提交 9a5467bf 编写于 作者: M Mathias Krause 提交者: Herbert Xu

crypto: user - fix info leaks in report API

Three errors resulting in kernel memory disclosure:

1/ The structures used for the netlink based crypto algorithm report API
are located on the stack. As snprintf() does not fill the remainder of
the buffer with null bytes, those stack bytes will be disclosed to users
of the API. Switch to strncpy() to fix this.

2/ crypto_report_one() does not initialize all field of struct
crypto_user_alg. Fix this to fix the heap info leak.

3/ For the module name we should copy only as many bytes as
module_name() returns -- not as much as the destination buffer could
hold. But the current code does not and therefore copies random data
from behind the end of the module name, as the module name is always
shorter than CRYPTO_MAX_ALG_NAME.

Also switch to use strncpy() to copy the algorithm's name and
driver_name. They are strings, after all.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
上级 7eb9c5df
...@@ -388,9 +388,9 @@ static int crypto_ablkcipher_report(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -388,9 +388,9 @@ static int crypto_ablkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
{ {
struct crypto_report_blkcipher rblkcipher; struct crypto_report_blkcipher rblkcipher;
snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "ablkcipher"); strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type));
snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s", strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
alg->cra_ablkcipher.geniv ?: "<default>"); sizeof(rblkcipher.geniv));
rblkcipher.blocksize = alg->cra_blocksize; rblkcipher.blocksize = alg->cra_blocksize;
rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
...@@ -469,9 +469,9 @@ static int crypto_givcipher_report(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -469,9 +469,9 @@ static int crypto_givcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
{ {
struct crypto_report_blkcipher rblkcipher; struct crypto_report_blkcipher rblkcipher;
snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "givcipher"); strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type));
snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s", strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<built-in>",
alg->cra_ablkcipher.geniv ?: "<built-in>"); sizeof(rblkcipher.geniv));
rblkcipher.blocksize = alg->cra_blocksize; rblkcipher.blocksize = alg->cra_blocksize;
rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
......
...@@ -117,9 +117,8 @@ static int crypto_aead_report(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -117,9 +117,8 @@ static int crypto_aead_report(struct sk_buff *skb, struct crypto_alg *alg)
struct crypto_report_aead raead; struct crypto_report_aead raead;
struct aead_alg *aead = &alg->cra_aead; struct aead_alg *aead = &alg->cra_aead;
snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "aead"); strncpy(raead.type, "aead", sizeof(raead.type));
snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s", strncpy(raead.geniv, aead->geniv ?: "<built-in>", sizeof(raead.geniv));
aead->geniv ?: "<built-in>");
raead.blocksize = alg->cra_blocksize; raead.blocksize = alg->cra_blocksize;
raead.maxauthsize = aead->maxauthsize; raead.maxauthsize = aead->maxauthsize;
...@@ -203,8 +202,8 @@ static int crypto_nivaead_report(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -203,8 +202,8 @@ static int crypto_nivaead_report(struct sk_buff *skb, struct crypto_alg *alg)
struct crypto_report_aead raead; struct crypto_report_aead raead;
struct aead_alg *aead = &alg->cra_aead; struct aead_alg *aead = &alg->cra_aead;
snprintf(raead.type, CRYPTO_MAX_ALG_NAME, "%s", "nivaead"); strncpy(raead.type, "nivaead", sizeof(raead.type));
snprintf(raead.geniv, CRYPTO_MAX_ALG_NAME, "%s", aead->geniv); strncpy(raead.geniv, aead->geniv, sizeof(raead.geniv));
raead.blocksize = alg->cra_blocksize; raead.blocksize = alg->cra_blocksize;
raead.maxauthsize = aead->maxauthsize; raead.maxauthsize = aead->maxauthsize;
......
...@@ -404,7 +404,7 @@ static int crypto_ahash_report(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -404,7 +404,7 @@ static int crypto_ahash_report(struct sk_buff *skb, struct crypto_alg *alg)
{ {
struct crypto_report_hash rhash; struct crypto_report_hash rhash;
snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "ahash"); strncpy(rhash.type, "ahash", sizeof(rhash.type));
rhash.blocksize = alg->cra_blocksize; rhash.blocksize = alg->cra_blocksize;
rhash.digestsize = __crypto_hash_alg_common(alg)->digestsize; rhash.digestsize = __crypto_hash_alg_common(alg)->digestsize;
......
...@@ -499,9 +499,9 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -499,9 +499,9 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
{ {
struct crypto_report_blkcipher rblkcipher; struct crypto_report_blkcipher rblkcipher;
snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "blkcipher"); strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type));
snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s", strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>",
alg->cra_blkcipher.geniv ?: "<default>"); sizeof(rblkcipher.geniv));
rblkcipher.blocksize = alg->cra_blocksize; rblkcipher.blocksize = alg->cra_blocksize;
rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize; rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
......
...@@ -75,7 +75,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -75,7 +75,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg)
{ {
struct crypto_report_cipher rcipher; struct crypto_report_cipher rcipher;
snprintf(rcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "cipher"); strncpy(rcipher.type, "cipher", sizeof(rcipher.type));
rcipher.blocksize = alg->cra_blocksize; rcipher.blocksize = alg->cra_blocksize;
rcipher.min_keysize = alg->cra_cipher.cia_min_keysize; rcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
...@@ -94,8 +94,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -94,8 +94,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg)
{ {
struct crypto_report_comp rcomp; struct crypto_report_comp rcomp;
snprintf(rcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "compression"); strncpy(rcomp.type, "compression", sizeof(rcomp.type));
if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS, if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
sizeof(struct crypto_report_comp), &rcomp)) sizeof(struct crypto_report_comp), &rcomp))
goto nla_put_failure; goto nla_put_failure;
...@@ -108,12 +107,14 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -108,12 +107,14 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg)
static int crypto_report_one(struct crypto_alg *alg, static int crypto_report_one(struct crypto_alg *alg,
struct crypto_user_alg *ualg, struct sk_buff *skb) struct crypto_user_alg *ualg, struct sk_buff *skb)
{ {
memcpy(&ualg->cru_name, &alg->cra_name, sizeof(ualg->cru_name)); strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
memcpy(&ualg->cru_driver_name, &alg->cra_driver_name, strncpy(ualg->cru_driver_name, alg->cra_driver_name,
sizeof(ualg->cru_driver_name)); sizeof(ualg->cru_driver_name));
memcpy(&ualg->cru_module_name, module_name(alg->cra_module), strncpy(ualg->cru_module_name, module_name(alg->cra_module),
CRYPTO_MAX_ALG_NAME); sizeof(ualg->cru_module_name));
ualg->cru_type = 0;
ualg->cru_mask = 0;
ualg->cru_flags = alg->cra_flags; ualg->cru_flags = alg->cra_flags;
ualg->cru_refcnt = atomic_read(&alg->cra_refcnt); ualg->cru_refcnt = atomic_read(&alg->cra_refcnt);
...@@ -122,8 +123,7 @@ static int crypto_report_one(struct crypto_alg *alg, ...@@ -122,8 +123,7 @@ static int crypto_report_one(struct crypto_alg *alg,
if (alg->cra_flags & CRYPTO_ALG_LARVAL) { if (alg->cra_flags & CRYPTO_ALG_LARVAL) {
struct crypto_report_larval rl; struct crypto_report_larval rl;
snprintf(rl.type, CRYPTO_MAX_ALG_NAME, "%s", "larval"); strncpy(rl.type, "larval", sizeof(rl.type));
if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL, if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL,
sizeof(struct crypto_report_larval), &rl)) sizeof(struct crypto_report_larval), &rl))
goto nla_put_failure; goto nla_put_failure;
......
...@@ -53,8 +53,7 @@ static int crypto_pcomp_report(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -53,8 +53,7 @@ static int crypto_pcomp_report(struct sk_buff *skb, struct crypto_alg *alg)
{ {
struct crypto_report_comp rpcomp; struct crypto_report_comp rpcomp;
snprintf(rpcomp.type, CRYPTO_MAX_ALG_NAME, "%s", "pcomp"); strncpy(rpcomp.type, "pcomp", sizeof(rpcomp.type));
if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS, if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
sizeof(struct crypto_report_comp), &rpcomp)) sizeof(struct crypto_report_comp), &rpcomp))
goto nla_put_failure; goto nla_put_failure;
......
...@@ -65,7 +65,7 @@ static int crypto_rng_report(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -65,7 +65,7 @@ static int crypto_rng_report(struct sk_buff *skb, struct crypto_alg *alg)
{ {
struct crypto_report_rng rrng; struct crypto_report_rng rrng;
snprintf(rrng.type, CRYPTO_MAX_ALG_NAME, "%s", "rng"); strncpy(rrng.type, "rng", sizeof(rrng.type));
rrng.seedsize = alg->cra_rng.seedsize; rrng.seedsize = alg->cra_rng.seedsize;
......
...@@ -530,7 +530,8 @@ static int crypto_shash_report(struct sk_buff *skb, struct crypto_alg *alg) ...@@ -530,7 +530,8 @@ static int crypto_shash_report(struct sk_buff *skb, struct crypto_alg *alg)
struct crypto_report_hash rhash; struct crypto_report_hash rhash;
struct shash_alg *salg = __crypto_shash_alg(alg); struct shash_alg *salg = __crypto_shash_alg(alg);
snprintf(rhash.type, CRYPTO_MAX_ALG_NAME, "%s", "shash"); strncpy(rhash.type, "shash", sizeof(rhash.type));
rhash.blocksize = alg->cra_blocksize; rhash.blocksize = alg->cra_blocksize;
rhash.digestsize = salg->digestsize; rhash.digestsize = salg->digestsize;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册