
Commit ccfe8c3

smuellerDD authored and herbertx committed
crypto: aesni - fix memory usage in GCM decryption
The kernel crypto API logic requires the caller to provide the length of (ciphertext || authentication tag) as cryptlen for the AEAD decryption operation. Thus, the cipher implementation must calculate the size of the plaintext output itself and cannot simply use cryptlen.

The RFC4106 GCM decryption operation tries to overwrite cryptlen memory in req->dst. As the destination buffer for decryption only needs to hold the plaintext memory but cryptlen references the input buffer holding (ciphertext || authentication tag), the assumption of the destination buffer length in RFC4106 GCM operation leads to a too large size. This patch simply uses the already calculated plaintext size.

In addition, this patch fixes the offset calculation of the AAD buffer pointer: as mentioned before, cryptlen already includes the size of the tag. Thus, the tag does not need to be added. With the addition, the AAD will be written beyond the already allocated buffer.

Note, this fixes a kernel crash that can be triggered from user space via AF_ALG(aead) -- simply use the libkcapi test application from [1] and update it to use rfc4106-gcm-aes.

Using [1], the changes were tested using CAVS vectors to demonstrate that the crypto operation still delivers the right results.

[1] http://www.chronox.de/libkcapi.html

CC: Tadeusz Struk <tadeusz.struk@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
1 parent 001eabf commit ccfe8c3

1 file changed

+2
-2
lines changed

Diff for: arch/x86/crypto/aesni-intel_glue.c

@@ -1155,7 +1155,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req)
11551155
src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
11561156
if (!src)
11571157
return -ENOMEM;
1158-
assoc = (src + req->cryptlen + auth_tag_len);
1158+
assoc = (src + req->cryptlen);
11591159
scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
11601160
scatterwalk_map_and_copy(assoc, req->assoc, 0,
11611161
req->assoclen, 0);
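
Review bot: The corrected offset on the `assoc = (src + req->cryptlen);` line is only right because it mirrors the `kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC)` size three lines above, and nothing in the code records that layout. A short comment stating that src holds cryptlen bytes of (ciphertext || tag) followed by assoclen bytes of AAD would keep the two expressions from drifting apart again; with the old `+ auth_tag_len`, the second scatterwalk_map_and_copy wrote the AAD auth_tag_len bytes past the end of that allocation. It is also worth confirming that the sum passed to kmalloc cannot wrap, since no bound on either length is visible in this hunk.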
@@ -1180,7 +1180,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req)
11801180
scatterwalk_done(&src_sg_walk, 0, 0);
11811181
scatterwalk_done(&assoc_sg_walk, 0, 0);
11821182
} else {
1183-
scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
1183+
scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
11841184
kfree(src);
11851185
}
11861186
return retval;
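
Review bot: On the `scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);` line, the definition of tempCipherLen lies outside this hunk, so the review should confirm it is cryptlen minus the tag length and that a cryptlen smaller than the tag is rejected before this point; otherwise the subtraction would wrap and the copy into req->dst would again be oversized. Since the commit message says the crash is reachable from user space through AF_ALG, a regression test that passes a destination buffer sized exactly to the plaintext would be a useful addition alongside the CAVS runs.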
