salsa20 - fix blkcipher_walk API usage in kernel-crypto CVE-2017-17805

Tracked by Jolla (Rejected)

asked 2018-01-22 09:18:41 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2018-01-22 09:18:41 +0200

lpr gravatar image

The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable. 7.8high (attack range: local)

Patch is available and equal to kernel-3.2 backport.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/crypto/salsa20_generic.c lines 188-200

So the patch should look like:

@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc,

salsa20_ivsetup(ctx, walk.iv);

-   if (likely(walk.nbytes == nbytes))
-   {
-       salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
-                     walk.src.virt.addr, nbytes);
-       return blkcipher_walk_done(desc, &walk, 0);
-   }
-
while (walk.nbytes >= 64) {
    salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
                  walk.src.virt.addr,
edit retag flag offensive close delete