mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-18 02:56:47 +07:00
ecaaab5649
When asked to encrypt or decrypt 0 bytes, both the generic and x86
implementations of Salsa20 crash in blkcipher_walk_done(), either when
doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
because walk->buffer and walk->page have not been initialized.
The bug is that Salsa20 is calling blkcipher_walk_done() even when
nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to
be called when a nonzero number of bytes have been provided.
The broken code is part of an optimization that tries to make only one
call to salsa20_encrypt_bytes() to process inputs that are not evenly
divisible by 64 bytes. To fix the bug, just remove this "optimization"
and use the blkcipher_walk API the same way all the other users do.
Reproducer:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
int algfd, reqfd;
struct sockaddr_alg addr = {
.salg_type = "skcipher",
.salg_name = "salsa20",
};
char key[16] = { 0 };
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(algfd, (void *)&addr, sizeof(addr));
reqfd = accept(algfd, 0, 0);
setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
read(reqfd, key, sizeof(key));
}
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: eb6f13eb9f ("[CRYPTO] salsa20_generic: Fix multi-page processing")
Cc: <stable@vger.kernel.org> # v2.6.25+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
117 lines
3.3 KiB
C
117 lines
3.3 KiB
C
/*
|
|
* Glue code for optimized assembly version of Salsa20.
|
|
*
|
|
* Copyright (c) 2007 Tan Swee Heng <thesweeheng@gmail.com>
|
|
*
|
|
* The assembly codes are public domain assembly codes written by Daniel. J.
|
|
* Bernstein <djb@cr.yp.to>. The codes are modified to include indentation
|
|
* and to remove extraneous comments and functions that are not needed.
|
|
* - i586 version, renamed as salsa20-i586-asm_32.S
|
|
* available from <http://cr.yp.to/snuffle/salsa20/x86-pm/salsa20.s>
|
|
* - x86-64 version, renamed as salsa20-x86_64-asm_64.S
|
|
* available from <http://cr.yp.to/snuffle/salsa20/amd64-3/salsa20.s>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the Free
|
|
* Software Foundation; either version 2 of the License, or (at your option)
|
|
* any later version.
|
|
*
|
|
*/
|
|
|
|
#include <crypto/algapi.h>
|
|
#include <linux/module.h>
|
|
#include <linux/crypto.h>
|
|
|
|
#define SALSA20_IV_SIZE 8U
|
|
#define SALSA20_MIN_KEY_SIZE 16U
|
|
#define SALSA20_MAX_KEY_SIZE 32U
|
|
|
|
struct salsa20_ctx
|
|
{
|
|
u32 input[16];
|
|
};
|
|
|
|
asmlinkage void salsa20_keysetup(struct salsa20_ctx *ctx, const u8 *k,
|
|
u32 keysize, u32 ivsize);
|
|
asmlinkage void salsa20_ivsetup(struct salsa20_ctx *ctx, const u8 *iv);
|
|
asmlinkage void salsa20_encrypt_bytes(struct salsa20_ctx *ctx,
|
|
const u8 *src, u8 *dst, u32 bytes);
|
|
|
|
static int setkey(struct crypto_tfm *tfm, const u8 *key,
|
|
unsigned int keysize)
|
|
{
|
|
struct salsa20_ctx *ctx = crypto_tfm_ctx(tfm);
|
|
salsa20_keysetup(ctx, key, keysize*8, SALSA20_IV_SIZE*8);
|
|
return 0;
|
|
}
|
|
|
|
static int encrypt(struct blkcipher_desc *desc,
|
|
struct scatterlist *dst, struct scatterlist *src,
|
|
unsigned int nbytes)
|
|
{
|
|
struct blkcipher_walk walk;
|
|
struct crypto_blkcipher *tfm = desc->tfm;
|
|
struct salsa20_ctx *ctx = crypto_blkcipher_ctx(tfm);
|
|
int err;
|
|
|
|
blkcipher_walk_init(&walk, dst, src, nbytes);
|
|
err = blkcipher_walk_virt_block(desc, &walk, 64);
|
|
|
|
salsa20_ivsetup(ctx, walk.iv);
|
|
|
|
while (walk.nbytes >= 64) {
|
|
salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
|
|
walk.dst.virt.addr,
|
|
walk.nbytes - (walk.nbytes % 64));
|
|
err = blkcipher_walk_done(desc, &walk, walk.nbytes % 64);
|
|
}
|
|
|
|
if (walk.nbytes) {
|
|
salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
|
|
walk.dst.virt.addr, walk.nbytes);
|
|
err = blkcipher_walk_done(desc, &walk, 0);
|
|
}
|
|
|
|
return err;
|
|
}
|
|
|
|
static struct crypto_alg alg = {
|
|
.cra_name = "salsa20",
|
|
.cra_driver_name = "salsa20-asm",
|
|
.cra_priority = 200,
|
|
.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
|
|
.cra_type = &crypto_blkcipher_type,
|
|
.cra_blocksize = 1,
|
|
.cra_ctxsize = sizeof(struct salsa20_ctx),
|
|
.cra_alignmask = 3,
|
|
.cra_module = THIS_MODULE,
|
|
.cra_u = {
|
|
.blkcipher = {
|
|
.setkey = setkey,
|
|
.encrypt = encrypt,
|
|
.decrypt = encrypt,
|
|
.min_keysize = SALSA20_MIN_KEY_SIZE,
|
|
.max_keysize = SALSA20_MAX_KEY_SIZE,
|
|
.ivsize = SALSA20_IV_SIZE,
|
|
}
|
|
}
|
|
};
|
|
|
|
static int __init init(void)
|
|
{
|
|
return crypto_register_alg(&alg);
|
|
}
|
|
|
|
static void __exit fini(void)
|
|
{
|
|
crypto_unregister_alg(&alg);
|
|
}
|
|
|
|
module_init(init);
|
|
module_exit(fini);
|
|
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_DESCRIPTION ("Salsa20 stream cipher algorithm (optimized assembly version)");
|
|
MODULE_ALIAS_CRYPTO("salsa20");
|
|
MODULE_ALIAS_CRYPTO("salsa20-asm");
|