linux/include/crypto
Eric Biggers e7aefb13e6 crypto: vmac - separate tfm and request context
commit bb29648102 upstream.

syzbot reported a crash in vmac_final() when multiple threads
concurrently use the same "vmac(aes)" transform through AF_ALG.  The bug
is pretty fundamental: the VMAC template doesn't separate per-request
state from per-tfm (per-key) state like the other hash algorithms do,
but rather stores it all in the tfm context.  That's wrong.

Also, vmac_final() incorrectly zeroes most of the state including the
derived keys and cached pseudorandom pad.  Therefore, only the first
VMAC invocation with a given key calculates the correct digest.

Fix these bugs by splitting the per-tfm state from the per-request state
and using the proper init/update/final sequencing for requests.

Reproducer for the crash:

    #include <linux/if_alg.h>
    #include <sys/socket.h>
    #include <unistd.h>

    int main()
    {
            int fd;
            struct sockaddr_alg addr = {
                    .salg_type = "hash",
                    .salg_name = "vmac(aes)",
            };
            char buf[256] = { 0 };

            fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
            bind(fd, (void *)&addr, sizeof(addr));
            setsockopt(fd, SOL_ALG, ALG_SET_KEY, buf, 16);
            fork();
            fd = accept(fd, NULL, NULL);
            for (;;)
                    write(fd, buf, 256);
    }

The immediate cause of the crash is that vmac_ctx_t.partial_size exceeds
VMAC_NHBYTES, causing vmac_final() to memset() a negative length.

Reported-by: syzbot+264bca3a6e8d645550d3@syzkaller.appspotmail.com
Fixes: f1939f7c56 ("crypto: vmac - New hash algorithm for intel_txt support")
Cc: <stable@vger.kernel.org> # v2.6.32+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-08-17 21:01:10 +02:00
..
internal crypto: hash - introduce crypto_hash_alg_has_setkey() 2018-02-16 20:22:59 +01:00
ablk_helper.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
acompress.h crypto: acomp - add driver-side scomp interface 2016-10-25 11:08:31 +08:00
aead.h crypto: doc - clarify AEAD memory structure 2016-12-13 16:38:06 -07:00
aes.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
akcipher.h crypto: akcipher - assume key is already set in maxsize 2017-06-10 12:04:29 +08:00
algapi.h crypto: algapi - make crypto_xor() take separate dst and src arguments 2017-08-04 09:27:15 +08:00
authenc.h crypto: authenc - Export key parsing helper function 2013-10-16 20:56:25 +08:00
b128ops.h
blowfish.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cast5.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cast6.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cast_common.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cbc.h crypto: cbc - Export CBC implementation 2016-11-28 21:23:21 +08:00
chacha20.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cryptd.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
crypto_wq.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ctr.h [CRYPTO] ctr: Refactor into ctr and rfc3686 2008-01-11 08:16:41 +11:00
des.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dh.h crypto: kpp, (ec)dh - fix typos 2017-06-10 12:04:25 +08:00
drbg.h crypto: drbg - prevent invalid SG mappings 2016-11-30 19:46:44 +08:00
ecdh.h crypto: kpp, (ec)dh - fix typos 2017-06-10 12:04:25 +08:00
engine.h crypto: engine - replace pr_xxx by dev_xxx 2017-06-19 14:19:54 +08:00
gcm.h crypto: gcm - add GCM IV size constant 2018-02-03 17:38:49 +01:00
gf128mul.h crypto: gf128mul - switch gf128mul_x_ble to le128 2017-04-05 21:58:37 +08:00
ghash.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hash_info.h keys, trusted: select hash algorithm for TPM2 chips 2015-12-20 15:27:12 +02:00
hash.h crypto: hash - prevent using keyed hashes without setting key 2018-02-16 20:23:00 +01:00
hmac.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
if_alg.h crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t 2018-03-03 10:24:29 +01:00
kpp.h crypto: kpp - add get/set_flags helpers 2017-07-18 17:50:57 +08:00
lrw.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mcryptd.h crypto: mcryptd - protect the per-CPU queue with a lock 2017-12-29 17:53:45 +01:00
md5.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
null.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
padlock.h crypto: padlock - Move padlock.h into include/crypto 2011-01-07 14:52:00 +11:00
pcrypt.h crypto: pcrypt - Add pcrypt crypto parallelization wrapper 2010-01-07 15:57:19 +11:00
pkcs7.h PKCS#7: Make trust determination dependent on contents of trust keyring 2016-04-06 16:14:24 +01:00
poly1305.h crypto: poly1305 - remove ->setkey() method 2018-02-16 20:23:00 +01:00
public_key.h KEYS: Keyring asymmetric key restrict method with chaining 2017-04-04 14:10:13 -07:00
rng.h crypto: doc - Fix typo in crypto-API.xml 2015-06-04 15:05:08 +08:00
scatterwalk.h crypto: scatterwalk - Inline start/map/done 2016-07-18 17:35:50 +08:00
serpent.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sha1_base.h crypto: sha1 - implement base layer for SHA-1 2015-04-10 21:39:39 +08:00
sha3.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sha256_base.h crypto: sha256 - implement base layer for SHA-256 2015-04-10 21:39:39 +08:00
sha512_base.h crypto: sha512 - implement base layer for SHA-512 2015-04-10 21:39:39 +08:00
sha.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
skcipher.h crypto: skcipher - introduce walksize attribute for SIMD algos 2016-12-30 19:52:47 +08:00
twofish.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xts.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00