[PATCH] keys/encrypted: Fix two crypto-on-the-stack bugs

[Andy Lutomirski]

The driver put a constant buffer of all zeros on the stack and
pointed a scatterlist entry at it in two places.  This doesn't work
with virtual stacks.  Use a static 16-byte buffer of zeros instead.

Cc: sta...@vger.kernel.org # 4.9 only
Reported-by: Eric Biggers <ebigge...@gmail.com>
Signed-off-by: Andy Lutomirski <l...@kernel.org>
---
 security/keys/encrypted-keys/encrypted.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/security/keys/encrypted-keys/encrypted.c 
b/security/keys/encrypted-keys/encrypted.c
index 17a06105ccb6..fab2fb864002 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -46,6 +46,7 @@ static const char key_format_default[] = "default";
 static const char key_format_ecryptfs[] = "ecryptfs";
 static unsigned int ivsize;
 static int blksize;
+static const char zero_pad[16] = {0};
 
 #define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
 #define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
@@ -481,7 +482,6 @@ static int derived_key_encrypt(struct encrypted_key_payload 
*epayload,
        unsigned int encrypted_datalen;
        u8 iv[AES_BLOCK_SIZE];
        unsigned int padlen;
-       char pad[16];
        int ret;
 
        encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
@@ -493,11 +493,10 @@ static int derived_key_encrypt(struct 
encrypted_key_payload *epayload,
                goto out;
        dump_decrypted_data(epayload);
 
-       memset(pad, 0, sizeof pad);
        sg_init_table(sg_in, 2);
        sg_set_buf(&sg_in[0], epayload->decrypted_data,
                   epayload->decrypted_datalen);
-       sg_set_buf(&sg_in[1], pad, padlen);
+       sg_set_buf(&sg_in[1], zero_pad, padlen);
 
        sg_init_table(sg_out, 1);
        sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
@@ -584,7 +583,6 @@ static int derived_key_decrypt(struct encrypted_key_payload 
*epayload,
        struct skcipher_request *req;
        unsigned int encrypted_datalen;
        u8 iv[AES_BLOCK_SIZE];
-       char pad[16];
        int ret;
 
        encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
@@ -594,13 +592,12 @@ static int derived_key_decrypt(struct 
encrypted_key_payload *epayload,
                goto out;
        dump_encrypted_data(epayload, encrypted_datalen);
 
-       memset(pad, 0, sizeof pad);
        sg_init_table(sg_in, 1);
        sg_init_table(sg_out, 2);
        sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen);
        sg_set_buf(&sg_out[0], epayload->decrypted_data,
                   epayload->decrypted_datalen);
-       sg_set_buf(&sg_out[1], pad, sizeof pad);
+       sg_set_buf(&sg_out[1], zero_pad, sizeof zero_pad);
 
        memcpy(iv, epayload->iv, sizeof(iv));
        skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
-- 
2.9.3

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html