linux/lib
Nicolai Stange 0bb5c9ead6 lib/mpi: mpi_read_raw_from_sgl(): fix out-of-bounds buffer access
Within the copying loop in mpi_read_raw_from_sgl(), the last input SGE's
byte count gets artificially extended as follows:

  if (sg_is_last(sg) && (len % BYTES_PER_MPI_LIMB))
    len += BYTES_PER_MPI_LIMB - (len % BYTES_PER_MPI_LIMB);

Within the following byte copying loop, this causes reads beyond that
SGE's allocated buffer:

  BUG: KASAN: slab-out-of-bounds in mpi_read_raw_from_sgl+0x331/0x650
                                     at addr ffff8801e168d4d8
  Read of size 1 by task systemd-udevd/721
  [...]
  Call Trace:
   [<ffffffff818c4d35>] dump_stack+0xbc/0x117
   [<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
   [<ffffffff814af5d1>] ? print_section+0x61/0xb0
   [<ffffffff814b1109>] print_trailer+0x179/0x2c0
   [<ffffffff814bc524>] object_err+0x34/0x40
   [<ffffffff814bfdc7>] kasan_report_error+0x307/0x8c0
   [<ffffffff814bf315>] ? kasan_unpoison_shadow+0x35/0x50
   [<ffffffff814bf38e>] ? kasan_kmalloc+0x5e/0x70
   [<ffffffff814c0ad1>] kasan_report+0x71/0xa0
   [<ffffffff81938171>] ? mpi_read_raw_from_sgl+0x331/0x650
   [<ffffffff814bf1a6>] __asan_load1+0x46/0x50
   [<ffffffff81938171>] mpi_read_raw_from_sgl+0x331/0x650
   [<ffffffff817f41b6>] rsa_verify+0x106/0x260
   [<ffffffff817f40b0>] ? rsa_set_pub_key+0xf0/0xf0
   [<ffffffff818edc79>] ? sg_init_table+0x29/0x50
   [<ffffffff817f4d22>] ? pkcs1pad_sg_set_buf+0xb2/0x2e0
   [<ffffffff817f5b74>] pkcs1pad_verify+0x1f4/0x2b0
   [<ffffffff81831057>] public_key_verify_signature+0x3a7/0x5e0
   [<ffffffff81830cb0>] ? public_key_describe+0x80/0x80
   [<ffffffff817830f0>] ? keyring_search_aux+0x150/0x150
   [<ffffffff818334a4>] ? x509_request_asymmetric_key+0x114/0x370
   [<ffffffff814b83f0>] ? kfree+0x220/0x370
   [<ffffffff818312c2>] public_key_verify_signature_2+0x32/0x50
   [<ffffffff81830b5c>] verify_signature+0x7c/0xb0
   [<ffffffff81835d0c>] pkcs7_validate_trust+0x42c/0x5f0
   [<ffffffff813c391a>] system_verify_data+0xca/0x170
   [<ffffffff813c3850>] ? top_trace_array+0x9b/0x9b
   [<ffffffff81510b29>] ? __vfs_read+0x279/0x3d0
   [<ffffffff8129372f>] mod_verify_sig+0x1ff/0x290
  [...]

The exact purpose of the len extension isn't clear to me, but due to
its form, I suspect that it's a leftover somehow accounting for leading
zero bytes within the most significant output limb.

Note however that without that len adjustement, the total number of bytes
ever processed by the inner loop equals nbytes and thus, the last output
limb gets written at this point. Thus the net effect of the len adjustement
cited above is just to keep the inner loop running for some more
iterations, namely < BYTES_PER_MPI_LIMB ones, reading some extra bytes from
beyond the last SGE's buffer and discarding them afterwards.

Fix this issue by purging the extension of len beyond the last input SGE's
buffer length.

Fixes: 2d4d1eea54 ("lib/mpi: Add mpi sgl helpers")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-04-05 20:35:51 +08:00
..
842 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2016-03-17 21:38:27 -07:00
fonts fonts: Add 6x10 font 2014-10-09 11:35:48 +03:00
lz4 lz4: fix system halt at boot kernel on x86_64 2015-05-24 11:56:29 -07:00
lzo lzo: check for length overrun in variable length encoding. 2014-09-28 11:08:01 +02:00
mpi lib/mpi: mpi_read_raw_from_sgl(): fix out-of-bounds buffer access 2016-04-05 20:35:51 +08:00
raid6 powerpc: Create disable_kernel_{fp,altivec,vsx,spe}() 2015-12-01 13:52:25 +11:00
reed_solomon
xz lib/xz: enable all filters by default in Kconfig 2014-06-04 16:54:18 -07:00
zlib_deflate zlib_deflate/deftree: remove bi_reverse() 2015-09-10 13:29:01 -07:00
zlib_inflate zlib: clean up some dead code 2014-08-06 18:01:24 -07:00
.gitignore
argv_split.c argv_split(): teach it to handle mutable strings 2013-04-29 18:28:19 -07:00
asn1_decoder.c ASN.1: Handle 'ANY OPTIONAL' in grammar 2015-08-05 13:38:07 +01:00
assoc_array.c assoc_array: Include rcupdate.h for call_rcu() definition 2015-01-07 16:08:41 +00:00
atomic64_test.c x86/cpufeature: Carve out X86_FEATURE_* 2016-01-30 11:22:17 +01:00
atomic64.c atomic: Provide atomic_{or,xor,and} 2015-07-27 14:06:24 +02:00
audit.c syscalls: implement execveat() system call 2014-12-13 12:42:51 -08:00
bcd.c
bch.c
bitmap.c lib/bitmap.c: conversion routines to/from u32 array 2016-02-19 22:54:09 -05:00
bitrev.c ARM: 8187/1: add CONFIG_HAVE_ARCH_BITREVERSE to support rbit instruction 2014-12-22 16:43:06 +00:00
bsearch.c
btree.c treewide: Remove old email address 2015-11-23 09:44:58 +01:00
bug.c lib/bug.c: use common WARN helper 2016-03-17 15:09:34 -07:00
build_OID_registry X.509: do not emit any informational output 2013-06-19 17:54:06 +02:00
bust_spinlocks.c printk: Provide a wake_up_klogd() off-case 2013-03-22 16:41:20 -07:00
check_signature.c
checksum.c ipv4: Update parameters for csum_tcpudp_magic to their original types 2016-03-13 23:55:13 -04:00
clz_ctz.c lib/clz_ctz.c: add prototype declarations in lib/clz_ctz.c 2014-04-03 16:21:12 -07:00
clz_tab.c
cmdline.c lib: Add a generic cmdline parse function parse_option_str 2014-10-03 18:40:58 +01:00
compat_audit.c audit: Add generic compat syscall support 2014-03-20 10:11:35 -04:00
cordic.c
cpu_rmap.c sched/topology: Rename topology_thread_cpumask() to topology_sibling_cpumask() 2015-05-27 15:22:15 +02:00
cpu-notifier-error-inject.c
cpumask.c cpumask: Export cpumask_any_but() 2016-02-29 09:35:20 +01:00
crc7.c lib/crc7: Shift crc7() output left 1 bit 2014-05-16 14:26:52 -04:00
crc8.c
crc16.c
crc32.c lib: crc32: Add some additional __pure annotations 2014-06-25 16:04:00 -07:00
crc32defs.h
crc-ccitt.c
crc-itu-t.c lib: crc-itu-t.[ch] fix 0x0x prefix in integer constants 2015-05-26 15:26:43 +02:00
crc-t10dif.c lib: introduce crc_t10dif_update() 2015-05-30 22:42:24 -07:00
ctype.c
debug_info.c kbuild: include core debug info when DEBUG_INFO_REDUCED 2015-06-11 15:08:32 +02:00
debug_locks.c mutex: Add support for wound/wait style locks 2013-06-26 12:10:56 +02:00
debugobjects.c debugobjects: Allow bigger number of early boot objects 2016-01-27 15:40:59 +01:00
dec_and_lock.c
decompress_bunzip2.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress_inflate.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress_unlz4.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress_unlzma.c lib/decompress_unlzma: Do a NULL check for pointer 2015-09-10 13:29:01 -07:00
decompress_unlzo.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress_unxz.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress.c lib/decompress: set the compressor name to NULL on error 2015-07-17 16:39:54 -07:00
devres.c devres: use to_pci_dev() 2016-02-07 23:17:59 -08:00
digsig.c KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
div64.c __div64_32(): make it overridable at compile time 2015-11-16 14:42:12 -05:00
dma-debug.c dma-debug: switch check from _text to _stext 2016-01-14 16:00:49 -08:00
dma-noop.c dma: Provide simple noop dma ops 2016-03-02 17:01:55 +02:00
dump_stack.c dump_stack: avoid potential deadlocks 2016-02-05 18:10:40 -08:00
dynamic_debug.c convert a bunch of open-coded instances of memdup_user_nul() 2016-01-04 10:26:58 -05:00
dynamic_queue_limits.c lib/dynamic_queue_limits.c: simplify includes 2015-02-12 18:54:15 -08:00
earlycpio.c earlycpio.c: Fix the confusing comment of find_cpio_data(). 2013-08-14 23:24:01 +02:00
extable.c extable: add support for relative extables to search and sort routines 2016-02-24 14:57:26 +00:00
fault-inject.c fault-inject: fix inverted interval/probability values in printk 2015-10-23 17:55:10 +09:00
fdt_empty_tree.c lib: add fdt_empty_tree.c 2014-04-30 19:49:37 +01:00
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
fdt.c
find_bit.c lib: rename lib/find_next_bit.c to lib/find_bit.c 2015-04-17 09:03:54 -04:00
flex_array.c reciprocal_divide: update/correction of the algorithm 2014-01-21 23:17:20 -08:00
flex_proportions.c lib+mm: fix few spelling mistakes 2016-02-15 11:18:23 +01:00
gcd.c
gen_crc32table.c lib: crc32: constify crc32 lookup table 2015-02-13 21:21:35 -08:00
genalloc.c CPM/QE: use genalloc to manage CPM/QE muram 2015-12-22 17:10:18 -06:00
glob.c lib/glob.c: add CONFIG_GLOB_SELFTEST 2014-08-06 18:01:25 -07:00
halfmd4.c lib/halfmd4.c: use rol32 inline function in the ROUND macro 2015-11-06 17:50:42 -08:00
hexdump.c lib/hexdump.c: truncate output in case of overflow 2015-11-06 17:50:42 -08:00
hweight.c Make ARCH_HAS_FAST_MULTIPLIER a real config variable 2014-09-13 11:14:53 -07:00
idr.c mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd 2015-11-06 17:50:42 -08:00
inflate.c
int_sqrt.c lib/int_sqrt.c: optimize square root algorithm 2013-04-29 18:28:19 -07:00
interval_tree_test.c lib: Export interval_tree 2014-05-05 09:09:14 +02:00
interval_tree.c lib/interval_tree.c: simplify includes 2015-02-12 18:54:15 -08:00
iomap_copy.c lib/iomap_copy.c: add __ioread32_copy() 2016-01-20 17:09:18 -08:00
iomap.c Kconfig: rename HAS_IOPORT to HAS_IOPORT_MAP 2014-04-07 16:36:11 -07:00
iommu-common.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc 2015-11-05 16:34:48 -08:00
iommu-helper.c
ioremap.c x86, mm: support huge KVA mappings on x86 2015-04-14 16:49:04 -07:00
iov_iter.c iov_iter: export import_single_range() 2015-12-06 20:42:19 -05:00
irq_poll.c irq_poll: Fix irq_poll_sched() 2016-01-19 15:26:55 -05:00
irq_regs.c
is_single_threaded.c lib/is_single_threaded.c: change current_is_single_threaded() to use for_each_thread() 2015-11-06 17:50:42 -08:00
jedec_ddr_data.c
kasprintf.c lib/kasprintf.c: add sanity check to kvasprintf 2016-01-16 11:17:27 -08:00
Kconfig mm, kasan: stackdepot implementation. Enable stackdepot for SLAB 2016-03-25 16:37:42 -07:00
Kconfig.debug parisc,metag: Implement CONFIG_DEBUG_STACK_USAGE option 2016-03-23 15:44:34 +01:00
Kconfig.kasan mm, kasan: stackdepot implementation. Enable stackdepot for SLAB 2016-03-25 16:37:42 -07:00
Kconfig.kgdb kdb: Allow access to sensitive commands to be restricted by default 2014-11-11 09:31:52 -06:00
Kconfig.kmemcheck
Kconfig.ubsan ubsan: fix tree-wide -Wmaybe-uninitialized false positives 2016-03-22 15:36:02 -07:00
kfifo.c kfifo: use BUG_ON 2014-08-08 15:57:25 -07:00
klist.c klist: fix starting point removed bug in klist iterators 2016-02-07 22:18:47 -08:00
kobject_uevent.c lib/kobject_uevent.c: remove redundant include 2015-02-12 18:54:15 -08:00
kobject.c kobject: export kset_find_obj() for module use 2016-02-09 17:36:34 -08:00
kstrtox.c lib: add "on"/"off" support to kstrtobool 2016-03-17 15:09:34 -07:00
kstrtox.h
lcm.c block: fix blk_stack_limits() regression due to lcm() change 2015-03-31 09:45:50 -06:00
libcrc32c.c Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2016-01-22 11:58:43 -08:00
list_debug.c list: kill list_force_poison() 2016-03-09 15:43:42 -08:00
list_sort.c lib/list_sort: use late_initcall to hook in self tests 2015-06-16 14:12:35 -04:00
llist.c lib/llist.c: fix data race in llist_del_first 2015-11-06 17:50:42 -08:00
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c locking/lockdep: Revert qrwlock recusive stuff 2014-10-03 06:09:30 +02:00
lockref.c locking/lockref: Remove homebrew cmpxchg64_relaxed() macro definition 2015-08-12 11:59:04 +02:00
lru_cache.c lru_cache: Converted lc_seq_printf_status to return void 2015-11-25 09:22:02 -07:00
Makefile mm, kasan: stackdepot implementation. Enable stackdepot for SLAB 2016-03-25 16:37:42 -07:00
md5.c lib/md5.c: simplify include 2015-02-12 18:54:15 -08:00
memory-notifier-error-inject.c
memweight.c
net_utils.c mac_pton: Use bool not int return 2014-06-25 17:45:43 -07:00
netdev-notifier-error-inject.c net: Add support for CHANGEUPPER notifier error injection 2015-12-03 11:49:23 -05:00
nlattr.c netlink: pad nla_memcpy dest buffer with zeroes 2015-03-31 14:07:24 -04:00
nmi_backtrace.c ARM: 8439/1: Fix backtrace generation when IPI is masked 2015-10-03 16:40:51 +01:00
notifier-error-inject.c mode_t, whack-a-mole at 11... 2013-04-09 14:13:05 -04:00
notifier-error-inject.h
of-reconfig-notifier-error-inject.c
oid_registry.c Give the OID registry file module info to avoid kernel tainting 2013-05-05 14:38:00 -07:00
once.c once: make helper generic for calling functions once 2015-10-08 05:26:36 -07:00
parser.c lib/parser.c: put EXPORT_SYMBOLs in the conventional place 2014-01-23 16:36:55 -08:00
pci_iomap.c libnvdimm for 4.3: 2015-09-08 14:35:59 -07:00
percpu_counter.c percpu_counter: batch size aware __percpu_counter_compare() 2015-05-29 07:39:34 +10:00
percpu_ida.c mm, page_alloc: rename __GFP_WAIT to __GFP_RECLAIM 2015-11-06 17:50:42 -08:00
percpu_test.c percpu: add test module for various percpu operations 2013-11-13 12:09:11 +09:00
percpu-refcount.c lib+mm: fix few spelling mistakes 2016-02-15 11:18:23 +01:00
plist.c lib/plist.c: remove redundant include 2015-02-12 18:54:16 -08:00
pm-notifier-error-inject.c
proportions.c treewide: Remove old email address 2015-11-23 09:44:58 +01:00
radix-tree.c radix_tree: add radix_tree_dump 2016-03-17 15:09:34 -07:00
random32.c netfilter: meta: add PRANDOM support 2016-02-29 13:55:59 +01:00
ratelimit.c ratelimit: fix bug in time interval by resetting right begin time 2016-01-21 17:20:51 -08:00
rational.c
rbtree_test.c rbtree/test: test rbtree_postorder_for_each_entry_safe() 2014-01-23 16:37:03 -08:00
rbtree.c rbtree: Make lockless searches non-fatal 2015-05-28 11:32:04 +09:30
reciprocal_div.c reciprocal_divide: update/correction of the algorithm 2014-01-21 23:17:20 -08:00
rhashtable.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-12-31 18:20:10 -05:00
scatterlist.c scatterlist: fix a typo in comment block of sg_miter_stop() 2016-02-08 10:15:17 -08:00
seq_buf.c tracing: Use seq_buf_used() in seq_buf_to_user() instead of len 2015-12-23 14:27:20 -05:00
sg_split.c lib: scatterlist: add sg splitting function 2015-08-24 14:28:01 -06:00
sha1.c lib: EXPORT_SYMBOL sha_init 2015-03-23 22:12:08 -04:00
show_mem.c lib/show_mem.c: correct reserved memory calculation 2015-09-08 15:35:28 -07:00
smp_processor_id.c percpu: add preemption checks to __this_cpu ops 2014-04-07 16:36:14 -07:00
sort.c lib/sort: Add 64 bit swap function 2015-06-25 17:00:40 -07:00
stackdepot.c mm, kasan: stackdepot implementation. Enable stackdepot for SLAB 2016-03-25 16:37:42 -07:00
stmp_device.c lib/stmp_device.c: replace module.h include 2015-02-12 18:54:16 -08:00
string_helpers.c string_helpers: fix precision loss for some inputs 2016-01-20 17:09:18 -08:00
string.c lib: move strtobool() to kstrtobool() 2016-03-17 15:09:34 -07:00
strncpy_from_user.c Use the new batched user accesses in generic user string handling 2015-12-17 10:05:19 -08:00
strnlen_user.c Use the new batched user accesses in generic user string handling 2015-12-17 10:05:19 -08:00
swiotlb.c Merge branch 'for-4.2/sg' of git://git.kernel.dk/linux-block 2015-06-25 15:22:36 -07:00
syscall.c lib/syscall.c: unexport task_current_syscall() 2014-04-03 16:21:06 -07:00
test_bitmap.c test_bitmap: unit tests for lib/bitmap.c 2016-02-19 22:54:09 -05:00
test_bpf.c bpf, test: add couple of test cases 2015-12-18 16:04:51 -05:00
test_firmware.c test: firmware_class: add asynchronous request trigger 2016-01-07 13:44:22 -07:00
test_hexdump.c test_hexdump: print statistics at the end 2016-01-20 17:09:18 -08:00
test_kasan.c kasan: test fix: warn if the UAF could not be detected in kmalloc_uaf2 2016-03-25 16:37:42 -07:00
test_module.c test: add minimal module for verification testing 2014-01-23 16:36:57 -08:00
test_printf.c mm, printk: introduce new format string for flags 2016-03-15 16:55:16 -07:00
test_rhashtable.c rhashtable-test: allow to retry even if -ENOMEM was returned 2015-11-23 12:36:08 -05:00
test_static_key_base.c locking/static_keys: Provide a selftest 2015-08-03 11:51:12 +02:00
test_static_keys.c locking/static_keys: Avoid nested functions 2016-02-09 10:27:29 +01:00
test_user_copy.c test: check copy_to/from_user boundary validation 2014-01-23 16:36:57 -08:00
test-kstrtox.c kstrto*: accept "-0" for signed conversion 2015-09-10 13:29:01 -07:00
test-string_helpers.c lib/test-string_helpers.c: fix and improve string_get_size() tests 2016-02-03 08:28:43 -08:00
textsearch.c lib/textsearch.c: remove textsearch_put reference from comments 2014-10-14 02:18:14 +02:00
timerqueue.c timerqueue: Let timerqueue_add/del return information 2015-04-22 17:06:49 +02:00
ts_bm.c
ts_fsm.c
ts_kmp.c
ubsan.c UBSAN: run-time undefined behavior sanity checker 2016-01-20 17:09:18 -08:00
ubsan.h UBSAN: run-time undefined behavior sanity checker 2016-01-20 17:09:18 -08:00
ucs2_string.c lib/ucs2_string: Correct ucs2 -> utf8 conversion 2016-02-16 12:49:05 +00:00
usercopy.c Kconfig: consolidate CONFIG_DEBUG_STRICT_USER_COPY_CHECKS 2013-04-30 17:04:09 -07:00
uuid.c uuid: use prandom_bytes() 2013-04-29 18:28:42 -07:00
vsprintf.c sscanf: implement basic character sets 2016-03-17 15:09:34 -07:00