linux/crypto
Jarod Wilson 516280e735 crypto: ccm - Fix handling of null assoc data
Its a valid use case to have null associated data in a ccm vector, but
this case isn't being handled properly right now.

The following ccm decryption/verification test vector, using the
rfc4309 implementation regularly triggers a panic, as will any
other vector with null assoc data:

* key: ab2f8a74b71cd2b1ff802e487d82f8b9
* iv: c6fb7d800d13abd8a6b2d8
* Associated Data: [NULL]
* Tag Length: 8
* input: d5e8939fc7892e2b

The resulting panic looks like so:

Unable to handle kernel paging request at ffff810064ddaec0 RIP: 
 [<ffffffff8864c4d7>] :ccm:get_data_to_compute+0x1a6/0x1d6
PGD 8063 PUD 0 
Oops: 0002 [1] SMP 
last sysfs file: /module/libata/version
CPU 0
Modules linked in: crypto_tester_kmod(U) seqiv krng ansi_cprng chainiv rng ctr aes_generic aes_x86_64 ccm cryptomgr testmgr_cipher testmgr aead crypto_blkcipher crypto_a
lgapi des ipv6 xfrm_nalgo crypto_api autofs4 hidp l2cap bluetooth nfs lockd fscache nfs_acl sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_
tcpudp iptable_filter ip_tables x_tables dm_mirror dm_log dm_multipath scsi_dh dm_mod video hwmon backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp sg 
snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss joydev snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss ide_cd snd_pcm floppy parport_p
c shpchp e752x_edac snd_timer e1000 i2c_i801 edac_mc snd soundcore snd_page_alloc i2c_core cdrom parport serio_raw pcspkr ata_piix libata sd_mod scsi_mod ext3 jbd uhci_h
cd ohci_hcd ehci_hcd
Pid: 12844, comm: crypto-tester Tainted: G      2.6.18-128.el5.fips1 #1
RIP: 0010:[<ffffffff8864c4d7>]  [<ffffffff8864c4d7>] :ccm:get_data_to_compute+0x1a6/0x1d6
RSP: 0018:ffff8100134434e8  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8100104898b0 RCX: ffffffffab6aea10
RDX: 0000000000000010 RSI: ffff8100104898c0 RDI: ffff810064ddaec0
RBP: 0000000000000000 R08: ffff8100104898b0 R09: 0000000000000000
R10: ffff8100103bac84 R11: ffff8100104898b0 R12: ffff810010489858
R13: ffff8100104898b0 R14: ffff8100103bac00 R15: 0000000000000000
FS:  00002ab881adfd30(0000) GS:ffffffff803ac000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff810064ddaec0 CR3: 0000000012a88000 CR4: 00000000000006e0
Process crypto-tester (pid: 12844, threadinfo ffff810013442000, task ffff81003d165860)
Stack:  ffff8100103bac00 ffff8100104898e8 ffff8100134436f8 ffffffff00000000
 0000000000000000 ffff8100104898b0 0000000000000000 ffff810010489858
 0000000000000000 ffff8100103bac00 ffff8100134436f8 ffffffff8864c634
Call Trace:
 [<ffffffff8864c634>] :ccm:crypto_ccm_auth+0x12d/0x140
 [<ffffffff8864cf73>] :ccm:crypto_ccm_decrypt+0x161/0x23a
 [<ffffffff88633643>] :crypto_tester_kmod:cavs_test_rfc4309_ccm+0x4a5/0x559
[...]

The above is from a RHEL5-based kernel, but upstream is susceptible too.

The fix is trivial: in crypto/ccm.c:crypto_ccm_auth(), pctx->ilen contains
whatever was in memory when pctx was allocated if assoclen is 0. The tested
fix is to simply add an else clause setting pctx->ilen to 0 for the
assoclen == 0 case, so that get_data_to_compute() doesn't try doing
things its not supposed to.

Signed-off-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-01-27 17:11:15 +11:00
..
async_tx dmaengine: replace dma_async_client_register with dmaengine_get 2009-01-06 11:38:17 -07:00
ablkcipher.c
aead.c
aes_generic.c crypto: aes - Precompute tables 2008-12-25 11:05:13 +11:00
ahash.c crypto: hash - Make setkey optional 2008-12-25 11:02:06 +11:00
algapi.c
algboss.c
ansi_cprng.c crypto: ansi_cprng - fix inverted DT increment routine 2008-12-25 11:01:49 +11:00
anubis.c
api.c crypto: api - Rebirth of crypto_alloc_tfm 2008-12-25 11:01:24 +11:00
arc4.c
authenc.c crypto: authenc - Fix zero-length IV crash 2009-01-15 15:33:49 +11:00
blkcipher.c crypto: blkcipher - Fix WARN_ON handling in walk_done 2009-01-27 17:11:13 +11:00
blowfish.c
camellia.c crypto: camellia - use kernel-provided bitops, unaligned access 2008-12-25 11:01:15 +11:00
cast5.c
cast6.c
cbc.c
ccm.c crypto: ccm - Fix handling of null assoc data 2009-01-27 17:11:15 +11:00
chainiv.c
cipher.c
compress.c
crc32c.c libcrc32c: Move implementation to crypto crc32c 2008-12-25 11:01:40 +11:00
cryptd.c
crypto_null.c crypto: null - Switch to shash 2008-12-25 11:02:07 +11:00
ctr.c
cts.c
deflate.c
des_generic.c crypto: des3_ede - permit weak keys unless REQ_WEAK_KEY set 2008-12-25 11:02:28 +11:00
digest.c
ecb.c
eseqiv.c
fcrypt.c crypto: remove uses of __constant_{endian} helpers 2008-12-25 11:02:03 +11:00
fips.c
gcm.c
gf128mul.c
hash.c
hmac.c crypto: hash - Export shash through hash 2008-12-25 11:01:33 +11:00
internal.h crypto: api - Rebirth of crypto_alloc_tfm 2008-12-25 11:01:24 +11:00
Kconfig crypto: sha512 - Switch to shash 2008-12-25 11:02:27 +11:00
khazad.c
krng.c
lrw.c
lzo.c
Makefile crypto: hash - Add shash interface 2008-12-25 11:01:26 +11:00
md4.c crypto: md4 - Switch to shash 2008-12-25 11:02:16 +11:00
md5.c crypto: md5 - Switch to shash 2008-12-25 11:02:18 +11:00
michael_mic.c crypto: michael_mic - Switch to shash 2008-12-25 11:02:24 +11:00
pcbc.c
proc.c crypto: api - Call type show function before legacy for proc 2008-12-25 11:01:32 +11:00
ripemd.h
rmd128.c crypto: rmd128 - Switch to shash 2008-12-25 11:02:09 +11:00
rmd160.c crypto: rmd160 - Switch to shash 2008-12-25 11:02:10 +11:00
rmd256.c crypto: rmd256 - Switch to shash 2008-12-25 11:02:12 +11:00
rmd320.c crypto: rmd320 - Switch to shash 2008-12-25 11:02:13 +11:00
rng.c
salsa20_generic.c crypto: salsa20 - Remove private wrappers around various operations 2008-12-25 11:02:30 +11:00
scatterwalk.c
seed.c
seqiv.c
serpent.c
sha1_generic.c crypto: sha1 - Switch to shash 2008-12-25 11:02:15 +11:00
sha256_generic.c crypto: sha256 - Switch to shash 2008-12-25 11:02:19 +11:00
sha512_generic.c crypto: sha512 - Switch to shash 2008-12-25 11:02:27 +11:00
shash.c crypto: hash - Make setkey optional 2008-12-25 11:02:06 +11:00
tcrypt.c
tcrypt.h
tea.c
testmgr.c crypto: testmgr - Validate output length in (de)compression tests 2008-12-25 11:02:04 +11:00
testmgr.h crypto: testmgr - Correct comment about deflate parameters 2008-12-25 11:02:32 +11:00
tgr192.c crypto: tgr192 - Switch to shash 2008-12-25 11:02:21 +11:00
twofish_common.c
twofish.c
wp512.c crypto: wp512 - Switch to shash 2008-12-25 11:02:22 +11:00
xcbc.c
xor.c
xts.c