diff --git a/debian/changelog b/debian/changelog index 0cd356096..7aea59ce7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -506,6 +506,7 @@ linux (4.14.7-1) UNRELEASED; urgency=medium * Add ABI reference for 4.14.0-1 * xen/time: do not decrease steal time after live migration on xen (Closes: #871608) + * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805) [ Vagrant Cascadian ] * [armhf, arm64] Backport patches from 4.15.x to support dwmac-sun8i. diff --git a/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch b/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch new file mode 100644 index 000000000..4418d7f77 --- /dev/null +++ b/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch @@ -0,0 +1,91 @@ +From: Eric Biggers +Date: Tue, 28 Nov 2017 20:56:59 -0800 +Subject: crypto: salsa20 - fix blkcipher_walk API usage +Origin: https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17805 + +When asked to encrypt or decrypt 0 bytes, both the generic and x86 +implementations of Salsa20 crash in blkcipher_walk_done(), either when +doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)', +because walk->buffer and walk->page have not been initialized. + +The bug is that Salsa20 is calling blkcipher_walk_done() even when +nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to +be called when a nonzero number of bytes have been provided. + +The broken code is part of an optimization that tries to make only one +call to salsa20_encrypt_bytes() to process inputs that are not evenly +divisible by 64 bytes. To fix the bug, just remove this "optimization" +and use the blkcipher_walk API the same way all the other users do. + +Reproducer: + + #include + #include + #include + + int main() + { + int algfd, reqfd; + struct sockaddr_alg addr = { + .salg_type = "skcipher", + .salg_name = "salsa20", + }; + char key[16] = { 0 }; + + algfd = socket(AF_ALG, SOCK_SEQPACKET, 0); + bind(algfd, (void *)&addr, sizeof(addr)); + reqfd = accept(algfd, 0, 0); + setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key)); + read(reqfd, key, sizeof(key)); + } + +Reported-by: syzbot +Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing") +Cc: # v2.6.25+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +--- + arch/x86/crypto/salsa20_glue.c | 7 ------- + crypto/salsa20_generic.c | 7 ------- + 2 files changed, 14 deletions(-) + +diff --git a/arch/x86/crypto/salsa20_glue.c b/arch/x86/crypto/salsa20_glue.c +index 399a29d067d6..cb91a64a99e7 100644 +--- a/arch/x86/crypto/salsa20_glue.c ++++ b/arch/x86/crypto/salsa20_glue.c +@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc *desc, + + salsa20_ivsetup(ctx, walk.iv); + +- if (likely(walk.nbytes == nbytes)) +- { +- salsa20_encrypt_bytes(ctx, walk.src.virt.addr, +- walk.dst.virt.addr, nbytes); +- return blkcipher_walk_done(desc, &walk, 0); +- } +- + while (walk.nbytes >= 64) { + salsa20_encrypt_bytes(ctx, walk.src.virt.addr, + walk.dst.virt.addr, +diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c +index f550b5d94630..d7da0eea5622 100644 +--- a/crypto/salsa20_generic.c ++++ b/crypto/salsa20_generic.c +@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc, + + salsa20_ivsetup(ctx, walk.iv); + +- if (likely(walk.nbytes == nbytes)) +- { +- salsa20_encrypt_bytes(ctx, walk.dst.virt.addr, +- walk.src.virt.addr, nbytes); +- return blkcipher_walk_done(desc, &walk, 0); +- } +- + while (walk.nbytes >= 64) { + salsa20_encrypt_bytes(ctx, walk.dst.virt.addr, + walk.src.virt.addr, +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index 2becbc1bb..de71383b3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -127,6 +127,7 @@ bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch +bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch