Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / adf26e87f4b73d1f820352b0bfa085f6aaf3f51a^! / . / include / linux / crypto.h
commitadf26e87f4b73d1f820352b0bfa085f6aaf3f51a[log] [tgz]
authorEric Biggers <ebiggers@google.com>Wed Jan 03 11:16:27 2018 -0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Sun Feb 25 11:05:44 2018 +0100
treee5658322a999cecdfe0effd8cdcf42ef71db91a5
parentb392a53b11f325b30b7d54e575352a8cac4c300d [diff] [blame]
crypto: hash - prevent using keyed hashes without setting key

commit 9fa68f620041be04720d0cbfb1bd3ddfc6310b24 upstream.

Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding.  Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.

A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool.  However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed.  Examples of this include:

    - KEYCTL_DH_COMPUTE, via the KDF extension
    - dm-verity
    - dm-crypt, via the ESSIV support
    - dm-integrity, via the "internal hash" mode with no key given
    - drbd (Distributed Replicated Block Device)

This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.

Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not.  Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.

The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.

Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>



diff --git a/include/linux/crypto.h b/include/linux/crypto.h
index b0175fa..8edb3ba 100644
--- a/include/linux/crypto.h
+++ b/include/linux/crypto.h

@@ -111,6 +111,8 @@
 /*
  * Transform masks and values (for crt_flags).
  */
+#define CRYPTO_TFM_NEED_KEY		0x00000001
+
 #define CRYPTO_TFM_REQ_MASK		0x000fff00
 #define CRYPTO_TFM_RES_MASK		0xfff00000