crypto: testmgr - Set struct aead_testvec iv member size to MAX_IVLEN

Orabug: 25925256

When setup macsec driver or running IPsec esp aead tests, KASan reports
out of bound access by memcpy().

BUG: KASan: out of bounds access in memcpy+0x21/0x50 at addr ffffffff81ce8780
Read of size 16 by task cryptomgr_test/7394
Address belongs to variable deflate_comp_params+0xdac0/0x20200
CPU: 23 PID: 7394 Comm: cryptomgr_test Tainted: G    B       E
4.1.12-96.el7uek.kasan.x86_64 #2
Hardware name: Oracle Corporation SUN SERVER X4-2/ASSY,MOTHERBOARD,1U, BIOS 25010603 01/16/2014
ffffffff81ce8780 000000004127a5c6 ffff881b44acf858 ffffffff81b6629e
ffff881b44acf8e8 ffffffff81ce8780 ffff881b44acf8d8 ffffffff81302d54
ffff881b44acf8a8 ffff881c3449e110 0000000000000296 0000000000000400
Call Trace:
[<ffffffff81b6629e>] dump_stack+0x63/0x81
[<ffffffff81302d54>] kasan_report_error+0x3e4/0x420
[<ffffffff813033d8>] kasan_report+0x58/0x60
[<ffffffff81302421>] ? memcpy+0x21/0x50
[<ffffffff81301f21>] __asan_loadN+0x1c1/0x1d0
[<ffffffffa09d2423>] ? crypto_gcm_encrypt+0x1d3/0x1e0 [gcm]
[<ffffffff81510479>] ? memcmp+0x69/0xa0
[<ffffffff81302421>] memcpy+0x21/0x50
[<ffffffff8148ed0d>] __test_aead+0xa5d/0x1d90
[<ffffffff8147bc0f>] ? crypto_alloc_base+0x5f/0x150
[<ffffffff8148e2b0>] ? alg_test_crc32c+0x1f0/0x1f0
[<ffffffffa08661d5>] ? ablk_ctr_init+0x15/0x20 [aesni_intel]
[<ffffffff8147e10e>] ? crypto_spawn_tfm+0x4e/0x90
[<ffffffff81484502>] ? async_chainiv_init+0xa2/0xb0
[<ffffffff8147e10e>] ? crypto_spawn_tfm+0x4e/0x90
[<ffffffff8147bb31>] ? __crypto_alloc_tfm+0x181/0x200
[<ffffffff814900ff>] test_aead+0xbf/0xd0
[<ffffffff81490177>] alg_test_aead+0x67/0xf0
[<ffffffff8148b332>] alg_test+0x242/0x520
[<ffffffff8148b0f0>] ? alg_find_test+0xa0/0xa0
[<ffffffff8110c573>] ? finish_task_switch+0xc3/0x240
[<ffffffff81b6965e>] ? __schedule+0x39e/0xb90
[<ffffffff81488f30>] ? crypto_unregister_pcomp+0x20/0x20
[<ffffffff81488f86>] cryptomgr_test+0x56/0x60
[<ffffffff810ffa58>] kthread+0x178/0x1a0
[<ffffffff810ff8e0>] ? kthread_create_on_node+0x270/0x270
[<ffffffff810ff8e0>] ? kthread_create_on_node+0x270/0x270
[<ffffffff81b71122>] ret_from_fork+0x42/0x70
[<ffffffff810ff8e0>] ? kthread_create_on_node+0x270/0x270
Memory state around the buggy address:
ffffffff81ce8680: 01 fa fa fa fa fa fa fa 00 00 00 00 01 fa fa fa
ffffffff81ce8700: fa fa fa fa 00 00 00 00 01 fa fa fa fa fa fa fa
>ffffffff81ce8780: 00 05 fa fa fa fa fa fa 00 00 00 00 00 00 00 00
                       ^
ffffffff81ce8800: 00 00 01 fa fa fa fa fa 00 00 00 00 00 00 00 00
ffffffff81ce8880: 01 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00

This problem is due to the test aes_gcm_enc/dec test templates have actual IV
size of 13 bytes, but alg copies 16 bytes which leads to out of bound access.
The fix is to initialize the iv member to MAX_IV_SIZE.

Fixes: b824b1aa827f ("crypto: testmgr - fix out of bound read in __test_aead()")
Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>

diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 62e2485bb428c03de6d8b1e6c546fc825a95fcb7..4ae2de50a9e18086920c9bcedc0b245cbab6cc28 100644 (file)
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -63,7 +63,7 @@ struct cipher_testvec {
 
 struct aead_testvec {
        char *key;
-       char *iv;
+       char iv[MAX_IVLEN];
        char *input;
        char *assoc;
        char *result;
@@ -19622,7 +19622,7 @@ static struct aead_testvec aes_gcm_rfc4106_enc_tv_template[] = {
         { /* Generated using Crypto++ */
                .key    = zeroed_string,
                .klen   = 20,
-                .iv     = zeroed_string,
+                .iv     = "",
                 .input  = zeroed_string,
                 .ilen   = 16,
                 .assoc  = zeroed_string,
@@ -19654,7 +19654,7 @@ static struct aead_testvec aes_gcm_rfc4106_enc_tv_template[] = {
                          "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
                           "\x00\x00\x00\x00",
                .klen   = 20,
-                .iv     = zeroed_string,
+                .iv     = "",
                 .input  = "\x01\x01\x01\x01\x01\x01\x01\x01"
                           "\x01\x01\x01\x01\x01\x01\x01\x01",
                 .ilen   = 16,
@@ -19670,7 +19670,7 @@ static struct aead_testvec aes_gcm_rfc4106_enc_tv_template[] = {
                          "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
                           "\x00\x00\x00\x00",
                .klen   = 20,
-                .iv     = zeroed_string,
+                .iv     = "",
                 .input  = "\x01\x01\x01\x01\x01\x01\x01\x01"
                           "\x01\x01\x01\x01\x01\x01\x01\x01",
                 .ilen   = 16,
@@ -19796,7 +19796,7 @@ static struct aead_testvec aes_gcm_rfc4106_dec_tv_template[] = {
         { /* Generated using Crypto++ */
                .key    = zeroed_string,
                .klen   = 20,
-                .iv     = zeroed_string,
+                .iv     = "",
                .input  = "\x03\x88\xDA\xCE\x60\xB6\xA3\x92"
                           "\xF3\x28\xC2\xB9\x71\xB2\xFE\x78"
                           "\x97\xFE\x4C\x23\x37\x42\x01\xE0"
@@ -19828,7 +19828,7 @@ static struct aead_testvec aes_gcm_rfc4106_dec_tv_template[] = {
                          "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
                           "\x00\x00\x00\x00",
                .klen   = 20,
-                .iv     = zeroed_string,
+                .iv     = "",
                .input  = "\x4B\xB1\xB5\xE3\x25\x71\x70\xDE"
                           "\x7F\xC9\x9C\xA5\x14\x19\xF2\xAC"
                           "\x0B\x8F\x88\x69\x17\xE6\xB4\x3C"
@@ -19844,7 +19844,7 @@ static struct aead_testvec aes_gcm_rfc4106_dec_tv_template[] = {
                          "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
                           "\x00\x00\x00\x00",
                .klen   = 20,
-                .iv     = zeroed_string,
+                .iv     = "",
                .input  = "\x4B\xB1\xB5\xE3\x25\x71\x70\xDE"
                           "\x7F\xC9\x9C\xA5\x14\x19\xF2\xAC"
                           "\x90\x92\xB7\xE3\x5F\xA3\x9A\x63"
@@ -19974,7 +19974,7 @@ static struct aead_testvec aes_gcm_rfc4543_enc_tv_template[] = {
                          "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
                          "\x22\x43\x3c\x64",
                .klen   = 20,
-               .iv     = zeroed_string,
+               .iv     = "",
                .assoc  = "\x00\x00\x43\x21\x00\x00\x00\x07",
                .alen   = 8,
                .input  = "\x45\x00\x00\x30\xda\x3a\x00\x00"
@@ -20004,7 +20004,7 @@ static struct aead_testvec aes_gcm_rfc4543_dec_tv_template[] = {
                          "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
                          "\x22\x43\x3c\x64",
                .klen   = 20,
-               .iv     = zeroed_string,
+               .iv     = "",
                .assoc  = "\x00\x00\x43\x21\x00\x00\x00\x07",
                .alen   = 8,
                .input  = "\x45\x00\x00\x30\xda\x3a\x00\x00"
@@ -20030,7 +20030,7 @@ static struct aead_testvec aes_gcm_rfc4543_dec_tv_template[] = {
                          "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
                          "\x22\x43\x3c\x64",
                .klen   = 20,
-               .iv     = zeroed_string,
+               .iv     = "",
                .assoc  = "\x00\x00\x43\x21\x00\x00\x00\x07",
                .alen   = 8,
                .input  = "\x45\x00\x00\x30\xda\x3a\x00\x00"