[kernel] r22532 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/x86

Ben Hutchings benh at moszumanska.debian.org
Fri Apr 24 15:06:02 UTC 2015 

Author: benh
Date: Fri Apr 24 15:06:01 2015
New Revision: 22532

Log:
[x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561) (CVE-2015-3331)

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Fri Apr 24 15:05:00 2015	(r22531)
+++ dists/wheezy-security/linux/debian/changelog	Fri Apr 24 15:06:01 2015	(r22532)
@@ -11,6 +11,8 @@
   * [amd64] asm/entry: Remove a bogus 'ret_from_fork' optimization
     (CVE-2015-2830)
   * ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
+  * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561)
+    (CVE-2015-3331)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 13 Apr 2015 00:33:14 +0100
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch	Fri Apr 24 15:06:01 2015	(r22532)
@@ -0,0 +1,61 @@
+From: Stephan Mueller <smueller at chronox.de>
+Date: Thu, 12 Mar 2015 09:17:51 +0100
+Subject: crypto: aesni - fix memory usage in GCM decryption
+Origin: https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
+Bug-Debian: https://bugs.debian.org/782561
+
+The kernel crypto API logic requires the caller to provide the
+length of (ciphertext || authentication tag) as cryptlen for the
+AEAD decryption operation. Thus, the cipher implementation must
+calculate the size of the plaintext output itself and cannot simply use
+cryptlen.
+
+The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
+in req->dst. As the destination buffer for decryption only needs to hold
+the plaintext memory but cryptlen references the input buffer holding
+(ciphertext || authentication tag), the assumption of the destination
+buffer length in RFC4106 GCM operation leads to a too large size. This
+patch simply uses the already calculated plaintext size.
+
+In addition, this patch fixes the offset calculation of the AAD buffer
+pointer: as mentioned before, cryptlen already includes the size of the
+tag. Thus, the tag does not need to be added. With the addition, the AAD
+will be written beyond the already allocated buffer.
+
+Note, this fixes a kernel crash that can be triggered from user space
+via AF_ALG(aead) -- simply use the libkcapi test application
+from [1] and update it to use rfc4106-gcm-aes.
+
+Using [1], the changes were tested using CAVS vectors to demonstrate
+that the crypto operation still delivers the right results.
+
+[1] http://www.chronox.de/libkcapi.html
+
+CC: Tadeusz Struk <tadeusz.struk at intel.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Stephan Mueller <smueller at chronox.de>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ arch/x86/crypto/aesni-intel_glue.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/crypto/aesni-intel_glue.c
++++ b/arch/x86/crypto/aesni-intel_glue.c
+@@ -1203,7 +1203,7 @@ static int __driver_rfc4106_decrypt(stru
+ 		src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
+ 		if (!src)
+ 			return -ENOMEM;
+-		assoc = (src + req->cryptlen + auth_tag_len);
++		assoc = (src + req->cryptlen);
+ 		scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
+ 		scatterwalk_map_and_copy(assoc, req->assoc, 0,
+ 			req->assoclen, 0);
+@@ -1228,7 +1228,7 @@ static int __driver_rfc4106_decrypt(stru
+ 		scatterwalk_done(&src_sg_walk, 0, 0);
+ 		scatterwalk_done(&assoc_sg_walk, 0, 0);
+ 	} else {
+-		scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
++		scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
+ 		kfree(src);
+ 	}
+ 	return retval;

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Fri Apr 24 15:05:00 2015	(r22531)
+++ dists/wheezy-security/linux/debian/patches/series	Fri Apr 24 15:06:01 2015	(r22532)
@@ -1164,3 +1164,4 @@
 bugfix/all/xen-pciback-limit-guest-control-of-command-register.patch
 bugfix/x86/x86-asm-entry-64-remove-a-bogus-ret_from_fork-optimi.patch
 bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
+bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch

More information about the Kernel-svn-changes mailing list