• Stephan Mueller's avatar
    crypto: aesni - fix memory usage in GCM decryption · b90935f1
    Stephan Mueller authored
    commit ccfe8c3f upstream.
    
    The kernel crypto API logic requires the caller to provide the
    length of (ciphertext || authentication tag) as cryptlen for the
    AEAD decryption operation. Thus, the cipher implementation must
    calculate the size of the plaintext output itself and cannot simply use
    cryptlen.
    
    The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
    in req->dst. As the destination buffer for decryption only needs to hold
    the plaintext memory but cryptlen references the input buffer holding
    (ciphertext || authentication tag), the assumption of the destination
    buffer length in RFC4106 GCM operation leads to a too large size. This
    patch simply uses the already calculated plaintext size.
    
    In addition, this patch fixes the offset calculation of the AAD buffer
    pointer: as mentioned before, cryptlen already includes the size of the
    tag. Thus, the tag does not need to be added. With the addition, the AAD
    will be written beyond the already allocated buffer.
    
    Note, this fixes a kernel crash that can be triggered from user space
    via AF_ALG(aead) -- simply use the libkcapi test application
    from [1] and update it to use rfc4106-gcm-aes.
    
    Using [1], the changes were tested using CAVS vectors to demonstrate
    that the crypto operation still delivers the right results.
    
    [1] http://www.chronox.de/libkcapi.html
    
    CC: Tadeusz Struk <tadeusz.struk@intel.com>
    Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    b90935f1
aesni-intel_glue.c 43.8 KB