Re: [PATCH 2/4] crypto: dh - don't permit 'p' to be 0
On 11/02/2017 12:25 AM, Eric Biggers wrote:
From: Eric Biggers
If 'p' is 0 for the software Diffie-Hellman implementation, then
dh_max_size() returns 0. In the case of KEYCTL_DH_COMPUTE, this causes
ZERO_SIZE_POINTER to be passed to sg_init_one(), which with
CONFIG_DEBUG_SG=y triggers the 'BUG_ON(!virt_addr_valid(buf));' in
sg_set_buf().
Fix this by making crypto_dh_decode_key() reject 0 for 'p'. p=0 makes
no sense for any DH implementation because 'p' is supposed to be a prime
number. Moreover, 'mod 0' is not mathematically defined.
Bug report:
kernel BUG at ./include/linux/scatterlist.h:140!
invalid opcode: [#1] SMP KASAN
CPU: 0 PID: 27112 Comm: syz-executor2 Not tainted
4.14.0-rc7-00010-gf5dbb5d0ce32-dirty #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.3-20171021_125229-anatol 04/01/2014
task: 88006caac0c0 task.stack: 88006c7c8000
RIP: 0010:sg_set_buf include/linux/scatterlist.h:140 [inline]
RIP: 0010:sg_init_one+0x1b3/0x240 lib/scatterlist.c:156
RSP: 0018:88006c7cfb08 EFLAGS: 00010216
RAX: 0001 RBX: 88006c7cfe30 RCX: 64ee
RDX: 81cf64c3 RSI: c9d72000 RDI: 92e937e0
RBP: 88006c7cfb30 R08: ed000d8f9fab R09: 88006c7cfd30
R10: 0005 R11: ed000d8f9faa R12: 88006c7cfd30
R13: R14: 0010 R15: 88006c7cfc50
FS: 7fce190fa700() GS:88003ea0()
knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7fffc6b33db8 CR3: 3cf64000 CR4: 06f0
Call Trace:
__keyctl_dh_compute+0xa95/0x19b0 security/keys/dh.c:360
keyctl_dh_compute+0xac/0x100 security/keys/dh.c:434
SYSC_keyctl security/keys/keyctl.c:1745 [inline]
SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4585c9
RSP: 002b:7fce190f9bd8 EFLAGS: 0216 ORIG_RAX: 00fa
RAX: ffda RBX: 00738020 RCX: 004585c9
RDX: 2000d000 RSI: 2ff4 RDI: 0017
RBP: 0046 R08: 20008000 R09:
R10: R11: 0216 R12: 7fff6e610cde
R13: 7fff6e610cdf R14: 7fce190fa700 R15:
Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 33 5b 45 89
6c 24 14 41 5c 41 5d 41 5e 41 5f 5d c3 e8 fd 8f 68 ff <0f> 0b e8 f6 8f 68 ff 0f
0b e8 ef 8f 68 ff 0f 0b e8 e8 8f 68 ff 20
RIP: sg_set_buf include/linux/scatterlist.h:140 [inline] RSP:
88006c7cfb08
RIP: sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: 88006c7cfb08
Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
Cc: # v4.8+
Signed-off-by: Eric Biggers
Reviewed-by: Tudor Ambarus
Re: [PATCH 2/4] crypto: dh - don't permit 'p' to be 0
On Thu, Nov 02, 2017 at 01:40:51PM +0200, Tudor Ambarus wrote: > Hi, Eric, > > On 11/02/2017 12:25 AM, Eric Biggers wrote: > >If 'p' is 0 for the software Diffie-Hellman implementation, then > >dh_max_size() returns 0. > > dh_set_secret() returns -EINVAL if p_len < 1536, see > dh_check_params_length(). What am I missing? > > Cheers, > ta You pass a buffer containing 0's, not a buffer of length 0. The buffer is interpreted as an arbitrary precision integer, so any length buffer filled with 0's has the mathematical value 0. Eric
Re: [PATCH 2/4] crypto: dh - don't permit 'p' to be 0
Hi, Eric, On 11/02/2017 12:25 AM, Eric Biggers wrote: If 'p' is 0 for the software Diffie-Hellman implementation, then dh_max_size() returns 0. dh_set_secret() returns -EINVAL if p_len < 1536, see dh_check_params_length(). What am I missing? Cheers, ta
