From patchwork Fri Jan 14 08:19:37 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Biggers <ebiggers@kernel.org>
X-Patchwork-Id: 532261
Return-Path: <stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 01C12C433F5
 for <stable@archiver.kernel.org>; Fri, 14 Jan 2022 08:22:25 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S240484AbiANIWX (ORCPT <rfc822;stable@archiver.kernel.org>);
 Fri, 14 Jan 2022 03:22:23 -0500
Received: from dfw.source.kernel.org ([139.178.84.217]:60024 "EHLO
 dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S239965AbiANIVM (ORCPT
 <rfc822;stable@vger.kernel.org>); Fri, 14 Jan 2022 03:21:12 -0500
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dfw.source.kernel.org (Postfix) with ESMTPS id 0CC0D61E34;
 Fri, 14 Jan 2022 08:21:12 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 44E28C36AED;
 Fri, 14 Jan 2022 08:21:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
 s=k20201202; t=1642148471;
 bh=Y8I8G02qtt+1LJcVr6kJCIIHChwaLeQ0Deg0+o4Caa8=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
 b=mZ4JjzxTCh0Vi1sV81c40V13i0OhsdxV4lUsjAoo4dzwr+ZZA7AtFa/LjnOanKa0U
 6Aw0v21mbmsg83jWnPNsntNj82bzqVDW2Nu7oKFUxfXi+iCBj7UpGyptUpkOIoQq7e
 ZE3c49Gxn4G2mRak6E9pB3jC0FcWkM95wHw+BqJfsSLBRqpkdDY+wQLtV11i0hIoxZ
 aGfFYAzD8sgaSOsAc5OhpPOA9/2tYRATEJf8l5IhWRykOr/w0oTL2Yn5FNuaEZnSMG
 lWg+9nSn5tV5h4qGu4rwUwKSI2lq2oEKc2CzzFRl7C9jiKyasH6a8i6fgwVm+J0ro5
 tha7V8d1vmSiw==
From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: keyrings@vger.kernel.org, Vitaly Chikunov <vt@altlinux.org>,
 Denis Kenzior <denkenz@gmail.com>, stable@vger.kernel.org
Subject: [PATCH 1/3] crypto: rsa-pkcs1pad - correctly get hash from source
 scatterlist
Date: Fri, 14 Jan 2022 00:19:37 -0800
Message-Id: <20220114081939.218416-2-ebiggers@kernel.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220114081939.218416-1-ebiggers@kernel.org>
References: <20220114081939.218416-1-ebiggers@kernel.org>
MIME-Version: 1.0
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Eric Biggers <ebiggers@google.com>

Commit c7381b012872 ("crypto: akcipher - new verify API for public key
algorithms") changed akcipher_alg::verify to take in both the signature
and the actual hash and do the signature verification, rather than just
return the hash expected by the signature as was the case before.  To do
this, it implemented a hack where the signature and hash are
concatenated with each other in one scatterlist.

Obviously, for this to work correctly, akcipher_alg::verify needs to
correctly extract the two items from the scatterlist it is given.
Unfortunately, it doesn't correctly extract the hash in the case where
the signature is longer than the RSA key size, as it assumes that the
signature's length is equal to the RSA key size.  This causes a prefix
of the hash, or even the entire hash, to be taken from the *signature*.

It is unclear whether the resulting scheme has any useful security
properties.

Fix this by correctly extracting the hash from the scatterlist.

Fixes: c7381b012872 ("crypto: akcipher - new verify API for public key algorithms")
Cc: <stable@vger.kernel.org> # v5.2+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 crypto/rsa-pkcs1pad.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c
index 1b3545781425..7b223adebabf 100644
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -495,7 +495,7 @@ static int pkcs1pad_verify_complete(struct akcipher_request *req, int err)
 			   sg_nents_for_len(req->src,
 					    req->src_len + req->dst_len),
 			   req_ctx->out_buf + ctx->key_size,
-			   req->dst_len, ctx->key_size);
+			   req->dst_len, req->src_len);
 	/* Do the actual verification step. */
 	if (memcmp(req_ctx->out_buf + ctx->key_size, out_buf + pos,
 		   req->dst_len) != 0)

From patchwork Fri Jan 14 08:19:38 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Biggers <ebiggers@kernel.org>
X-Patchwork-Id: 532596
Return-Path: <stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id CAA04C4332F
 for <stable@archiver.kernel.org>; Fri, 14 Jan 2022 08:22:47 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S240231AbiANIWo (ORCPT <rfc822;stable@archiver.kernel.org>);
 Fri, 14 Jan 2022 03:22:44 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50054 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S240269AbiANIV1 (ORCPT
 <rfc822;stable@vger.kernel.org>); Fri, 14 Jan 2022 03:21:27 -0500
Received: from dfw.source.kernel.org (dfw.source.kernel.org
 [IPv6:2604:1380:4641:c500::1])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C11C5C0617A7;
 Fri, 14 Jan 2022 00:21:12 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dfw.source.kernel.org (Postfix) with ESMTPS id 61BB361E37;
 Fri, 14 Jan 2022 08:21:12 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 971C7C36AE9;
 Fri, 14 Jan 2022 08:21:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
 s=k20201202; t=1642148471;
 bh=42/E2d5qp+aGEb3LON47WXAM0iCKqIGuFaGn17hu4ts=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
 b=JwEY2mD2KTqbOdCNrAF+34oRuR7ZeEHeS/ssxh6swbbl2GJscXxJezaxAQOpJbh9J
 3x4uIyVb4YHrVnFeh8wkaKu5qE5MyUq0m90yTEp8pKnfr7d7kv+IV4ZwpLD8ZHnuPS
 v+xhwlpjy/gshT8EQK6DqXqYmfFP5JS4dW+CP7da/TxARNnSU7t/dZoMyf8gshjlU2
 wo+y2dnnQIbpTgv9TqgqAjxdgo+C55QOklM48homFpxz9JdKq7OuHK6QJRQEARV0kj
 zwtlTnolTgK85pyq+x8MxKDvDr0ab8GQ1YZv2lw00hLX7iP5q82CtfMDbcLUzzBh2i
 6PMtXfp96PW6w==
From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: keyrings@vger.kernel.org, Vitaly Chikunov <vt@altlinux.org>,
 Denis Kenzior <denkenz@gmail.com>,
 Tadeusz Struk <tadeusz.struk@linaro.org>, stable@vger.kernel.org
Subject: [PATCH 2/3] crypto: rsa-pkcs1pad - fix buffer overread in
 pkcs1pad_verify_complete()
Date: Fri, 14 Jan 2022 00:19:38 -0800
Message-Id: <20220114081939.218416-3-ebiggers@kernel.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220114081939.218416-1-ebiggers@kernel.org>
References: <20220114081939.218416-1-ebiggers@kernel.org>
MIME-Version: 1.0
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Eric Biggers <ebiggers@google.com>

Before checking whether the expected digest_info is present, we need to
check that there are enough bytes remaining.

Fixes: a49de377e051 ("crypto: Add hash param to pkcs1pad")
Cc: Tadeusz Struk <tadeusz.struk@linaro.org>
Cc: <stable@vger.kernel.org> # v4.6+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 crypto/rsa-pkcs1pad.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c
index 7b223adebabf..6cd24b4b9b9e 100644
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -476,6 +476,8 @@ static int pkcs1pad_verify_complete(struct akcipher_request *req, int err)
 	pos++;
 
 	if (digest_info) {
+		if (digest_info->size > dst_len - pos)
+			goto done;
 		if (crypto_memneq(out_buf + pos, digest_info->data,
 				  digest_info->size))
 			goto done;