From patchwork Thu Feb  1 12:14:31 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
X-Patchwork-Id: 868220
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3zXJvq0ZdVz9t4B;
	Thu,  1 Feb 2018 23:14:46 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1ehDlI-0001CL-Im; Thu, 01 Feb 2018 12:14:40 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)
	id 1ehDlF-0001Bj-U1
	for kernel-team@lists.ubuntu.com; Thu, 01 Feb 2018 12:14:37 +0000
Received: from mail-wm0-f71.google.com ([74.125.82.71])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)
	id 1ehDlF-0003uw-Mc
	for kernel-team@lists.ubuntu.com; Thu, 01 Feb 2018 12:14:37 +0000
Received: by mail-wm0-f71.google.com with SMTP id a6so1590983wme.9
	for <kernel-team@lists.ubuntu.com>;
	Thu, 01 Feb 2018 04:14:37 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=HuWKjLglinyStt/OItIX8sx5wKh/nN0EemP8cTGWVMQ=;
	b=H2y19aWrgXj/bNpbxTMdklaFYBhJ4DUIQ4EpWCmuo9ICaVWvQ2hp6cc9JzAytkLp1s
	gIX5aGQuG+d2sF7OgzOkwnIVMtoP4xjYzKm83WEQQaHIh/LWEnSQteQALfUInHwZSuPu
	2FDS+7YNvZvpombXKDELWClxfm08kZ7gnwlPa8XIZ9uBUtol27oJYHv4Ca/pdufZlnBN
	Z2UftI74VDzNf6UHNvWSnaRRc0Orp6YZ1ReBs3OGCtDmHqN2Q78Tl9PMLTKDjdeYOvK3
	HLU5P+l7mVHncihRUj2kXK9/7mkoObOcpB5keXBTWeSiTOkVhkUR7UMYref/b8SGqgi5
	iz6w==
X-Gm-Message-State: AKwxytf5ZUMBn1aIl8F1JJm/Q6E+T8PqmDWQGz6Q2jueAJGClC68AgdI
	OeooIr1uqII8Idf52U4AL1j9rWw+CH7mCGGU4xNSakjwzXpcqVzcxntDS13ZXJpVFFNS+ZpEHT8
	Y+k3FinBTgwh1xF684ovkMIq6RUh7JH4zoAKqlWk1dQ==
X-Received: by 10.223.178.206 with SMTP id g72mr5265585wrd.213.1517487276999;
	Thu, 01 Feb 2018 04:14:36 -0800 (PST)
X-Google-Smtp-Source: 
 AH8x2264x3CvOuJCeRj8SgFym8+HBMNNyRcJuK7yk+dpcwjCHuNs3O3SCkPYVcqMzo3SFaAJTb+ZAg==
X-Received: by 10.223.178.206 with SMTP id g72mr5265565wrd.213.1517487276629;
	Thu, 01 Feb 2018 04:14:36 -0800 (PST)
Received: from localhost ([2a02:8109:98c0:1604:e0bc:dea5:ede9:cfef])
	by smtp.gmail.com with ESMTPSA id
	d17sm16985584wrc.19.2018.02.01.04.14.35
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Thu, 01 Feb 2018 04:14:35 -0800 (PST)
From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][Artful][PATCH 1/1] crypto: salsa20 - fix
	blkcipher_walk API usage
Date: Thu,  1 Feb 2018 13:14:31 +0100
Message-Id: <20180201121431.20804-2-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20180201121431.20804-1-kleber.souza@canonical.com>
References: <20180201121431.20804-1-kleber.souza@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Eric Biggers <ebiggers@google.com>

When asked to encrypt or decrypt 0 bytes, both the generic and x86
implementations of Salsa20 crash in blkcipher_walk_done(), either when
doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
because walk->buffer and walk->page have not been initialized.

The bug is that Salsa20 is calling blkcipher_walk_done() even when
nothing is in 'walk.nbytes'.  But blkcipher_walk_done() is only meant to
be called when a nonzero number of bytes have been provided.

The broken code is part of an optimization that tries to make only one
call to salsa20_encrypt_bytes() to process inputs that are not evenly
divisible by 64 bytes.  To fix the bug, just remove this "optimization"
and use the blkcipher_walk API the same way all the other users do.

Reproducer:

    #include <linux/if_alg.h>
    #include <sys/socket.h>
    #include <unistd.h>

    int main()
    {
            int algfd, reqfd;
            struct sockaddr_alg addr = {
                    .salg_type = "skcipher",
                    .salg_name = "salsa20",
            };
            char key[16] = { 0 };

            algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
            bind(algfd, (void *)&addr, sizeof(addr));
            reqfd = accept(algfd, 0, 0);
            setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
            read(reqfd, key, sizeof(key));
    }

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
Cc: <stable@vger.kernel.org> # v2.6.25+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

CVE-2017-17805
(cherry picked from commit ecaaab5649781c5a0effdaf298a925063020500e)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
---
 arch/x86/crypto/salsa20_glue.c | 7 -------
 crypto/salsa20_generic.c       | 7 -------
 2 files changed, 14 deletions(-)

diff --git a/arch/x86/crypto/salsa20_glue.c b/arch/x86/crypto/salsa20_glue.c
index 399a29d067d6..cb91a64a99e7 100644
--- a/arch/x86/crypto/salsa20_glue.c
+++ b/arch/x86/crypto/salsa20_glue.c
@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc *desc,
 
 	salsa20_ivsetup(ctx, walk.iv);
 
-	if (likely(walk.nbytes == nbytes))
-	{
-		salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
-				      walk.dst.virt.addr, nbytes);
-		return blkcipher_walk_done(desc, &walk, 0);
-	}
-
 	while (walk.nbytes >= 64) {
 		salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
 				      walk.dst.virt.addr,
diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c
index f550b5d94630..d7da0eea5622 100644
--- a/crypto/salsa20_generic.c
+++ b/crypto/salsa20_generic.c
@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc,
 
 	salsa20_ivsetup(ctx, walk.iv);
 
-	if (likely(walk.nbytes == nbytes))
-	{
-		salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
-				      walk.src.virt.addr, nbytes);
-		return blkcipher_walk_done(desc, &walk, 0);
-	}
-
 	while (walk.nbytes >= 64) {
 		salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
 				      walk.src.virt.addr,