oss-security - CVE request: kernel: crypto: ghash: null pointer deref if no key is set

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <4EA91FEF.1030408@redhat.com>
Date: Thu, 27 Oct 2011 17:10:07 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: kernel: crypto: ghash: null pointer deref if no key
 is set

Description from the commit: The ghash_update function passes a pointer
to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or
if the most recent call to ghash_setkey failed to allocate memory.  This
causes an oops.  Fix this up by returning an error code in the null case.

This is trivially triggered from unprivileged userspace through the
AF_ALG interface by simply writing to the socket without setting a key.

The ghash_final function has a similar issue, but triggering it requires
a memory allocation failure in ghash_setkey _after_ at least one
successful call to ghash_update.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=749475
https://secunia.com/advisories/46584/
https://bugs.gentoo.org/show_bug.cgi?id=388581

Upstream commit:
http://git.kernel.org/linus/7ed47b7d142ec99ad6880bbbec51e9f12b3af74c

+config CRYPTO_GHASH
was added in commit 2cdc6899, v2.6.32-rc1.

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.