2019-05-27 14:55:01 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2010-10-19 21:23:00 +08:00
|
|
|
/*
|
|
|
|
* algif_hash: User-space interface for hash algorithms
|
|
|
|
*
|
|
|
|
* This file provides the user-space API for hash algorithms.
|
|
|
|
*
|
|
|
|
* Copyright (c) 2010 Herbert Xu <herbert@gondor.apana.org.au>
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <crypto/hash.h>
|
|
|
|
#include <crypto/if_alg.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/net.h>
|
|
|
|
#include <net/sock.h>
|
|
|
|
|
|
|
|
struct hash_ctx {
|
|
|
|
struct af_alg_sgl sgl;
|
|
|
|
|
|
|
|
u8 *result;
|
|
|
|
|
2017-10-18 15:00:39 +08:00
|
|
|
struct crypto_wait wait;
|
2010-10-19 21:23:00 +08:00
|
|
|
|
|
|
|
unsigned int len;
|
|
|
|
bool more;
|
|
|
|
|
|
|
|
struct ahash_request req;
|
|
|
|
};
|
|
|
|
|
2016-09-01 17:16:44 +08:00
|
|
|
static int hash_alloc_result(struct sock *sk, struct hash_ctx *ctx)
|
|
|
|
{
|
|
|
|
unsigned ds;
|
|
|
|
|
|
|
|
if (ctx->result)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ds = crypto_ahash_digestsize(crypto_ahash_reqtfm(&ctx->req));
|
|
|
|
|
|
|
|
ctx->result = sock_kmalloc(sk, ds, GFP_KERNEL);
|
|
|
|
if (!ctx->result)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
memset(ctx->result, 0, ds);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void hash_free_result(struct sock *sk, struct hash_ctx *ctx)
|
|
|
|
{
|
|
|
|
unsigned ds;
|
|
|
|
|
|
|
|
if (!ctx->result)
|
|
|
|
return;
|
|
|
|
|
|
|
|
ds = crypto_ahash_digestsize(crypto_ahash_reqtfm(&ctx->req));
|
|
|
|
|
|
|
|
sock_kzfree_s(sk, ctx->result, ds);
|
|
|
|
ctx->result = NULL;
|
|
|
|
}
|
|
|
|
|
2015-03-02 15:37:48 +08:00
|
|
|
static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
|
|
|
|
size_t ignored)
|
2010-10-19 21:23:00 +08:00
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct alg_sock *ask = alg_sk(sk);
|
|
|
|
struct hash_ctx *ctx = ask->private;
|
2023-06-06 21:08:56 +08:00
|
|
|
ssize_t copied = 0;
|
|
|
|
size_t len, max_pages, npages;
|
2023-07-07 17:12:38 +08:00
|
|
|
bool continuing, need_init = false;
|
2010-10-19 21:23:00 +08:00
|
|
|
int err;
|
|
|
|
|
2023-06-06 21:08:56 +08:00
|
|
|
max_pages = min_t(size_t, ALG_MAX_PAGES,
|
|
|
|
DIV_ROUND_UP(sk->sk_sndbuf, PAGE_SIZE));
|
2010-10-19 21:23:00 +08:00
|
|
|
|
|
|
|
lock_sock(sk);
|
2023-07-07 17:12:38 +08:00
|
|
|
continuing = ctx->more;
|
|
|
|
|
2023-06-06 21:08:56 +08:00
|
|
|
if (!continuing) {
|
2023-06-16 19:10:32 +08:00
|
|
|
/* Discard a previous request that wasn't marked MSG_MORE. */
|
|
|
|
hash_free_result(sk, ctx);
|
|
|
|
if (!msg_data_left(msg))
|
|
|
|
goto done; /* Zero-length; don't start new req */
|
2023-06-06 21:08:56 +08:00
|
|
|
need_init = true;
|
2023-06-16 19:10:32 +08:00
|
|
|
} else if (!msg_data_left(msg)) {
|
|
|
|
/*
|
|
|
|
* No data - finalise the prev req if MSG_MORE so any error
|
|
|
|
* comes out here.
|
|
|
|
*/
|
|
|
|
if (!(msg->msg_flags & MSG_MORE)) {
|
|
|
|
err = hash_alloc_result(sk, ctx);
|
|
|
|
if (err)
|
|
|
|
goto unlock_free;
|
|
|
|
ahash_request_set_crypt(&ctx->req, NULL,
|
|
|
|
ctx->result, 0);
|
|
|
|
err = crypto_wait_req(crypto_ahash_final(&ctx->req),
|
|
|
|
&ctx->wait);
|
|
|
|
if (err)
|
|
|
|
goto unlock_free;
|
|
|
|
}
|
|
|
|
goto done_more;
|
2010-10-19 21:23:00 +08:00
|
|
|
}
|
|
|
|
|
2014-12-16 10:39:31 +08:00
|
|
|
while (msg_data_left(msg)) {
|
2023-06-06 21:08:52 +08:00
|
|
|
ctx->sgl.sgt.sgl = ctx->sgl.sgl;
|
|
|
|
ctx->sgl.sgt.nents = 0;
|
|
|
|
ctx->sgl.sgt.orig_nents = 0;
|
|
|
|
|
2023-06-06 21:08:56 +08:00
|
|
|
err = -EIO;
|
|
|
|
npages = iov_iter_npages(&msg->msg_iter, max_pages);
|
|
|
|
if (npages == 0)
|
|
|
|
goto unlock_free;
|
|
|
|
|
|
|
|
sg_init_table(ctx->sgl.sgl, npages);
|
2023-06-06 21:08:52 +08:00
|
|
|
|
|
|
|
ctx->sgl.need_unpin = iov_iter_extract_will_pin(&msg->msg_iter);
|
2010-10-19 21:23:00 +08:00
|
|
|
|
2023-06-06 21:08:56 +08:00
|
|
|
err = extract_iter_to_sg(&msg->msg_iter, LONG_MAX,
|
|
|
|
&ctx->sgl.sgt, npages, 0);
|
|
|
|
if (err < 0)
|
|
|
|
goto unlock_free;
|
|
|
|
len = err;
|
|
|
|
sg_mark_end(ctx->sgl.sgt.sgl + ctx->sgl.sgt.nents - 1);
|
|
|
|
|
|
|
|
if (!msg_data_left(msg)) {
|
|
|
|
err = hash_alloc_result(sk, ctx);
|
|
|
|
if (err)
|
|
|
|
goto unlock_free;
|
2022-06-09 23:14:04 +08:00
|
|
|
}
|
2010-10-19 21:23:00 +08:00
|
|
|
|
2023-06-06 21:08:56 +08:00
|
|
|
ahash_request_set_crypt(&ctx->req, ctx->sgl.sgt.sgl,
|
|
|
|
ctx->result, len);
|
|
|
|
|
|
|
|
if (!msg_data_left(msg) && !continuing &&
|
|
|
|
!(msg->msg_flags & MSG_MORE)) {
|
|
|
|
err = crypto_ahash_digest(&ctx->req);
|
|
|
|
} else {
|
|
|
|
if (need_init) {
|
|
|
|
err = crypto_wait_req(
|
|
|
|
crypto_ahash_init(&ctx->req),
|
|
|
|
&ctx->wait);
|
|
|
|
if (err)
|
|
|
|
goto unlock_free;
|
|
|
|
need_init = false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (msg_data_left(msg) || (msg->msg_flags & MSG_MORE))
|
|
|
|
err = crypto_ahash_update(&ctx->req);
|
|
|
|
else
|
|
|
|
err = crypto_ahash_finup(&ctx->req);
|
|
|
|
continuing = true;
|
|
|
|
}
|
2010-10-19 21:23:00 +08:00
|
|
|
|
2023-06-06 21:08:56 +08:00
|
|
|
err = crypto_wait_req(err, &ctx->wait);
|
2016-09-01 17:16:44 +08:00
|
|
|
if (err)
|
2023-06-06 21:08:56 +08:00
|
|
|
goto unlock_free;
|
2016-09-01 17:16:44 +08:00
|
|
|
|
2023-06-06 21:08:56 +08:00
|
|
|
copied += len;
|
|
|
|
af_alg_free_sg(&ctx->sgl);
|
2010-10-19 21:23:00 +08:00
|
|
|
}
|
|
|
|
|
2023-06-16 19:10:32 +08:00
|
|
|
done_more:
|
2023-06-06 21:08:56 +08:00
|
|
|
ctx->more = msg->msg_flags & MSG_MORE;
|
2023-06-16 19:10:32 +08:00
|
|
|
done:
|
2023-06-06 21:08:56 +08:00
|
|
|
err = 0;
|
2010-10-19 21:23:00 +08:00
|
|
|
unlock:
|
|
|
|
release_sock(sk);
|
2023-06-06 21:08:56 +08:00
|
|
|
return copied ?: err;
|
2010-10-19 21:23:00 +08:00
|
|
|
|
2023-06-06 21:08:56 +08:00
|
|
|
unlock_free:
|
|
|
|
af_alg_free_sg(&ctx->sgl);
|
2023-06-16 19:10:32 +08:00
|
|
|
hash_free_result(sk, ctx);
|
|
|
|
ctx->more = false;
|
2023-06-06 21:08:56 +08:00
|
|
|
goto unlock;
|
2010-10-19 21:23:00 +08:00
|
|
|
}
|
|
|
|
|
2015-03-02 15:37:48 +08:00
|
|
|
static int hash_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
|
|
|
|
int flags)
|
2010-10-19 21:23:00 +08:00
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct alg_sock *ask = alg_sk(sk);
|
|
|
|
struct hash_ctx *ctx = ask->private;
|
|
|
|
unsigned ds = crypto_ahash_digestsize(crypto_ahash_reqtfm(&ctx->req));
|
2016-09-01 17:16:44 +08:00
|
|
|
bool result;
|
2010-10-19 21:23:00 +08:00
|
|
|
int err;
|
|
|
|
|
|
|
|
if (len > ds)
|
|
|
|
len = ds;
|
|
|
|
else if (len < ds)
|
|
|
|
msg->msg_flags |= MSG_TRUNC;
|
|
|
|
|
|
|
|
lock_sock(sk);
|
2016-09-01 17:16:44 +08:00
|
|
|
result = ctx->result;
|
|
|
|
err = hash_alloc_result(sk, ctx);
|
|
|
|
if (err)
|
|
|
|
goto unlock;
|
|
|
|
|
|
|
|
ahash_request_set_crypt(&ctx->req, NULL, ctx->result, 0);
|
|
|
|
|
2016-11-21 15:34:00 +08:00
|
|
|
if (!result && !ctx->more) {
|
2017-10-18 15:00:39 +08:00
|
|
|
err = crypto_wait_req(crypto_ahash_init(&ctx->req),
|
|
|
|
&ctx->wait);
|
2016-11-17 22:07:58 +08:00
|
|
|
if (err)
|
|
|
|
goto unlock;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!result || ctx->more) {
|
2020-03-20 19:36:31 +08:00
|
|
|
ctx->more = false;
|
2017-10-18 15:00:39 +08:00
|
|
|
err = crypto_wait_req(crypto_ahash_final(&ctx->req),
|
|
|
|
&ctx->wait);
|
2010-10-19 21:23:00 +08:00
|
|
|
if (err)
|
|
|
|
goto unlock;
|
|
|
|
}
|
|
|
|
|
2014-04-07 09:51:23 +08:00
|
|
|
err = memcpy_to_msg(msg, ctx->result, len);
|
2010-10-19 21:23:00 +08:00
|
|
|
|
|
|
|
unlock:
|
2016-11-17 22:07:58 +08:00
|
|
|
hash_free_result(sk, ctx);
|
2010-10-19 21:23:00 +08:00
|
|
|
release_sock(sk);
|
|
|
|
|
|
|
|
return err ?: len;
|
|
|
|
}
|
|
|
|
|
2017-03-09 16:09:05 +08:00
|
|
|
static int hash_accept(struct socket *sock, struct socket *newsock, int flags,
|
|
|
|
bool kern)
|
2010-10-19 21:23:00 +08:00
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct alg_sock *ask = alg_sk(sk);
|
|
|
|
struct hash_ctx *ctx = ask->private;
|
|
|
|
struct ahash_request *req = &ctx->req;
|
2023-03-28 11:54:24 +08:00
|
|
|
struct crypto_ahash *tfm;
|
2010-10-19 21:23:00 +08:00
|
|
|
struct sock *sk2;
|
|
|
|
struct alg_sock *ask2;
|
|
|
|
struct hash_ctx *ctx2;
|
2023-03-28 11:54:24 +08:00
|
|
|
char *state;
|
2015-11-01 17:11:19 +08:00
|
|
|
bool more;
|
2010-10-19 21:23:00 +08:00
|
|
|
int err;
|
|
|
|
|
2023-03-28 11:54:24 +08:00
|
|
|
tfm = crypto_ahash_reqtfm(req);
|
|
|
|
state = kmalloc(crypto_ahash_statesize(tfm), GFP_KERNEL);
|
|
|
|
err = -ENOMEM;
|
|
|
|
if (!state)
|
|
|
|
goto out;
|
|
|
|
|
2015-11-01 17:11:19 +08:00
|
|
|
lock_sock(sk);
|
|
|
|
more = ctx->more;
|
|
|
|
err = more ? crypto_ahash_export(req, state) : 0;
|
|
|
|
release_sock(sk);
|
|
|
|
|
2010-10-19 21:23:00 +08:00
|
|
|
if (err)
|
2023-03-28 11:54:24 +08:00
|
|
|
goto out_free_state;
|
2010-10-19 21:23:00 +08:00
|
|
|
|
2017-03-09 16:09:05 +08:00
|
|
|
err = af_alg_accept(ask->parent, newsock, kern);
|
2010-10-19 21:23:00 +08:00
|
|
|
if (err)
|
2023-03-28 11:54:24 +08:00
|
|
|
goto out_free_state;
|
2010-10-19 21:23:00 +08:00
|
|
|
|
|
|
|
sk2 = newsock->sk;
|
|
|
|
ask2 = alg_sk(sk2);
|
|
|
|
ctx2 = ask2->private;
|
2015-11-01 17:11:19 +08:00
|
|
|
ctx2->more = more;
|
|
|
|
|
|
|
|
if (!more)
|
2023-03-28 11:54:24 +08:00
|
|
|
goto out_free_state;
|
2010-10-19 21:23:00 +08:00
|
|
|
|
|
|
|
err = crypto_ahash_import(&ctx2->req, state);
|
|
|
|
if (err) {
|
|
|
|
sock_orphan(sk2);
|
|
|
|
sock_put(sk2);
|
|
|
|
}
|
|
|
|
|
2023-03-28 11:54:24 +08:00
|
|
|
out_free_state:
|
|
|
|
kfree_sensitive(state);
|
|
|
|
|
|
|
|
out:
|
2010-10-19 21:23:00 +08:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct proto_ops algif_hash_ops = {
|
|
|
|
.family = PF_ALG,
|
|
|
|
|
|
|
|
.connect = sock_no_connect,
|
|
|
|
.socketpair = sock_no_socketpair,
|
|
|
|
.getname = sock_no_getname,
|
|
|
|
.ioctl = sock_no_ioctl,
|
|
|
|
.listen = sock_no_listen,
|
|
|
|
.shutdown = sock_no_shutdown,
|
|
|
|
.mmap = sock_no_mmap,
|
|
|
|
.bind = sock_no_bind,
|
|
|
|
|
|
|
|
.release = af_alg_release,
|
|
|
|
.sendmsg = hash_sendmsg,
|
|
|
|
.recvmsg = hash_recvmsg,
|
|
|
|
.accept = hash_accept,
|
|
|
|
};
|
|
|
|
|
2016-01-08 21:31:04 +08:00
|
|
|
static int hash_check_key(struct socket *sock)
|
|
|
|
{
|
2016-01-15 22:01:08 +08:00
|
|
|
int err = 0;
|
2016-01-08 21:31:04 +08:00
|
|
|
struct sock *psk;
|
|
|
|
struct alg_sock *pask;
|
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-04 03:16:27 +08:00
|
|
|
struct crypto_ahash *tfm;
|
2016-01-08 21:31:04 +08:00
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct alg_sock *ask = alg_sk(sk);
|
|
|
|
|
2016-01-15 22:01:08 +08:00
|
|
|
lock_sock(sk);
|
2020-06-08 14:48:43 +08:00
|
|
|
if (!atomic_read(&ask->nokey_refcnt))
|
2016-01-15 22:01:08 +08:00
|
|
|
goto unlock_child;
|
2016-01-08 21:31:04 +08:00
|
|
|
|
|
|
|
psk = ask->parent;
|
|
|
|
pask = alg_sk(ask->parent);
|
|
|
|
tfm = pask->private;
|
|
|
|
|
|
|
|
err = -ENOKEY;
|
2016-01-15 22:01:08 +08:00
|
|
|
lock_sock_nested(psk, SINGLE_DEPTH_NESTING);
|
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-04 03:16:27 +08:00
|
|
|
if (crypto_ahash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
|
2016-01-08 21:31:04 +08:00
|
|
|
goto unlock;
|
|
|
|
|
2020-06-08 14:48:43 +08:00
|
|
|
atomic_dec(&pask->nokey_refcnt);
|
|
|
|
atomic_set(&ask->nokey_refcnt, 0);
|
2016-01-08 21:31:04 +08:00
|
|
|
|
|
|
|
err = 0;
|
|
|
|
|
|
|
|
unlock:
|
|
|
|
release_sock(psk);
|
2016-01-15 22:01:08 +08:00
|
|
|
unlock_child:
|
|
|
|
release_sock(sk);
|
2016-01-08 21:31:04 +08:00
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int hash_sendmsg_nokey(struct socket *sock, struct msghdr *msg,
|
|
|
|
size_t size)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = hash_check_key(sock);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
return hash_sendmsg(sock, msg, size);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int hash_recvmsg_nokey(struct socket *sock, struct msghdr *msg,
|
|
|
|
size_t ignored, int flags)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = hash_check_key(sock);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
return hash_recvmsg(sock, msg, ignored, flags);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int hash_accept_nokey(struct socket *sock, struct socket *newsock,
|
2017-03-09 16:09:05 +08:00
|
|
|
int flags, bool kern)
|
2016-01-08 21:31:04 +08:00
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = hash_check_key(sock);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
2017-03-09 16:09:05 +08:00
|
|
|
return hash_accept(sock, newsock, flags, kern);
|
2016-01-08 21:31:04 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct proto_ops algif_hash_ops_nokey = {
|
|
|
|
.family = PF_ALG,
|
|
|
|
|
|
|
|
.connect = sock_no_connect,
|
|
|
|
.socketpair = sock_no_socketpair,
|
|
|
|
.getname = sock_no_getname,
|
|
|
|
.ioctl = sock_no_ioctl,
|
|
|
|
.listen = sock_no_listen,
|
|
|
|
.shutdown = sock_no_shutdown,
|
|
|
|
.mmap = sock_no_mmap,
|
|
|
|
.bind = sock_no_bind,
|
|
|
|
|
|
|
|
.release = af_alg_release,
|
|
|
|
.sendmsg = hash_sendmsg_nokey,
|
|
|
|
.recvmsg = hash_recvmsg_nokey,
|
|
|
|
.accept = hash_accept_nokey,
|
|
|
|
};
|
|
|
|
|
2010-10-19 21:23:00 +08:00
|
|
|
static void *hash_bind(const char *name, u32 type, u32 mask)
|
|
|
|
{
|
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-04 03:16:27 +08:00
|
|
|
return crypto_alloc_ahash(name, type, mask);
|
2010-10-19 21:23:00 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void hash_release(void *private)
|
|
|
|
{
|
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-04 03:16:27 +08:00
|
|
|
crypto_free_ahash(private);
|
2010-10-19 21:23:00 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int hash_setkey(void *private, const u8 *key, unsigned int keylen)
|
|
|
|
{
|
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-04 03:16:27 +08:00
|
|
|
return crypto_ahash_setkey(private, key, keylen);
|
2010-10-19 21:23:00 +08:00
|
|
|
}
|
|
|
|
|
2016-01-13 15:00:36 +08:00
|
|
|
static void hash_sock_destruct(struct sock *sk)
|
2010-10-19 21:23:00 +08:00
|
|
|
{
|
|
|
|
struct alg_sock *ask = alg_sk(sk);
|
|
|
|
struct hash_ctx *ctx = ask->private;
|
|
|
|
|
2016-09-01 17:16:44 +08:00
|
|
|
hash_free_result(sk, ctx);
|
2010-10-19 21:23:00 +08:00
|
|
|
sock_kfree_s(sk, ctx, ctx->len);
|
2016-01-08 21:31:04 +08:00
|
|
|
af_alg_release_parent(sk);
|
|
|
|
}
|
|
|
|
|
2016-01-13 15:00:36 +08:00
|
|
|
static int hash_accept_parent_nokey(void *private, struct sock *sk)
|
2010-10-19 21:23:00 +08:00
|
|
|
{
|
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-04 03:16:27 +08:00
|
|
|
struct crypto_ahash *tfm = private;
|
2010-10-19 21:23:00 +08:00
|
|
|
struct alg_sock *ask = alg_sk(sk);
|
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-04 03:16:27 +08:00
|
|
|
struct hash_ctx *ctx;
|
|
|
|
unsigned int len = sizeof(*ctx) + crypto_ahash_reqsize(tfm);
|
2010-10-19 21:23:00 +08:00
|
|
|
|
|
|
|
ctx = sock_kmalloc(sk, len, GFP_KERNEL);
|
|
|
|
if (!ctx)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2016-09-01 17:16:44 +08:00
|
|
|
ctx->result = NULL;
|
2010-10-19 21:23:00 +08:00
|
|
|
ctx->len = len;
|
2020-03-20 19:36:31 +08:00
|
|
|
ctx->more = false;
|
2017-10-18 15:00:39 +08:00
|
|
|
crypto_init_wait(&ctx->wait);
|
2010-10-19 21:23:00 +08:00
|
|
|
|
|
|
|
ask->private = ctx;
|
|
|
|
|
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-04 03:16:27 +08:00
|
|
|
ahash_request_set_tfm(&ctx->req, tfm);
|
2010-10-19 21:23:00 +08:00
|
|
|
ahash_request_set_callback(&ctx->req, CRYPTO_TFM_REQ_MAY_BACKLOG,
|
2017-10-18 15:00:39 +08:00
|
|
|
crypto_req_done, &ctx->wait);
|
2010-10-19 21:23:00 +08:00
|
|
|
|
|
|
|
sk->sk_destruct = hash_sock_destruct;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-01-08 21:31:04 +08:00
|
|
|
static int hash_accept_parent(void *private, struct sock *sk)
|
|
|
|
{
|
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-04 03:16:27 +08:00
|
|
|
struct crypto_ahash *tfm = private;
|
2016-01-08 21:31:04 +08:00
|
|
|
|
crypto: hash - prevent using keyed hashes without setting key
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-04 03:16:27 +08:00
|
|
|
if (crypto_ahash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
|
2016-01-08 21:31:04 +08:00
|
|
|
return -ENOKEY;
|
|
|
|
|
2016-01-13 15:00:36 +08:00
|
|
|
return hash_accept_parent_nokey(private, sk);
|
2016-01-08 21:31:04 +08:00
|
|
|
}
|
|
|
|
|
2010-10-19 21:23:00 +08:00
|
|
|
static const struct af_alg_type algif_type_hash = {
|
|
|
|
.bind = hash_bind,
|
|
|
|
.release = hash_release,
|
|
|
|
.setkey = hash_setkey,
|
|
|
|
.accept = hash_accept_parent,
|
2016-01-08 21:31:04 +08:00
|
|
|
.accept_nokey = hash_accept_parent_nokey,
|
2010-10-19 21:23:00 +08:00
|
|
|
.ops = &algif_hash_ops,
|
2016-01-08 21:31:04 +08:00
|
|
|
.ops_nokey = &algif_hash_ops_nokey,
|
2010-10-19 21:23:00 +08:00
|
|
|
.name = "hash",
|
|
|
|
.owner = THIS_MODULE
|
|
|
|
};
|
|
|
|
|
|
|
|
static int __init algif_hash_init(void)
|
|
|
|
{
|
|
|
|
return af_alg_register_type(&algif_type_hash);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit algif_hash_exit(void)
|
|
|
|
{
|
|
|
|
int err = af_alg_unregister_type(&algif_type_hash);
|
|
|
|
BUG_ON(err);
|
|
|
|
}
|
|
|
|
|
|
|
|
module_init(algif_hash_init);
|
|
|
|
module_exit(algif_hash_exit);
|
|
|
|
MODULE_LICENSE("GPL");
|