From: Somasundaram Krishnasamy Date: Mon, 18 Sep 2017 22:40:33 +0000 (-0700) Subject: crypto: testmgr - Set struct aead_testvec iv member size to MAX_IVLEN X-Git-Tag: v4.1.12-117.0_27200813_3~341 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=9b565f4452896f6c6a9d2b71116cd0a17842dc7b;p=users%2Fjedix%2Flinux-maple.git crypto: testmgr - Set struct aead_testvec iv member size to MAX_IVLEN Orabug: 25925256 When setup macsec driver or running IPsec esp aead tests, KASan reports out of bound access by memcpy(). BUG: KASan: out of bounds access in memcpy+0x21/0x50 at addr ffffffff81ce8780 Read of size 16 by task cryptomgr_test/7394 Address belongs to variable deflate_comp_params+0xdac0/0x20200 CPU: 23 PID: 7394 Comm: cryptomgr_test Tainted: G B E 4.1.12-96.el7uek.kasan.x86_64 #2 Hardware name: Oracle Corporation SUN SERVER X4-2/ASSY,MOTHERBOARD,1U, BIOS 25010603 01/16/2014 ffffffff81ce8780 000000004127a5c6 ffff881b44acf858 ffffffff81b6629e ffff881b44acf8e8 ffffffff81ce8780 ffff881b44acf8d8 ffffffff81302d54 ffff881b44acf8a8 ffff881c3449e110 0000000000000296 0000000000000400 Call Trace: [] dump_stack+0x63/0x81 [] kasan_report_error+0x3e4/0x420 [] kasan_report+0x58/0x60 [] ? memcpy+0x21/0x50 [] __asan_loadN+0x1c1/0x1d0 [] ? crypto_gcm_encrypt+0x1d3/0x1e0 [gcm] [] ? memcmp+0x69/0xa0 [] memcpy+0x21/0x50 [] __test_aead+0xa5d/0x1d90 [] ? crypto_alloc_base+0x5f/0x150 [] ? alg_test_crc32c+0x1f0/0x1f0 [] ? ablk_ctr_init+0x15/0x20 [aesni_intel] [] ? crypto_spawn_tfm+0x4e/0x90 [] ? async_chainiv_init+0xa2/0xb0 [] ? crypto_spawn_tfm+0x4e/0x90 [] ? __crypto_alloc_tfm+0x181/0x200 [] test_aead+0xbf/0xd0 [] alg_test_aead+0x67/0xf0 [] alg_test+0x242/0x520 [] ? alg_find_test+0xa0/0xa0 [] ? finish_task_switch+0xc3/0x240 [] ? __schedule+0x39e/0xb90 [] ? crypto_unregister_pcomp+0x20/0x20 [] cryptomgr_test+0x56/0x60 [] kthread+0x178/0x1a0 [] ? kthread_create_on_node+0x270/0x270 [] ? kthread_create_on_node+0x270/0x270 [] ret_from_fork+0x42/0x70 [] ? 
kthread_create_on_node+0x270/0x270 Memory state around the buggy address: ffffffff81ce8680: 01 fa fa fa fa fa fa fa 00 00 00 00 01 fa fa fa ffffffff81ce8700: fa fa fa fa 00 00 00 00 01 fa fa fa fa fa fa fa >ffffffff81ce8780: 00 05 fa fa fa fa fa fa 00 00 00 00 00 00 00 00 ^ ffffffff81ce8800: 00 00 01 fa fa fa fa fa 00 00 00 00 00 00 00 00 ffffffff81ce8880: 01 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 This problem is due to the test aes_gcm_enc/dec test templates have actual IV size of 13 bytes, but alg copies 16 bytes which leads to out of bound access. The fix is to initialize the iv member to MAX_IV_SIZE. Fixes: b824b1aa827f ("crypto: testmgr - fix out of bound read in __test_aead()") Signed-off-by: Somasundaram Krishnasamy Reviewed-by: John Haxby
---
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 62e2485bb428..4ae2de50a9e1 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -63,7 +63,7 @@ struct cipher_testvec {
 struct aead_testvec {
 char *key;
- char *iv;
+ char iv[MAX_IVLEN];
 char *input;
 char *assoc;
 char *result;
@@ -19622,7 +19622,7 @@ static struct aead_testvec aes_gcm_rfc4106_enc_tv_template[] = {
 { /* Generated using Crypto++ */
 .key = zeroed_string,
 .klen = 20,
- .iv = zeroed_string,
+ .iv = "",
 .input = zeroed_string,
 .ilen = 16,
 .assoc = zeroed_string,
@@ -19654,7 +19654,7 @@ static struct aead_testvec aes_gcm_rfc4106_enc_tv_template[] = {
 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 "\x00\x00\x00\x00",
 .klen = 20,
- .iv = zeroed_string,
+ .iv = "",
 .input = "\x01\x01\x01\x01\x01\x01\x01\x01"
 "\x01\x01\x01\x01\x01\x01\x01\x01",
 .ilen = 16,
@@ -19670,7 +19670,7 @@ static struct aead_testvec aes_gcm_rfc4106_enc_tv_template[] = {
 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 "\x00\x00\x00\x00",
 .klen = 20,
- .iv = zeroed_string,
+ .iv = "",
 .input = "\x01\x01\x01\x01\x01\x01\x01\x01"
 "\x01\x01\x01\x01\x01\x01\x01\x01",
 .ilen = 16,
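Review bot: The new `char iv[MAX_IVLEN];` member in the first hunk carries no comment stating the contract the fix depends on: each vector now embeds a full MAX_IVLEN-byte buffer, zero-padded past the bytes its initializer supplies, so a reader stays inside the object only as long as it copies at most MAX_IVLEN bytes. I would add `/* fixed-size, zero-padded to MAX_IVLEN; readers must copy at most MAX_IVLEN bytes */` above the member. Because the member is no longer a pointer, any `if (template[i].iv)` style NULL test in the code that consumes these vectors (not part of this patch, so this is inferred) becomes always true and should be dropped or replaced by a check of the transform's IV size against MAX_IVLEN. The struct definition continues past the end of the hunk.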
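Review bot: `.iv = ""` in the second hunk, and in the eight following hunks that make the same replacement in the rfc4106 and rfc4543 enc/dec templates, reads like an empty IV although with the array member it now denotes MAX_IVLEN zero bytes. A short comment such as `/* all-zero IV, zero-padded to MAX_IVLEN */` at the first occurrence in each template would make that intent explicit; alternatively the initializer can simply be omitted, since an unnamed member of a designated initializer is zero-initialized anyway. Each of these initializers sits inside a template array that starts and ends outside its hunk.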
@@ -19796,7 +19796,7 @@ static struct aead_testvec aes_gcm_rfc4106_dec_tv_template[] = {
 { /* Generated using Crypto++ */
 .key = zeroed_string,
 .klen = 20,
- .iv = zeroed_string,
+ .iv = "",
 .input = "\x03\x88\xDA\xCE\x60\xB6\xA3\x92"
 "\xF3\x28\xC2\xB9\x71\xB2\xFE\x78"
 "\x97\xFE\x4C\x23\x37\x42\x01\xE0"
@@ -19828,7 +19828,7 @@ static struct aead_testvec aes_gcm_rfc4106_dec_tv_template[] = {
 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 "\x00\x00\x00\x00",
 .klen = 20,
- .iv = zeroed_string,
+ .iv = "",
 .input = "\x4B\xB1\xB5\xE3\x25\x71\x70\xDE"
 "\x7F\xC9\x9C\xA5\x14\x19\xF2\xAC"
 "\x0B\x8F\x88\x69\x17\xE6\xB4\x3C"
@@ -19844,7 +19844,7 @@ static struct aead_testvec aes_gcm_rfc4106_dec_tv_template[] = {
 "\x6d\x6a\x8f\x94\x67\x30\x83\x08"
 "\x00\x00\x00\x00",
 .klen = 20,
- .iv = zeroed_string,
+ .iv = "",
 .input = "\x4B\xB1\xB5\xE3\x25\x71\x70\xDE"
 "\x7F\xC9\x9C\xA5\x14\x19\xF2\xAC"
 "\x90\x92\xB7\xE3\x5F\xA3\x9A\x63"
@@ -19974,7 +19974,7 @@ static struct aead_testvec aes_gcm_rfc4543_enc_tv_template[] = {
 "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
 "\x22\x43\x3c\x64",
 .klen = 20,
- .iv = zeroed_string,
+ .iv = "",
 .assoc = "\x00\x00\x43\x21\x00\x00\x00\x07",
 .alen = 8,
 .input = "\x45\x00\x00\x30\xda\x3a\x00\x00"
@@ -20004,7 +20004,7 @@ static struct aead_testvec aes_gcm_rfc4543_dec_tv_template[] = {
 "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
 "\x22\x43\x3c\x64",
 .klen = 20,
- .iv = zeroed_string,
+ .iv = "",
 .assoc = "\x00\x00\x43\x21\x00\x00\x00\x07",
 .alen = 8,
 .input = "\x45\x00\x00\x30\xda\x3a\x00\x00"
@@ -20030,7 +20030,7 @@ static struct aead_testvec aes_gcm_rfc4543_dec_tv_template[] = {
 "\x90\x6a\xc7\x3c\x36\x13\xa6\x34"
 "\x22\x43\x3c\x64",
 .klen = 20,
- .iv = zeroed_string,
+ .iv = "",
 .assoc = "\x00\x00\x43\x21\x00\x00\x00\x07",
 .alen = 8,
 .input = "\x45\x00\x00\x30\xda\x3a\x00\x00"