[linux] 01/01: crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)
debian-kernel at lists.debian.org
Fri Dec 22 08:07:34 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 4f056ca2c682e6ecab320622a7976fc2739834f9
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Dec 22 08:59:46 2017 +0100
crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)
---
debian/changelog | 1 +
...ypto-salsa20-fix-blkcipher_walk-API-usage.patch | 91 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 93 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 0cd3560..7aea59c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -506,6 +506,7 @@ linux (4.14.7-1) UNRELEASED; urgency=medium
* Add ABI reference for 4.14.0-1
* xen/time: do not decrease steal time after live migration on xen
(Closes: #871608)
+ * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)
[ Vagrant Cascadian ]
* [armhf, arm64] Backport patches from 4.15.x to support dwmac-sun8i.
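Review bot: the new changelog line is inserted directly above `[ Vagrant Cascadian ]`, so it lands in the preceding contributor block, whose header is outside the visible context. Confirm that block is the committer's own (the commit author is Salvatore Bonaccorso) so the entry is attributed correctly in the 4.14.7-1 stanza.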
diff --git a/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch b/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
new file mode 100644
index 0000000..4418d7f
--- /dev/null
+++ b/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
@@ -0,0 +1,91 @@
+From: Eric Biggers <ebiggers at google.com>
+Date: Tue, 28 Nov 2017 20:56:59 -0800
+Subject: crypto: salsa20 - fix blkcipher_walk API usage
+Origin: https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17805
+
+When asked to encrypt or decrypt 0 bytes, both the generic and x86
+implementations of Salsa20 crash in blkcipher_walk_done(), either when
+doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
+because walk->buffer and walk->page have not been initialized.
+
+The bug is that Salsa20 is calling blkcipher_walk_done() even when
+nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to
+be called when a nonzero number of bytes have been provided.
+
+The broken code is part of an optimization that tries to make only one
+call to salsa20_encrypt_bytes() to process inputs that are not evenly
+divisible by 64 bytes. To fix the bug, just remove this "optimization"
+and use the blkcipher_walk API the same way all the other users do.
+
+Reproducer:
+
+ #include <linux/if_alg.h>
+ #include <sys/socket.h>
+ #include <unistd.h>
+
+ int main()
+ {
+ int algfd, reqfd;
+ struct sockaddr_alg addr = {
+ .salg_type = "skcipher",
+ .salg_name = "salsa20",
+ };
+ char key[16] = { 0 };
+
+ algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ bind(algfd, (void *)&addr, sizeof(addr));
+ reqfd = accept(algfd, 0, 0);
+ setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
+ read(reqfd, key, sizeof(key));
+ }
+
+Reported-by: syzbot <syzkaller at googlegroups.com>
+Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
+Cc: <stable at vger.kernel.org> # v2.6.25+
+Signed-off-by: Eric Biggers <ebiggers at google.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ arch/x86/crypto/salsa20_glue.c | 7 -------
+ crypto/salsa20_generic.c | 7 -------
+ 2 files changed, 14 deletions(-)
+
+diff --git a/arch/x86/crypto/salsa20_glue.c b/arch/x86/crypto/salsa20_glue.c
+index 399a29d067d6..cb91a64a99e7 100644
+--- a/arch/x86/crypto/salsa20_glue.c
++++ b/arch/x86/crypto/salsa20_glue.c
+@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc *desc,
+
+ salsa20_ivsetup(ctx, walk.iv);
+
+- if (likely(walk.nbytes == nbytes))
+- {
+- salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
+- walk.dst.virt.addr, nbytes);
+- return blkcipher_walk_done(desc, &walk, 0);
+- }
+-
+ while (walk.nbytes >= 64) {
+ salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
+ walk.dst.virt.addr,
+diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c
+index f550b5d94630..d7da0eea5622 100644
+--- a/crypto/salsa20_generic.c
++++ b/crypto/salsa20_generic.c
+@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc,
+
+ salsa20_ivsetup(ctx, walk.iv);
+
+- if (likely(walk.nbytes == nbytes))
+- {
+- salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
+- walk.src.virt.addr, nbytes);
+- return blkcipher_walk_done(desc, &walk, 0);
+- }
+-
+ while (walk.nbytes >= 64) {
+ salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
+ walk.src.virt.addr,
+--
+2.11.0
+
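Review bot: the zero-length path cannot be verified from the two embedded encrypt() hunks alone, because the remaining context stops at the start of `while (walk.nbytes >= 64)` and the tail handling after the loop is not shown. The message states that blkcipher_walk_done() must only be called with a nonzero byte count, so confirm in arch/x86/crypto/salsa20_glue.c and crypto/salsa20_generic.c that the call after the loop is guarded on walk.nbytes, and consider carrying a zero-length salsa20 request as a regression check, since the reproducer (a read() on the request socket with no data sent) exists only in the commit message. Separately, the `Cc: stable` line says v2.6.25+ while this commit targets branch sid only, so the other maintained branches likely need the same patch.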
diff --git a/debian/patches/series b/debian/patches/series
index 2becbc1..de71383 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -127,6 +127,7 @@ bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
+bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git