[Devel] [PATCH RHEL8] crypto: user - fix leaking uninitialized memory to userspace
Vasily Averin
vvs at virtuozzo.com
Wed Apr 22 08:18:39 MSK 2020
I think we should not spend time on such bugs -- they will go away after the rebase onto the latest RHEL8 kernel:
https://git.centos.org/rpms/kernel/blob/c8/f/SPECS/kernel.spec
* Wed Apr 10 2019 Herton R. Krzesinski <herton at redhat.com> [4.18.0-80.13.el8]
[crypto] crypto: user - fix leaking uninitialized memory to userspace (Herbert Xu) [1657880] {CVE-2018-19854}
On 4/21/20 8:12 PM, Valeriy Vdovin wrote:
> All bytes of the NETLINK_CRYPTO report structures must be initialized,
> since they are copied to userspace. The change from strncpy() to
> strlcpy() broke this. As a minimal fix, change it back.
>
> Fixes: 4473710df1f8 ("crypto: user - Prepare for CRYPTO_MAX_ALG_NAME expansion")
> Cc: <stable at vger.kernel.org> # v4.12+
> Signed-off-by: Eric Biggers <ebiggers at google.com>
> Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
> (cherry-picked from f43f39958beb206b53292801e216d9b8a660f087
> due to https://jira.sw.ru/browse/PSBM-103298)
>
> Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
> ---
> crypto/crypto_user.c | 18 +++++++++---------
> 1 file changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
> index 0e89b54..ceeb2ea 100644
> --- a/crypto/crypto_user.c
> +++ b/crypto/crypto_user.c
> @@ -83,7 +83,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg)
> {
> struct crypto_report_cipher rcipher;
>
> - strlcpy(rcipher.type, "cipher", sizeof(rcipher.type));
> + strncpy(rcipher.type, "cipher", sizeof(rcipher.type));
>
> rcipher.blocksize = alg->cra_blocksize;
> rcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
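Review bot: The zero-fill of `rcipher.type` now depends on strncpy() padding the tail of the destination, which nothing at the call site states, and the commit message shows that a strlcpy() conversion already removed it once. A comment above the copy such as `/* strncpy() zero-pads type[]; the whole struct is copied to userspace by nla_put() */` would protect it. Alternatively the guarantee could be made explicit with `memset(&rcipher, 0, sizeof(rcipher));` before the fields are filled, which would also cover any padding or member the function does not assign. The same applies to the crypto_report_comp, crypto_report_acomp, crypto_report_akcipher and crypto_report_kpp hunks and to the larval report in crypto_report_one. The body of crypto_report_cipher continues outside the hunk, so whether every member is assigned cannot be confirmed from here.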
> @@ -102,7 +102,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg)
> {
> struct crypto_report_comp rcomp;
>
> - strlcpy(rcomp.type, "compression", sizeof(rcomp.type));
> + strncpy(rcomp.type, "compression", sizeof(rcomp.type));
> if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
> sizeof(struct crypto_report_comp), &rcomp))
> goto nla_put_failure;
> @@ -116,7 +116,7 @@ static int crypto_report_acomp(struct sk_buff *skb, struct crypto_alg *alg)
> {
> struct crypto_report_acomp racomp;
>
> - strlcpy(racomp.type, "acomp", sizeof(racomp.type));
> + strncpy(racomp.type, "acomp", sizeof(racomp.type));
>
> if (nla_put(skb, CRYPTOCFGA_REPORT_ACOMP,
> sizeof(struct crypto_report_acomp), &racomp))
> @@ -131,7 +131,7 @@ static int crypto_report_akcipher(struct sk_buff *skb, struct crypto_alg *alg)
> {
> struct crypto_report_akcipher rakcipher;
>
> - strlcpy(rakcipher.type, "akcipher", sizeof(rakcipher.type));
> + strncpy(rakcipher.type, "akcipher", sizeof(rakcipher.type));
>
> if (nla_put(skb, CRYPTOCFGA_REPORT_AKCIPHER,
> sizeof(struct crypto_report_akcipher), &rakcipher))
> @@ -146,7 +146,7 @@ static int crypto_report_kpp(struct sk_buff *skb, struct crypto_alg *alg)
> {
> struct crypto_report_kpp rkpp;
>
> - strlcpy(rkpp.type, "kpp", sizeof(rkpp.type));
> + strncpy(rkpp.type, "kpp", sizeof(rkpp.type));
>
> if (nla_put(skb, CRYPTOCFGA_REPORT_KPP,
> sizeof(struct crypto_report_kpp), &rkpp))
> @@ -160,10 +160,10 @@ static int crypto_report_kpp(struct sk_buff *skb, struct crypto_alg *alg)
> static int crypto_report_one(struct crypto_alg *alg,
> struct crypto_user_alg *ualg, struct sk_buff *skb)
> {
> - strlcpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
> - strlcpy(ualg->cru_driver_name, alg->cra_driver_name,
> + strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
> + strncpy(ualg->cru_driver_name, alg->cra_driver_name,
> sizeof(ualg->cru_driver_name));
> - strlcpy(ualg->cru_module_name, module_name(alg->cra_module),
> + strncpy(ualg->cru_module_name, module_name(alg->cra_module),
> sizeof(ualg->cru_module_name));
>
> ualg->cru_type = 0;
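Review bot: strncpy() writes no terminator when the source is at least as long as the destination, so `cru_name`, `cru_driver_name` and `cru_module_name` can reach userspace unterminated if an algorithm, driver or module name fills the whole field. The buffer sizes are not visible in this hunk, but the Fixes: line refers to an expansion of CRYPTO_MAX_ALG_NAME, which suggests the kernel-side names may be longer than the user-visible fields. Keeping the zero padding and forcing the last byte, e.g. `ualg->cru_name[sizeof(ualg->cru_name) - 1] = '\0';` after each of the three copies, would preserve both properties. crypto_report_one continues past the end of the hunk.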
> @@ -176,7 +176,7 @@ static int crypto_report_one(struct crypto_alg *alg,
> if (alg->cra_flags & CRYPTO_ALG_LARVAL) {
> struct crypto_report_larval rl;
>
> - strlcpy(rl.type, "larval", sizeof(rl.type));
> + strncpy(rl.type, "larval", sizeof(rl.type));
> if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL,
> sizeof(struct crypto_report_larval), &rl))
> goto nla_put_failure;
>