iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/crypto
History
Eric Biggers aa15fe4d6a crypto: dh - Fix double free of ctx->p 
commit 12d41a023efb01b846457ccdbbcbe2b65a87d530 upstream.

When setting the secret with the software Diffie-Hellman implementation,
if allocating 'g' failed (e.g. if it was longer than
MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
once later when the crypto_kpp tfm was destroyed.

Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
paths, as that correctly sets the pointers to NULL.

KASAN report:

    MPI: mpi too large (32760 bits)
    ==================================================================
    BUG: KASAN: use-after-free in mpi_free+0x131/0x170
    Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367

    CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
     dump_stack+0xb3/0x10b
     ? mpi_free+0x131/0x170
     print_address_description+0x79/0x2a0
     ? mpi_free+0x131/0x170
     kasan_report+0x236/0x340
     ? akcipher_register_instance+0x90/0x90
     __asan_report_load4_noabort+0x14/0x20
     mpi_free+0x131/0x170
     ? akcipher_register_instance+0x90/0x90
     dh_exit_tfm+0x3d/0x140
     crypto_kpp_exit_tfm+0x52/0x70
     crypto_destroy_tfm+0xb3/0x250
     __keyctl_dh_compute+0x640/0xe90
     ? kasan_slab_free+0x12f/0x180
     ? dh_data_from_key+0x240/0x240
     ? key_create_or_update+0x1ee/0xb20
     ? key_instantiate_and_link+0x440/0x440
     ? lock_contended+0xee0/0xee0
     ? kfree+0xcf/0x210
     ? SyS_add_key+0x268/0x340
     keyctl_dh_compute+0xb3/0xf1
     ? __keyctl_dh_compute+0xe90/0xe90
     ? SyS_add_key+0x26d/0x340
     ? entry_SYSCALL_64_fastpath+0x5/0xbe
     ? trace_hardirqs_on_caller+0x3f4/0x560
     SyS_keyctl+0x72/0x2c0
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x43ccf9
    RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
    RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
    RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
    RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
    R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
    R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000

    Allocated by task 367:
     save_stack_trace+0x16/0x20
     kasan_kmalloc+0xeb/0x180
     kmem_cache_alloc_trace+0x114/0x300
     mpi_alloc+0x4b/0x230
     mpi_read_raw_data+0xbe/0x360
     dh_set_secret+0x1dc/0x460
     __keyctl_dh_compute+0x623/0xe90
     keyctl_dh_compute+0xb3/0xf1
     SyS_keyctl+0x72/0x2c0
     entry_SYSCALL_64_fastpath+0x1f/0xbe

    Freed by task 367:
     save_stack_trace+0x16/0x20
     kasan_slab_free+0xab/0x180
     kfree+0xb5/0x210
     mpi_free+0xcb/0x170
     dh_set_secret+0x2d7/0x460
     __keyctl_dh_compute+0x623/0xe90
     keyctl_dh_compute+0xb3/0xf1
     SyS_keyctl+0x72/0x2c0
     entry_SYSCALL_64_fastpath+0x1f/0xbe

Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-24 08:33:41 +01:00
..
asymmetric_keys
pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
2017-10-27 10:38:08 +02:00
async_tx
async_pq_val: fix DMA memory leak
2016-10-05 06:18:09 +05:30
.gitignore
crypto: rsa - add .gitignore for crypto/*.-asn1.[ch] files
2015-06-25 23:29:24 +08:00
842.c
crypto: 842 - change 842 alg to use software
2015-05-11 15:06:43 +08:00
ablk_helper.c
crypto: ablk_helper - Fix cryptd reordering
2016-06-23 18:29:53 +08:00
ablkcipher.c
crypto: skcipher - Remove top-level givcipher interface
2016-07-18 17:35:46 +08:00
aead.c
crypto: aead - Remove blkcipher null for IV generators
2016-07-18 17:35:43 +08:00
aes_generic.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
af_alg.c
crypto: af_alg - Forbid bind(2) when nokey child sockets are present
2016-01-18 18:16:33 +08:00
ahash.c
crypto: ahash - Fix EINPROGRESS notification callback
2017-04-21 09:31:23 +02:00
akcipher.c
crypto: akcipher - add akcipher declarations needed by templates.
2015-12-09 20:03:57 +08:00
algapi.c
crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
2017-02-09 08:08:26 +01:00
algboss.c
crypto: algboss - Remove reference to nivaead
2015-08-17 16:53:41 +08:00
algif_aead.c
crypto: algif_aead - Require setkey before accept(2)
2017-05-20 14:28:37 +02:00
algif_hash.c
crypto: algif_hash - avoid zero-sized array
2017-03-30 09:41:28 +02:00
algif_rng.c
crypto: algif_rng - Remove obsolete const-removal cast
2015-04-22 09:30:21 +08:00
algif_skcipher.c
crypto: AF_ALG - remove SGL terminator indicator when chaining
2017-09-27 14:39:20 +02:00
ansi_cprng.c
crypto: ansi_cprng - Convert to new rng interface
2015-04-22 09:30:18 +08:00
anubis.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
api.c
crypto: api - Only abort operations on fatal signal
2015-10-20 21:59:25 +08:00
arc4.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
authenc.c
crypto: authenc - Use skcipher
2016-07-18 17:35:38 +08:00
authencesn.c
crypto: authencesn - Fix digest_null crash
2017-08-06 18:59:40 -07:00
blkcipher.c
crypto: skcipher - Fix blkcipher walk OOM crash
2016-09-13 18:44:57 +08:00
blowfish_common.c
crypto: blowfish - split generic and common c code
2011-09-22 21:25:25 +10:00
blowfish_generic.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
camellia_generic.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
cast5_generic.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
cast6_generic.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
cast_common.c
crypto: make tables used from assembler __visible
2013-08-14 20:42:03 +10:00
cbc.c
crypto: include crypto- module prefix in template
2014-11-26 20:06:30 +08:00
ccm.c
crypto: ccm - preserve the IV buffer
2017-11-15 15:53:18 +01:00
chacha20_generic.c
random: replace non-blocking pool with a Chacha20-based CRNG
2016-07-03 00:57:23 -04:00
chacha20poly1305.c
crypto: chacha20poly1305 - Use skcipher
2016-07-18 17:35:41 +08:00
cipher.c
crypto: cipher - Fix checkpatch errors
2010-02-16 20:31:37 +08:00
cmac.c
crypto: include crypto- module prefix in template
2014-11-26 20:06:30 +08:00
compress.c
crc32_generic.c
crypto: crc32 - Rename generic implementation
2016-01-30 22:11:22 +08:00
crc32c_generic.c
crypto: crc32c - Fix crc32c soft dependency
2016-01-19 15:52:10 +08:00
crct10dif_common.c
crypto: crct10dif - Add fallback for broken initrds
2013-09-12 15:31:34 +10:00
crct10dif_generic.c
crypto: squash lines for simple wrapper functions
2016-09-13 20:27:26 +08:00
cryptd.c
crypto: cryptd - initialize child shash_desc on import
2016-09-07 21:04:36 +08:00
crypto_engine.c
kthread: kthread worker API cleanup
2016-10-11 15:06:33 -07:00
crypto_null.c
crypto: null - Remove default null blkcipher
2016-07-18 17:35:44 +08:00
crypto_user.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
2016-07-21 12:26:55 +08:00
crypto_wq.c
crypto: crypto_wq - Fix late crypto work queue initialization
2014-03-21 21:54:28 +08:00
ctr.c
crypto: ctr - Use skcipher in rfc3686
2016-07-18 17:35:39 +08:00
cts.c
crypto: cts - Convert to skcipher
2016-07-18 17:35:44 +08:00
deflate.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
des_generic.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
dh_helper.c
crypto: dh - Don't permit 'key' or 'g' size longer than 'p'
2017-11-21 09:23:29 +01:00
dh.c
crypto: dh - Fix double free of ctx->p
2017-11-24 08:33:41 +01:00
drbg.c
crypto: drbg - fix freeing of resources
2017-10-05 09:43:59 +02:00
ecb.c
crypto: include crypto- module prefix in template
2014-11-26 20:06:30 +08:00
ecc_curve_defs.h
crypto: ecdh - Add ECDH software support
2016-06-23 18:29:57 +08:00
ecc.c
crypto: ecdh - make ecdh_shared_secret unique
2016-06-24 21:24:59 +08:00
ecc.h
crypto: ecdh - make ecdh_shared_secret unique
2016-06-24 21:24:59 +08:00
ecdh_helper.c
crypto: ecdh - Add ECDH software support
2016-06-23 18:29:57 +08:00
ecdh.c
crypto: ecdh - make ecdh_shared_secret unique
2016-06-24 21:24:59 +08:00
echainiv.c
crypto: echainiv - Replace chaining with multiplication
2016-09-13 18:44:57 +08:00
fcrypt.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
fips.c
crypto: fips - Move fips_enabled sysctl into fips.c
2015-04-23 14:18:09 +08:00
gcm.c
crypto: gcm - wait for crypto op not signal safe
2017-06-14 15:05:55 +02:00
gf128mul.c
crypto: gf128mul - fix call to memset()
2011-07-08 17:21:21 +08:00
ghash-generic.c
crypto: ghash-generic - move common definitions to a new header file
2016-10-02 22:26:40 +08:00
hash_info.c
keys, trusted: select hash algorithm for TPM2 chips
2015-12-20 15:27:12 +02:00
hmac.c
crypto: include crypto- module prefix in template
2014-11-26 20:06:30 +08:00
internal.h
crypto: api - Add crypto_type_has_alg helper
2016-01-25 22:42:12 +08:00
jitterentropy-kcapi.c
crypto: jitterentropy - use ktime_get_ns as fallback
2016-06-24 21:24:58 +08:00
jitterentropy.c
crypto: jitterentropy - Delete unnecessary checks before the function call "kzfree"
2015-06-25 23:18:33 +08:00
Kconfig
Revert "crypto: xts - Add ECB dependency"
2017-11-21 09:23:28 +01:00
keywrap.c
crypto: keywrap - memzero the correct memory
2016-02-01 22:27:05 +08:00
khazad.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
kpp.c
crypto: kpp - Key-agreement Protocol Primitives API (KPP)
2016-06-23 18:29:56 +08:00
lrw.c
crypto: include crypto- module prefix in template
2014-11-26 20:06:30 +08:00
lz4.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
lz4hc.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
lzo.c
crypto: lzo - get rid of superfluous __GFP_REPEAT
2016-04-15 22:36:36 +08:00
Makefile
crypto: improve gcc optimization flags for serpent and wp512
2017-03-18 19:14:26 +08:00
mcryptd.c
crypto: mcryptd - Check mcryptd algorithm compatibility
2016-12-07 19:55:37 +08:00
md4.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
md5.c
crypto: hash - add zero length message hash for shax and md5
2015-12-22 20:43:35 +08:00
memneq.c
crypto: memneq - fix for archs without efficient unaligned access
2013-12-09 20:09:12 +08:00
michael_mic.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
pcbc.c
crypto: include crypto- module prefix in template
2014-11-26 20:06:30 +08:00
pcrypt.c
crypto: aead - Remove CRYPTO_ALG_AEAD_NEW flag
2015-08-17 16:53:53 +08:00
poly1305_generic.c
crypto: poly1305 - Export common Poly1305 helpers
2015-07-17 21:20:26 +08:00
proc.c
crypto: fips - Move fips_enabled sysctl into fips.c
2015-04-23 14:18:09 +08:00
ripemd.h
rmd128.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
rmd160.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
rmd256.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
rmd320.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
rng.c
crypto: rng - Do not free default RNG when it becomes unused
2015-06-22 15:49:18 +08:00
rsa_helper.c
crypto: rsa - allow keys >= 2048 bits in FIPS mode
2016-08-24 21:07:10 +08:00
rsa-pkcs1pad.c
crypto: rsa-pkcs1pad - use constant time memory comparison for MACs
2017-07-15 12:16:16 +02:00
rsa.c
crypto: rsa - Generate fixed-length output
2016-07-01 23:45:18 +08:00
rsaprivkey.asn1
crypto: rsa - Store rest of the private key components
2016-07-05 23:05:26 +08:00
rsapubkey.asn1
crypto: akcipher - Changes to asymmetric key API
2015-10-14 22:23:16 +08:00
salsa20_generic.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
scatterwalk.c
crypto: scatterwalk - Remove unnecessary aliasing check in map_and_copy
2016-11-22 15:02:25 +08:00
seed.c
crypto: prefix module autoloading with "crypto-"
2014-11-24 22:43:57 +08:00
seqiv.c
crypto: skcipher - Remove top-level givcipher interface
2016-07-18 17:35:46 +08:00
serpent_generic.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
sha1_generic.c
crypto: hash - add zero length message hash for shax and md5
2015-12-22 20:43:35 +08:00
sha3_generic.c
crypto: sha3 - Add missing ULL suffixes for 64-bit constants
2016-08-08 23:43:46 +08:00
sha256_generic.c
crypto: hash - add zero length message hash for shax and md5
2015-12-22 20:43:35 +08:00
sha512_generic.c
crypto: sha512-generic - move to generic glue implementation
2015-04-10 21:39:41 +08:00
shash.c
crypto: shash - Fix zero-length shash ahash digest crash
2017-10-18 09:35:38 +02:00
skcipher.c
crypto: skcipher - Add missing API setkey checks
2017-06-07 12:07:46 +02:00
tcrypt.c
crypto: sha3 - Add HMAC-SHA3 test modes and test vectors
2016-07-01 23:45:24 +08:00
tcrypt.h
crypto: tcrypt - Add ChaCha20/Poly1305 speed tests
2015-07-17 21:20:20 +08:00
tea.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
testmgr.c
crypto: testmgr - add guard to dst buffer for ahash_export
2016-10-02 22:33:43 +08:00
testmgr.h
crypto: testmgr - Pad aes_ccm_enc_tv_template vector
2017-03-12 06:41:47 +01:00
tgr192.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
twofish_common.c
crypto: twofish-x86_64-3way - add lrw support
2011-11-09 11:53:32 +08:00
twofish_generic.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
vmac.c
crypto: include crypto- module prefix in template
2014-11-26 20:06:30 +08:00
wp512.c
crypto: add missing crypto module aliases
2015-01-13 22:29:11 +11:00
xcbc.c
crypto: include crypto- module prefix in template
2014-11-26 20:06:30 +08:00
xor.c
crypto: xor - Fix warning when XOR_SELECT_TEMPLATE is unset
2016-08-31 23:00:48 +08:00
xts.c
crypto: xts - fix a little typo
2016-08-16 17:16:49 +08:00