• Eric Biggers's avatar
    crypto: hash - prevent using keyed hashes without setting key · 9fa68f62
    Eric Biggers authored
    Currently, almost none of the keyed hash algorithms check whether a key
    has been set before proceeding.  Some algorithms are okay with this and
    will effectively just use a key of all 0's or some other bogus default.
    However, others will severely break, as demonstrated using
    "hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
    via a (potentially exploitable) stack buffer overflow.
    
    A while ago, this problem was solved for AF_ALG by pairing each hash
    transform with a 'has_key' bool.  However, there are still other places
    in the kernel where userspace can specify an arbitrary hash algorithm by
    name, and the kernel uses it as unkeyed hash without checking whether it
    is really unkeyed.  Examples of this include:
    
        - KEYCTL_DH_COMPUTE, via the KDF extension
        - dm-verity
        - dm-crypt, via the ESSIV support
        - dm-integrity, via the "internal hash" mode with no key given
        - drbd (Distributed Replicated Block Device)
    
    This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
    privileges to call.
    
    Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
    ->crt_flags of each hash transform that indicates whether the transform
    still needs to be keyed or not.  Then, make the hash init, import, and
    digest functions return -ENOKEY if the key is still needed.
    
    The new flag also replaces the 'has_key' bool which algif_hash was
    previously using, thereby simplifying the algif_hash implementation.
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    9fa68f62
shash.c 14.6 KB