diff options
| author | Eric Biggers <ebiggers@google.com> | 2017-11-29 01:18:57 -0800 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2017-12-11 22:29:53 +1100 |
| commit | bb3b8b211f88eb46571b8b705bb9a6290ef54b25 (patch) | |
| tree | d3edd428f5341fb2d3955bb0666258ab814916df /crypto/des_generic.c | |
| parent | 8dce1988dfaa3668372990f05ee2202d9d9521b5 (diff) | |
| download | linux-crypto-bb3b8b211f88eb46571b8b705bb9a6290ef54b25.tar.gz linux-crypto-bb3b8b211f88eb46571b8b705bb9a6290ef54b25.zip | |
crypto: skcipher - set walk.iv for zero-length inputs
All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
before checking whether any bytes need to be processed (walk.nbytes).
But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
and the algorithms crash trying to use the uninitialized IV pointer.
Fix it by setting the IV earlier in skcipher_walk_virt(). Also fix it
for the AEAD walk functions.
This isn't a perfect solution because we can't actually align the IV to
->cra_alignmask unless there are bytes to process, for one because the
temporary buffer for the aligned IV is freed by skcipher_walk_done(),
which is only called when there are bytes to process. Thus, algorithms
that require aligned IVs will still need to avoid accessing the IV when
walk.nbytes == 0. Still, many algorithms/architectures are fine with
IVs having any alignment, and even for those that aren't, a misaligned
pointer bug is much less severe than an uninitialized pointer bug.
This change also matches the behavior of the older blkcipher_walk API.
Fixes: 75b192a19c70 ("crypto: skcipher - Fix crash on zero-length input")
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # v4.14+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/des_generic.c')
0 files changed, 0 insertions, 0 deletions