From e57121d08c38dabec15cf3e1e2ad46721af30cae Mon Sep 17 00:00:00 2001

From: Eric Biggers <ebiggers@google.com>

Date: Mon, 11 Dec 2017 12:15:17 -0800

Subject: [PATCH] crypto: chacha20poly1305 - validate the digest size

Git-commit: e57121d08c38dabec15cf3e1e2ad46721af30cae

Patch-mainline: v4.15-rc7

References: bsc#1051510

If the rfc7539 template was instantiated with a hash algorithm with

digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest

overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the

subsequent memory, including 'cryptlen'.  This caused a crash during

crypto_skcipher_decrypt().

Fix it by, when instantiating the template, requiring that the

underlying hash algorithm has the digest size expected for Poly1305.

Reproducer: 

    #include <linux/if_alg.h>

    #include <sys/socket.h>

    #include <unistd.h>

    int main()

    {

            int algfd, reqfd;

            struct sockaddr_alg addr = {

                    .salg_type = "aead",

                    .salg_name = "rfc7539(chacha20,sha256)",

            };

            unsigned char buf[32] = { 0 };

            algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);

            bind(algfd, (void *)&addr, sizeof(addr));

            setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));

            reqfd = accept(algfd, 0, 0);

            write(reqfd, buf, 16);

            read(reqfd, buf, 16);

    }

Reported-by: syzbot <syzkaller@googlegroups.com>

Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")

Cc: <stable@vger.kernel.org> # v4.2+

Signed-off-by: Eric Biggers <ebiggers@google.com>

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 crypto/chacha20poly1305.c |    6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/crypto/chacha20poly1305.c

+++ b/crypto/chacha20poly1305.c

@@ -610,6 +610,11 @@ static int chachapoly_create(struct cryp

 						    algt->mask));

 	if (IS_ERR(poly))

 		return PTR_ERR(poly);

+	poly_hash = __crypto_hash_alg_common(poly);

+

+	err = -EINVAL;

+	if (poly_hash->digestsize != POLY1305_DIGEST_SIZE)

+		goto out_put_poly;

 	err = -ENOMEM;

 	inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);

@@ -618,7 +623,6 @@ static int chachapoly_create(struct cryp

 	ctx = aead_instance_ctx(inst);

 	ctx->saltlen = CHACHAPOLY_IV_SIZE - ivsize;

-	poly_hash = __crypto_hash_alg_common(poly);

 	err = crypto_init_ahash_spawn(&ctx->poly, poly_hash,

 				      aead_crypto_instance(inst));

 	if (err)