From patchwork Wed Feb 1 08:17:51 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffen Klassert X-Patchwork-Id: 93003 Delivered-To: patch@linaro.org Received: by 10.140.20.99 with SMTP id 90csp2307053qgi; Wed, 1 Feb 2017 00:18:30 -0800 (PST) X-Received: by 10.84.225.148 with SMTP id u20mr2468893plj.93.1485937110103; Wed, 01 Feb 2017 00:18:30 -0800 (PST) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i88si18450658pfk.178.2017.02.01.00.18.29; Wed, 01 Feb 2017 00:18:30 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of netdev-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of netdev-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=netdev-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751787AbdBAIS1 (ORCPT + 5 others); Wed, 1 Feb 2017 03:18:27 -0500 Received: from a.mx.secunet.com ([62.96.220.36]:37078 "EHLO a.mx.secunet.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751687AbdBAISP (ORCPT ); Wed, 1 Feb 2017 03:18:15 -0500 Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 7FE5B201D0; Wed, 1 Feb 2017 09:18:09 +0100 (CET) X-Virus-Scanned: by secunet Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CB_L0iH8RGj3; Wed, 1 Feb 2017 09:18:09 +0100 (CET) Received: from mail-essen-01.secunet.de (204.40.53.10.in-addr.arpa [10.53.40.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id 61B82201D2; Wed, 1 Feb 2017 09:18:06 +0100 (CET) Received: from gauss.dd.secunet.de (10.182.7.102) by mail-essen-01.secunet.de (10.53.40.204) with Microsoft SMTP Server id 14.3.319.2; Wed, 1 Feb 2017 09:18:06 +0100 Received: by gauss.dd.secunet.de (Postfix, from userid 1000) id 06F2D5C0BFF; Wed, 1 Feb 2017 09:18:05 +0100 (CET) From: Steffen Klassert To: David Miller CC: Herbert Xu , Steffen Klassert , Subject: [PATCH 09/15] IPsec: do not ignore crypto err in ah4 input Date: Wed, 1 Feb 2017 09:17:51 +0100 Message-ID: <1485937077-612-10-git-send-email-steffen.klassert@secunet.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1485937077-612-1-git-send-email-steffen.klassert@secunet.com> References: <1485937077-612-1-git-send-email-steffen.klassert@secunet.com> MIME-Version: 1.0 X-Originating-IP: [10.182.7.102] X-G-Data-MailSecurity-for-Exchange-State: 0 X-G-Data-MailSecurity-for-Exchange-Error: 0 X-G-Data-MailSecurity-for-Exchange-Sender: 23 X-G-Data-MailSecurity-for-Exchange-Server: d65e63f7-5c15-413f-8f63-c0d707471c93 X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-G-Data-MailSecurity-for-Exchange-Guid: 45D1AE8E-07CF-4806-86B9-8754E1F8FC7E Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Gilad Ben-Yossef ah4 input processing uses the asynchronous hash crypto API which supplies an error code as part of the operation completion but the error code was being ignored. Treat a crypto API error indication as a verification failure. While a crypto API reported error would almost certainly result in a memcpy of the digest failing anyway and thus the security risk seems minor, performing a memory compare on what might be uninitialized memory is wrong. Signed-off-by: Gilad Ben-Yossef Signed-off-by: Steffen Klassert --- net/ipv4/ah4.c | 3 +++ 1 file changed, 3 insertions(+) -- 1.9.1 diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index f2a7102..22377c8 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c @@ -270,6 +270,9 @@ static void ah_input_done(struct crypto_async_request *base, int err) int ihl = ip_hdrlen(skb); int ah_hlen = (ah->hdrlen + 2) << 2; + if (err) + goto out; + work_iph = AH_SKB_CB(skb)->tmp; auth_data = ah_tmp_auth(work_iph, ihl); icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len); From patchwork Wed Feb 1 08:17:52 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffen Klassert X-Patchwork-Id: 93004 Delivered-To: patch@linaro.org Received: by 10.140.20.99 with SMTP id 90csp2307096qgi; Wed, 1 Feb 2017 00:18:38 -0800 (PST) X-Received: by 10.84.247.2 with SMTP id n2mr2509343pll.39.1485937118670; Wed, 01 Feb 2017 00:18:38 -0800 (PST) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i88si18450658pfk.178.2017.02.01.00.18.38; Wed, 01 Feb 2017 00:18:38 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of netdev-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of netdev-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=netdev-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751855AbdBAISZ (ORCPT + 5 others); Wed, 1 Feb 2017 03:18:25 -0500 Received: from a.mx.secunet.com ([62.96.220.36]:37096 "EHLO a.mx.secunet.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751820AbdBAISQ (ORCPT ); Wed, 1 Feb 2017 03:18:16 -0500 Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 8A130201D3; Wed, 1 Feb 2017 09:18:10 +0100 (CET) X-Virus-Scanned: by secunet Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g3Kc4hTO9vC0; Wed, 1 Feb 2017 09:18:08 +0100 (CET) Received: from mail-essen-01.secunet.de (204.40.53.10.in-addr.arpa [10.53.40.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id 606EB201D1; Wed, 1 Feb 2017 09:18:06 +0100 (CET) Received: from gauss.dd.secunet.de (10.182.7.102) by mail-essen-01.secunet.de (10.53.40.204) with Microsoft SMTP Server id 14.3.319.2; Wed, 1 Feb 2017 09:18:06 +0100 Received: by gauss.dd.secunet.de (Postfix, from userid 1000) id EACD55C0AA3; Wed, 1 Feb 2017 09:18:05 +0100 (CET) From: Steffen Klassert To: David Miller CC: Herbert Xu , Steffen Klassert , Subject: [PATCH 10/15] IPsec: do not ignore crypto err in ah6 input Date: Wed, 1 Feb 2017 09:17:52 +0100 Message-ID: <1485937077-612-11-git-send-email-steffen.klassert@secunet.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1485937077-612-1-git-send-email-steffen.klassert@secunet.com> References: <1485937077-612-1-git-send-email-steffen.klassert@secunet.com> MIME-Version: 1.0 X-Originating-IP: [10.182.7.102] X-G-Data-MailSecurity-for-Exchange-State: 0 X-G-Data-MailSecurity-for-Exchange-Error: 0 X-G-Data-MailSecurity-for-Exchange-Sender: 23 X-G-Data-MailSecurity-for-Exchange-Server: d65e63f7-5c15-413f-8f63-c0d707471c93 X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-G-Data-MailSecurity-for-Exchange-Guid: 184EE0EE-119D-4640-A881-F2F30A986D91 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Gilad Ben-Yossef ah6 input processing uses the asynchronous hash crypto API which supplies an error code as part of the operation completion but the error code was being ignored. Treat a crypto API error indication as a verification failure. While a crypto API reported error would almost certainly result in a memcpy of the digest failing anyway and thus the security risk seems minor, performing a memory compare on what might be uninitialized memory is wrong. Signed-off-by: Gilad Ben-Yossef Signed-off-by: Steffen Klassert --- net/ipv6/ah6.c | 3 +++ 1 file changed, 3 insertions(+) -- 1.9.1 diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index 189eb10..dda6035 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c @@ -474,6 +474,9 @@ static void ah6_input_done(struct crypto_async_request *base, int err) int hdr_len = skb_network_header_len(skb); int ah_hlen = (ah->hdrlen + 2) << 2; + if (err) + goto out; + work_iph = AH_SKB_CB(skb)->tmp; auth_data = ah_tmp_auth(work_iph, hdr_len); icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);