The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=abd116de1d42489c641adadca515fcfc76000904
commit abd116de1d42489c641adadca515fcfc76000904 Author: Mark Johnston <[email protected]> AuthorDate: 2021-05-11 21:36:12 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2021-05-14 13:58:54 +0000 cryptodev: Fix some input validation bugs - When we do not have a separate IV, make sure that the IV length specified by the session is not larger than the payload size. - Disallow AEAD requests without a separate IV. crp_sanity() asserts that CRYPTO_F_IV_SEPARATE is set for AEAD requests, and some (but not all) drivers require it. - Return EINVAL for AEAD requests if an IV is specified but the transform does not expect one. Reported by: [email protected] Reported by: [email protected] Reported by: [email protected] Reported by: [email protected] Reported by: [email protected] Reported by: [email protected] Reviewed by: jhb Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D30154 (cherry picked from commit 1a04f0156c4e6abfc01d5841341a94179f317f31) --- sys/opencrypto/cryptodev.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/sys/opencrypto/cryptodev.c b/sys/opencrypto/cryptodev.c index 9bb95bcb21f0..45146284642b 100644 --- a/sys/opencrypto/cryptodev.c +++ b/sys/opencrypto/cryptodev.c @@ -932,6 +932,11 @@ cryptodev_op(struct csession *cse, const struct crypt_op *cop) } crp->crp_flags |= CRYPTO_F_IV_SEPARATE; } else if (cse->ivsize != 0) { + if (crp->crp_payload_length < cse->ivsize) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); + error = EINVAL; + goto bail; + } crp->crp_iv_start = 0; crp->crp_payload_start += cse->ivsize; crp->crp_payload_length -= cse->ivsize; @@ -1112,6 +1117,11 @@ cryptodev_aead(struct csession *cse, struct crypt_aead *caead) cse->ivsize == AES_XTS_IV_LEN) caead->ivlen = AES_XTS_IV_LEN; + if (cse->ivsize == 0) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); + error = EINVAL; + goto bail; + } if (caead->ivlen != cse->ivsize) { error = EINVAL; SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); @@ -1125,10 +1135,9 @@ cryptodev_aead(struct csession *cse, struct crypt_aead *caead) } crp->crp_flags |= CRYPTO_F_IV_SEPARATE; } else { - crp->crp_iv_start = crp->crp_payload_start; - crp->crp_payload_start += cse->ivsize; - crp->crp_payload_length -= cse->ivsize; - dst += cse->ivsize; + error = EINVAL; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); + goto bail; } if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) { _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "[email protected]"
