On Tue, 2015-04-14 at 21:46 +0100, Ben Hutchings wrote:
> Linux kernel commit ccfe8c3f7e52 ("crypto: aesni - fix memory usage in
> GCM decryption") fixes two bugs in pointer arithmetic that lead to
> buffer overruns (even with valid parameters!):
>
> https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
>
> These are described as resulting in DoS (local or remote), but are
> presumably also exploitable for privilege escalation.
>
> The bugs appear to have been introduced by commit 0bd82f5f6355 ("crypto:
> aesni-intel - RFC4106 AES-GCM Driver Using Intel New Instructions") in
> Linux 2.6.38.
[...]After some discussion of these bugs, I'd like to provide my current understanding of the attack vectors. I haven't reproduced the bug or analysed the code myself; this is only based on what I've been told. - The affected code paths are reachable through AF_ALG, but only using the algif_aead module which has not been included in any released kernel. The module and the fix will be part of Linux 4.1. So this attack vector can be largely ignored. - The kernel developers thought that these code paths were not used for decrypting packets for IPsec tunnels. However, they are if a packet is reassembled from IP fragments. This really does cause DoS, confirmed in <https://bugs.debian.org/782561>. Ben. -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse.
signature.asc
Description: This is a digitally signed message part
