ctx - > result )
return - ENOMEM ;
memset ( ctx - > result , 0 , ds ) ;
return 0 ;
}
static void hash_free_result ( struct sock * sk , struct hash_ctx * ctx )
{
unsigned ds ;
if ( ! ctx - > result )
return ;
ds = crypto_ahash_digestsize ( crypto_ahash_reqtfm ( & ctx - > req ) ) ;
sock_kzfree_s ( sk , ctx - > result , ds ) ;
ctx - > result = NULL ;
}
2015-03-02 15:37:48 +08:00
static int hash_sendmsg ( struct socket * sock , struct msghdr * msg ,
size_t ignored )
2010-10-19 21:23:00 +08:00
{
int limit = ALG_MAX_PAGES * PAGE_SIZE ;
struct sock * sk = sock - > sk ;
struct alg_sock * ask = alg_sk ( sk ) ;
struct hash_ctx * ctx = ask - > private ;
long copied = 0 ;
int err ;
if ( limit > sk - > sk_sndbuf )
limit = sk - > sk_sndbuf ;
lock_sock ( sk ) ;
if ( ! ctx - > more ) {
2016-09-01 17:16:44 +08:00
if ( ( msg - > msg_flags & MSG_MORE ) )
hash_free_result ( sk , ctx ) ;
2017-10-18 08:00:39 +01:00
err = crypto_wait_req ( crypto_ahash_init ( & ctx - > req ) , & ctx - > wait ) ;
2010-10-19 21:23:00 +08:00
if ( err )
goto unlock ;
}
ctx - > more = 0 ;
2014-12-15 21:39:31 -05:00
while ( msg_data_left ( msg ) ) {
int len = msg_data_left ( msg ) ;
2010-10-19 21:23:00 +08:00
2014-11-28 16:39:25 -05:00
if ( len > limit )
len = limit ;
2010-10-19 21:23:00 +08:00
2014-11-28 16:39:25 -05:00
len = af_alg_make_sg ( & ctx - > sgl , & msg - > msg_iter , len ) ;
if ( len < 0 ) {
err = copied ? 0 : len ;
goto unlock ;
}
2010-10-19 21:23:00 +08:00
2014-11-28 16:39:25 -05:00
ahash_request_set_crypt ( & ctx - > req , ctx - > sgl . sg , NULL , len ) ;
2010-10-19 21:23:00 +08:00
2017-10-18 08:00:39 +01:00
err = crypto_wait_req ( crypto_ahash_update ( & ctx - > req ) ,
& ctx - > wait ) ;
2014-11-28 16:39:25 -05:00
af_alg_free_sg ( & ctx - > sgl ) ;
if ( err )
goto unlock ;
2010-10-19 21:23:00 +08:00
2014-11-28 16:39:25 -05:00
copied + = len ;
iov_iter_advance ( & msg - > msg_iter , len ) ;
2010-10-19 21:23:00 +08:00
}
err = 0 ;
ctx - > more = msg - > msg_flags & MSG_MORE ;
if ( ! ctx - > more ) {
2016-09-01 17:16:44 +08:00
err = hash_alloc_result ( sk , ctx ) ;
if ( err )
goto unlock ;
2010-10-19 21:23:00 +08:00
ahash_request_set_crypt ( & ctx - > req , NULL , ctx - > result , 0 ) ;
2017-10-18 08:00:39 +01:00
err = crypto_wait_req ( crypto_ahash_final ( & ctx - > req ) ,
& ctx - > wait ) ;
2010-10-19 21:23:00 +08:00
}
unlock :
release_sock ( sk ) ;
return err ? : copied ;
}
static ssize_t hash_sendpage ( struct socket * sock , struct page * page ,
int offset , size_t size , int flags )
{
struct sock * sk = sock - > sk ;
struct alg_sock * ask = alg_sk ( sk ) ;
struct hash_ctx * ctx = ask - > private ;
int err ;
2013-11-24 22:36:28 -08:00
if ( flags & MSG_SENDPAGE_NOTLAST )
flags | = MSG_MORE ;
2010-10-19 21:23:00 +08:00
lock_sock ( sk ) ;
sg_init_table ( ctx - > sgl . sg , 1 ) ;
sg_set_page ( ctx - > sgl . sg , page , size , offset ) ;
2016-09-01 17:16:44 +08:00
if ( ! ( flags & MSG_MORE ) ) {
err = hash_alloc_result ( sk , ctx ) ;
if ( err )
goto unlock ;
} else if ( ! ctx - > more )
hash_free_result ( sk , ctx ) ;
2010-10-19 21:23:00 +08:00
ahash_request_set_crypt ( & ctx - > req , ctx - > sgl . sg , ctx - > result , size ) ;
if ( ! ( flags & MSG_MORE ) ) {
if ( ctx - > more )
err = crypto_ahash_finup ( & ctx - > req ) ;
else
err = crypto_ahash_digest ( & ctx - > req ) ;
} else {
if ( ! ctx - > more ) {
err = crypto_ahash_init ( & ctx - > req ) ;
2017-10-18 08:00:39 +01:00
err = crypto_wait_req ( err , & ctx - > wait ) ;
2010-10-19 21:23:00 +08:00
if ( err )
goto unlock ;
}
err = crypto_ahash_update ( & ctx - > req ) ;
}
2017-10-18 08:00:39 +01:00
err = crypto_wait_req ( err , & ctx - > wait ) ;
2010-10-19 21:23:00 +08:00
if ( err )
goto unlock ;
ctx - > more = flags & MSG_MORE ;
unlock :
release_sock ( sk ) ;
return err ? : size ;
}
2015-03-02 15:37:48 +08:00
static int hash_recvmsg ( struct socket * sock , struct msghdr * msg , size_t len ,
int flags )
2010-10-19 21:23:00 +08:00
{
struct sock * sk = sock - > sk ;
struct alg_sock * ask = alg_sk ( sk ) ;
struct hash_ctx * ctx = ask - > private ;
unsigned ds = crypto_ahash_digestsize ( crypto_ahash_reqtfm ( & ctx - > req ) ) ;
2016-09-01 17:16:44 +08:00
bool result ;
2010-10-19 21:23:00 +08:00
int err ;
if ( len > ds )
len = ds ;
else if ( len < ds )
msg - > msg_flags | = MSG_TRUNC ;
lock_sock ( sk ) ;
2016-09-01 17:16:44 +08:00
result = ctx - > result ;
err = hash_alloc_result ( sk , ctx ) ;
if ( err )
goto unlock ;
ahash_request_set_crypt ( & ctx - > req , NULL , ctx - > result , 0 ) ;
2016-11-21 15:34:00 +08:00
if ( ! result & & ! ctx - > more ) {
2017-10-18 08:00:39 +01:00
err = crypto_wait_req ( crypto_ahash_init ( & ctx - > req ) ,
& ctx - > wait ) ;
2016-11-17 22:07:58 +08:00
if ( err )
goto unlock ;
}
if ( ! result | | ctx - > more ) {
2010-10-19 21:23:00 +08:00
ctx - > more = 0 ;
2017-10-18 08:00:39 +01:00
err = crypto_wait_req ( crypto_ahash_final ( & ctx - > req ) ,
& ctx - > wait ) ;
2010-10-19 21:23:00 +08:00
if ( err )
goto unlock ;
}
2014-04-06 21:51:23 -04:00
err = memcpy_to_msg ( msg , ctx - > result , len ) ;
2010-10-19 21:23:00 +08:00
unlock :
2016-11-17 22:07:58 +08:00
hash_free_result ( sk , ctx ) ;
2010-10-19 21:23:00 +08:00
release_sock ( sk ) ;
return err ? : len ;
}
2017-03-09 08:09:05 +00:00
static int hash_accept ( struct socket * sock , struct socket * newsock , int flags ,
bool kern )
2010-10-19 21:23:00 +08:00
{
struct sock * sk = sock - > sk ;
struct alg_sock * ask = alg_sk ( sk ) ;
struct hash_ctx * ctx = ask - > private ;
struct ahash_request * req = & ctx - > req ;
crypto: algif_hash - avoid zero-sized array
With this reproducer:
struct sockaddr_alg alg = {
.salg_family = 0x26,
.salg_type = "hash",
.salg_feat = 0xf,
.salg_mask = 0x5,
.salg_name = "digest_null",
};
int sock, sock2;
sock = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(sock, (struct sockaddr *)&alg, sizeof(alg));
sock2 = accept(sock, NULL, NULL);
setsockopt(sock, SOL_ALG, ALG_SET_KEY, "\x9b\xca", 2);
accept(sock2, NULL, NULL);
==== 8< ======== 8< ======== 8< ======== 8< ====
one can immediatelly see an UBSAN warning:
UBSAN: Undefined behaviour in crypto/algif_hash.c:187:7
variable length array bound value 0 <= 0
CPU: 0 PID: 15949 Comm: syz-executor Tainted: G E 4.4.30-0-default #1
...
Call Trace:
...
[<ffffffff81d598fd>] ? __ubsan_handle_vla_bound_not_positive+0x13d/0x188
[<ffffffff81d597c0>] ? __ubsan_handle_out_of_bounds+0x1bc/0x1bc
[<ffffffffa0e2204d>] ? hash_accept+0x5bd/0x7d0 [algif_hash]
[<ffffffffa0e2293f>] ? hash_accept_nokey+0x3f/0x51 [algif_hash]
[<ffffffffa0e206b0>] ? hash_accept_parent_nokey+0x4a0/0x4a0 [algif_hash]
[<ffffffff8235c42b>] ? SyS_accept+0x2b/0x40
It is a correct warning, as hash state is propagated to accept as zero,
but creating a zero-length variable array is not allowed in C.
Fix this as proposed by Herbert -- do "?: 1" on that site. No sizeof or
similar happens in the code there, so we just allocate one byte even
though we do not use the array.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net> (maintainer:CRYPTO API)
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-12-15 14:31:01 +01:00
char state [ crypto_ahash_statesize ( crypto_ahash_reqtfm ( req ) ) ? : 1 ] ;
2010-10-19 21:23:00 +08:00
struct sock * sk2 ;
struct alg_sock * ask2 ;
struct hash_ctx * ctx2 ;
2015-11-01 17:11:19 +08:00
bool more ;
2010-10-19 21:23:00 +08:00
int err ;
2015-11-01 17:11:19 +08:00
lock_sock ( sk ) ;
more = ctx - > more ;
err = more ? crypto_ahash_export ( req , state ) : 0 ;
release_sock ( sk ) ;
2010-10-19 21:23:00 +08:00
if ( err )
return err ;
2017-03-09 08:09:05 +00:00
err = af_alg_accept ( ask - > parent , newsock , kern ) ;
2010-10-19 21:23:00 +08:00
if ( err )
return err ;
sk2 = newsock - > sk ;
ask2 = alg_sk ( sk2 ) ;
ctx2 = ask2 - > private ;
2015-11-01 17:11:19 +08:00
ctx2 - > more = more ;
if ( ! more )
return err ;
2010-10-19 21:23:00 +08:00
err = crypto_ahash_import ( & ctx2 - > req , state ) ;
if ( err ) {
sock_orphan ( sk2 ) ;
sock_put ( sk2 ) ;
}
return err ;
}
static struct proto_ops algif_hash_ops = {
. family = PF_ALG ,
. connect = sock_no_connect ,
. socketpair = sock_no_socketpair ,
. getname = sock_no_getname ,
. ioctl = sock_no_ioctl ,
. listen = sock_no_listen ,
. shutdown = sock_no_shutdown ,
. getsockopt = sock_no_getsockopt ,
. mmap = sock_no_mmap ,
. bind = sock_no_bind ,
. setsockopt = sock_no_setsockopt ,
. release = af_alg_release ,
. sendmsg = hash_sendmsg ,
. sendpage = hash_sendpage ,
. recvmsg = hash_recvmsg ,
. accept = hash_accept ,
} ;
2016-01-08 21:31:04 +08:00
static int hash_check_key ( struct socket * sock )
{
2016-01-15 22:01:08 +08:00
int err = 0 ;
2016-01-08 21:31:04 +08:00
struct sock * psk ;
struct alg_sock * pask ;
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-03 11:16:27 -08:00
struct crypto_ahash * tfm ;
2016-01-08 21:31:04 +08:00
struct sock * sk = sock - > sk ;
struct alg_sock * ask = alg_sk ( sk ) ;
2016-01-15 22:01:08 +08:00
lock_sock ( sk ) ;
2016-01-08 21:31:04 +08:00
if ( ask - > refcnt )
2016-01-15 22:01:08 +08:00
goto unlock_child ;
2016-01-08 21:31:04 +08:00
psk = ask - > parent ;
pask = alg_sk ( ask - > parent ) ;
tfm = pask - > private ;
err = - ENOKEY ;
2016-01-15 22:01:08 +08:00
lock_sock_nested ( psk , SINGLE_DEPTH_NESTING ) ;
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-03 11:16:27 -08:00
if ( crypto_ahash_get_flags ( tfm ) & CRYPTO_TFM_NEED_KEY )
2016-01-08 21:31:04 +08:00
goto unlock ;
if ( ! pask - > refcnt + + )
sock_hold ( psk ) ;
ask - > refcnt = 1 ;
sock_put ( psk ) ;
err = 0 ;
unlock :
release_sock ( psk ) ;
2016-01-15 22:01:08 +08:00
unlock_child :
release_sock ( sk ) ;
2016-01-08 21:31:04 +08:00
return err ;
}
static int hash_sendmsg_nokey ( struct socket * sock , struct msghdr * msg ,
size_t size )
{
int err ;
err = hash_check_key ( sock ) ;
if ( err )
return err ;
return hash_sendmsg ( sock , msg , size ) ;
}
static ssize_t hash_sendpage_nokey ( struct socket * sock , struct page * page ,
int offset , size_t size , int flags )
{
int err ;
err = hash_check_key ( sock ) ;
if ( err )
return err ;
return hash_sendpage ( sock , page , offset , size , flags ) ;
}
static int hash_recvmsg_nokey ( struct socket * sock , struct msghdr * msg ,
size_t ignored , int flags )
{
int err ;
err = hash_check_key ( sock ) ;
if ( err )
return err ;
return hash_recvmsg ( sock , msg , ignored , flags ) ;
}
static int hash_accept_nokey ( struct socket * sock , struct socket * newsock ,
2017-03-09 08:09:05 +00:00
int flags , bool kern )
2016-01-08 21:31:04 +08:00
{
int err ;
err = hash_check_key ( sock ) ;
if ( err )
return err ;
2017-03-09 08:09:05 +00:00
return hash_accept ( sock , newsock , flags , kern ) ;
2016-01-08 21:31:04 +08:00
}
static struct proto_ops algif_hash_ops_nokey = {
. family = PF_ALG ,
. connect = sock_no_connect ,
. socketpair = sock_no_socketpair ,
. getname = sock_no_getname ,
. ioctl = sock_no_ioctl ,
. listen = sock_no_listen ,
. shutdown = sock_no_shutdown ,
. getsockopt = sock_no_getsockopt ,
. mmap = sock_no_mmap ,
. bind = sock_no_bind ,
. setsockopt = sock_no_setsockopt ,
. release = af_alg_release ,
. sendmsg = hash_sendmsg_nokey ,
. sendpage = hash_sendpage_nokey ,
. recvmsg = hash_recvmsg_nokey ,
. accept = hash_accept_nokey ,
} ;
2010-10-19 21:23:00 +08:00
static void * hash_bind ( const char * name , u32 type , u32 mask )
{
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-03 11:16:27 -08:00
return crypto_alloc_ahash ( name , type , mask ) ;
2010-10-19 21:23:00 +08:00
}
static void hash_release ( void * private )
{
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-03 11:16:27 -08:00
crypto_free_ahash ( private ) ;
2010-10-19 21:23:00 +08:00
}
static int hash_setkey ( void * private , const u8 * key , unsigned int keylen )
{
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-03 11:16:27 -08:00
return crypto_ahash_setkey ( private , key , keylen ) ;
2010-10-19 21:23:00 +08:00
}
2016-01-13 15:00:36 +08:00
static void hash_sock_destruct ( struct sock * sk )
2010-10-19 21:23:00 +08:00
{
struct alg_sock * ask = alg_sk ( sk ) ;
struct hash_ctx * ctx = ask - > private ;
2016-09-01 17:16:44 +08:00
hash_free_result ( sk , ctx ) ;
2010-10-19 21:23:00 +08:00
sock_kfree_s ( sk , ctx , ctx - > len ) ;
2016-01-08 21:31:04 +08:00
af_alg_release_parent ( sk ) ;
}
2016-01-13 15:00:36 +08:00
static int hash_accept_parent_nokey ( void * private , struct sock * sk )
2010-10-19 21:23:00 +08:00
{
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-03 11:16:27 -08:00
struct crypto_ahash * tfm = private ;
2010-10-19 21:23:00 +08:00
struct alg_sock * ask = alg_sk ( sk ) ;
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-03 11:16:27 -08:00
struct hash_ctx * ctx ;
unsigned int len = sizeof ( * ctx ) + crypto_ahash_reqsize ( tfm ) ;
2010-10-19 21:23:00 +08:00
ctx = sock_kmalloc ( sk , len , GFP_KERNEL ) ;
if ( ! ctx )
return - ENOMEM ;
2016-09-01 17:16:44 +08:00
ctx - > result = NULL ;
2010-10-19 21:23:00 +08:00
ctx - > len = len ;
ctx - > more = 0 ;
2017-10-18 08:00:39 +01:00
crypto_init_wait ( & ctx - > wait ) ;
2010-10-19 21:23:00 +08:00
ask - > private = ctx ;
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-03 11:16:27 -08:00
ahash_request_set_tfm ( & ctx - > req , tfm ) ;
2010-10-19 21:23:00 +08:00
ahash_request_set_callback ( & ctx - > req , CRYPTO_TFM_REQ_MAY_BACKLOG ,
2017-10-18 08:00:39 +01:00
crypto_req_done , & ctx - > wait ) ;
2010-10-19 21:23:00 +08:00
sk - > sk_destruct = hash_sock_destruct ;
return 0 ;
}
2016-01-08 21:31:04 +08:00
static int hash_accept_parent ( void * private , struct sock * sk )
{
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-03 11:16:27 -08:00
struct crypto_ahash * tfm = private ;
2016-01-08 21:31:04 +08:00
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-03 11:16:27 -08:00
if ( crypto_ahash_get_flags ( tfm ) & CRYPTO_TFM_NEED_KEY )
2016-01-08 21:31:04 +08:00
return - ENOKEY ;
2016-01-13 15:00:36 +08:00
return hash_accept_parent_nokey ( private , sk ) ;
2016-01-08 21:31:04 +08:00
}
2010-10-19 21:23:00 +08:00
static const struct af_alg_type algif_type_hash = {
. bind = hash_bind ,
. release = hash_release ,
. setkey = hash_setkey ,
. accept = hash_accept_parent ,
2016-01-08 21:31:04 +08:00
. accept_nokey = hash_accept_parent_nokey ,
2010-10-19 21:23:00 +08:00
. ops = & algif_hash_ops ,
2016-01-08 21:31:04 +08:00
. ops_nokey = & algif_hash_ops_nokey ,
2010-10-19 21:23:00 +08:00
. name = " hash " ,
. owner = THIS_MODULE
} ;
static int __init algif_hash_init ( void )
{
return af_alg_register_type ( & algif_type_hash ) ;
}
static void __exit algif_hash_exit ( void )
{
int err = af_alg_unregister_type ( & algif_type_hash ) ;
BUG_ON ( err ) ;
}
module_init ( algif_hash_init ) ;
module_exit ( algif_hash_exit ) ;
MODULE_LICENSE ( " GPL " ) ;