linux/lib/mpi
Nicolai Stange cece762f6f lib/mpi: mpi_write_sgl(): fix out-of-bounds stack access
Within the copying loop in mpi_write_sgl(), we have

  if (lzeros) {
    mpi_limb_t *limb1 = (void *)p - sizeof(alimb);
    mpi_limb_t *limb2 = (void *)p - sizeof(alimb)
                               + lzeros;
    *limb1 = *limb2;
    ...
  }

where p points past the end of alimb2 which lives on the stack and contains
the current limb in BE order.

The purpose of the above is to shift the non-zero bytes of alimb2 to its
beginning in memory, i.e. to skip its leading zero bytes.

However, limb2 points somewhere into the middle of alimb2 and thus, reading
*limb2 pulls in lzero bytes from somewhere.

Indeed, KASAN splats:

  BUG: KASAN: stack-out-of-bounds in mpi_write_to_sgl+0x4e3/0x6f0
                                      at addr ffff8800cb04f601
  Read of size 8 by task systemd-udevd/391
  page:ffffea00032c13c0 count:0 mapcount:0 mapping:   (null) index:0x0
  flags: 0x3fff8000000000()
  page dumped because: kasan: bad access detected
  CPU: 3 PID: 391 Comm: systemd-udevd Tainted: G  B  L
                                              4.5.0-next-20160316+ #12
  [...]
  Call Trace:
   [<ffffffff8194889e>] dump_stack+0xdc/0x15e
   [<ffffffff819487c2>] ? _atomic_dec_and_lock+0xa2/0xa2
   [<ffffffff814892b5>] ? __dump_page+0x185/0x330
   [<ffffffff8150ffd6>] kasan_report_error+0x5e6/0x8b0
   [<ffffffff814724cd>] ? kzfree+0x2d/0x40
   [<ffffffff819c5bce>] ? mpi_free_limb_space+0xe/0x20
   [<ffffffff819c469e>] ? mpi_powm+0x37e/0x16f0
   [<ffffffff815109f1>] kasan_report+0x71/0xa0
   [<ffffffff819c0353>] ? mpi_write_to_sgl+0x4e3/0x6f0
   [<ffffffff8150ed34>] __asan_load8+0x64/0x70
   [<ffffffff819c0353>] mpi_write_to_sgl+0x4e3/0x6f0
   [<ffffffff819bfe70>] ? mpi_set_buffer+0x620/0x620
   [<ffffffff819c0e6f>] ? mpi_cmp+0xbf/0x180
   [<ffffffff8186e282>] rsa_verify+0x202/0x260

What's more, since lzeros can be anything from 1 to sizeof(mpi_limb_t)-1,
the above will cause unaligned accesses which is bad on non-x86 archs.

Fix the issue, by preparing the starting point p for the upcoming copy
operation instead of shifting the source memory, i.e. alimb2.

Fixes: 2d4d1eea54 ("lib/mpi: Add mpi sgl helpers")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-04-05 20:35:48 +08:00
..
generic_mpih-add1.c
generic_mpih-lshift.c
generic_mpih-mul1.c
generic_mpih-mul2.c
generic_mpih-mul3.c
generic_mpih-rshift.c
generic_mpih-sub1.c
longlong.h lib/mpi: avoid assembler warning 2016-02-28 03:26:34 +08:00
Makefile MPILIB: Reinstate mpi_cmp[_ui]() and export for RSA signature verification 2012-10-08 13:50:15 +10:30
mpi-bit.c MPILIB: Provide count_leading/trailing_zeros() based on arch functions 2012-10-08 13:50:11 +10:30
mpi-cmp.c MPILIB: Fix comparison of negative MPIs 2015-01-14 16:10:12 +00:00
mpi-inline.h lib/mpi: use "static inline" instead of "extern inline" 2016-02-28 03:26:34 +08:00
mpi-internal.h lib/mpi: use "static inline" instead of "extern inline" 2016-02-28 03:26:34 +08:00
mpi-pow.c MPILIB: Provide count_leading/trailing_zeros() based on arch functions 2012-10-08 13:50:11 +10:30
mpicoder.c lib/mpi: mpi_write_sgl(): fix out-of-bounds stack access 2016-04-05 20:35:48 +08:00
mpih-cmp.c
mpih-div.c Remove unused code from MPI library 2012-05-26 11:51:03 +10:00
mpih-mul.c Remove unused code from MPI library 2012-05-26 11:51:03 +10:00
mpiutil.c MPILIB: add mpi_read_buf() and mpi_get_size() helpers 2015-06-16 14:35:06 +08:00