• Eric Biggers's avatar
    crypto: chacha20poly1305 - validate the digest size · 869994e0
    Eric Biggers authored
    commit e57121d0 upstream.
    
    If the rfc7539 template was instantiated with a hash algorithm with
    digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest
    overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the
    subsequent memory, including 'cryptlen'.  This caused a crash during
    crypto_skcipher_decrypt().
    
    Fix it by, when instantiating the template, requiring that the
    underlying hash algorithm has the digest size expected for Poly1305.
    
    Reproducer:
    
        #include <linux/if_alg.h>
        #include <sys/socket.h>
        #include <unistd.h>
    
        int main()
        {
                int algfd, reqfd;
                struct sockaddr_alg addr = {
                        .salg_type = "aead",
                        .salg_name = "rfc7539(chacha20,sha256)",
                };
                unsigned char buf[32] = { 0 };
    
                algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                bind(algfd, (void *)&addr, sizeof(addr));
                setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));
                reqfd = accept(algfd, 0, 0);
                write(reqfd, buf, 16);
                read(reqfd, buf, 16);
        }
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Fixes: 71ebc4d1 ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    869994e0
chacha20poly1305.c 19.2 KB