[PATCH 1/1] crypto: user - fix leaking uninitialized memory to userspace

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Fri Jan 25 11:26:53 UTC 2019


On Fri, Jan 25, 2019 at 02:08:08AM +0000, Tyler Hicks wrote:
> From: Eric Biggers <ebiggers at google.com>
> 
> All bytes of the NETLINK_CRYPTO report structures must be initialized,
> since they are copied to userspace.  The change from strncpy() to
> strlcpy() broke this.  As a minimal fix, change it back.

Why not use strscpy?

Cascardo.

> 
> Fixes: 4473710df1f8 ("crypto: user - Prepare for CRYPTO_MAX_ALG_NAME expansion")
> Cc: <stable at vger.kernel.org> # v4.12+
> Signed-off-by: Eric Biggers <ebiggers at google.com>
> Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
> 
> CVE-2018-19854
> 
> (backported from commit f43f39958beb206b53292801e216d9b8a660f087)
> [tyhicks: Adjust the name of the file to be patched]
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> ---
>  crypto/crypto_user.c | 18 +++++++++---------
>  1 file changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
> index 0dbe2be7f783..b5758768920b 100644
> --- a/crypto/crypto_user.c
> +++ b/crypto/crypto_user.c
> @@ -83,7 +83,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg)
>  {
>  	struct crypto_report_cipher rcipher;
>  
> -	strlcpy(rcipher.type, "cipher", sizeof(rcipher.type));
> +	strncpy(rcipher.type, "cipher", sizeof(rcipher.type));
>  
>  	rcipher.blocksize = alg->cra_blocksize;
>  	rcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
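Review bot: The fix relies on strncpy() zero-padding `rcipher.type` to initialize the bytes that are copied to userspace, but nothing at the call site records that, which is how the earlier strlcpy() conversion lost the guarantee. A comment above the copy such as `/* strncpy() zero-pads: every byte of the report is copied to userspace */`, or an explicit `memset(&rcipher, 0, sizeof(rcipher));` before it, would keep the requirement visible and would also cover any padding or later-added fields, which this hunk does not show. The same applies to the copies in crypto_report_comp, crypto_report_acomp, crypto_report_akcipher, crypto_report_kpp and the larval branch of crypto_report_one. The body of crypto_report_cipher continues outside the hunk.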
> @@ -102,7 +102,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg)
>  {
>  	struct crypto_report_comp rcomp;
>  
> -	strlcpy(rcomp.type, "compression", sizeof(rcomp.type));
> +	strncpy(rcomp.type, "compression", sizeof(rcomp.type));
>  	if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
>  		    sizeof(struct crypto_report_comp), &rcomp))
>  		goto nla_put_failure;
> @@ -116,7 +116,7 @@ static int crypto_report_acomp(struct sk_buff *skb, struct crypto_alg *alg)
>  {
>  	struct crypto_report_acomp racomp;
>  
> -	strlcpy(racomp.type, "acomp", sizeof(racomp.type));
> +	strncpy(racomp.type, "acomp", sizeof(racomp.type));
>  
>  	if (nla_put(skb, CRYPTOCFGA_REPORT_ACOMP,
>  		    sizeof(struct crypto_report_acomp), &racomp))
> @@ -131,7 +131,7 @@ static int crypto_report_akcipher(struct sk_buff *skb, struct crypto_alg *alg)
>  {
>  	struct crypto_report_akcipher rakcipher;
>  
> -	strlcpy(rakcipher.type, "akcipher", sizeof(rakcipher.type));
> +	strncpy(rakcipher.type, "akcipher", sizeof(rakcipher.type));
>  
>  	if (nla_put(skb, CRYPTOCFGA_REPORT_AKCIPHER,
>  		    sizeof(struct crypto_report_akcipher), &rakcipher))
> @@ -146,7 +146,7 @@ static int crypto_report_kpp(struct sk_buff *skb, struct crypto_alg *alg)
>  {
>  	struct crypto_report_kpp rkpp;
>  
> -	strlcpy(rkpp.type, "kpp", sizeof(rkpp.type));
> +	strncpy(rkpp.type, "kpp", sizeof(rkpp.type));
>  
>  	if (nla_put(skb, CRYPTOCFGA_REPORT_KPP,
>  		    sizeof(struct crypto_report_kpp), &rkpp))
> @@ -160,10 +160,10 @@ static int crypto_report_kpp(struct sk_buff *skb, struct crypto_alg *alg)
>  static int crypto_report_one(struct crypto_alg *alg,
>  			     struct crypto_user_alg *ualg, struct sk_buff *skb)
>  {
> -	strlcpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
> -	strlcpy(ualg->cru_driver_name, alg->cra_driver_name,
> +	strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
> +	strncpy(ualg->cru_driver_name, alg->cra_driver_name,
>  		sizeof(ualg->cru_driver_name));
> -	strlcpy(ualg->cru_module_name, module_name(alg->cra_module),
> +	strncpy(ualg->cru_module_name, module_name(alg->cra_module),
>  		sizeof(ualg->cru_module_name));
>  
>  	ualg->cru_type = 0;
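Review bot: With a non-literal source, strncpy() leaves `cru_name`, `cru_driver_name` and `cru_module_name` without a terminating NUL whenever the source string is at least as long as the destination field. The title of the commit named in Fixes suggests the kernel-side name buffers may be the larger ones, but the sizes are not visible in this hunk and should be confirmed against the struct definitions. If userspace consumers treat these fields as C strings, terminate each one explicitly after the copy, e.g. `ualg->cru_name[sizeof(ualg->cru_name) - 1] = '\0';`, or document that readers must bound their reads by the field size. The body of crypto_report_one continues past the end of the hunk.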
> @@ -176,7 +176,7 @@ static int crypto_report_one(struct crypto_alg *alg,
>  	if (alg->cra_flags & CRYPTO_ALG_LARVAL) {
>  		struct crypto_report_larval rl;
>  
> -		strlcpy(rl.type, "larval", sizeof(rl.type));
> +		strncpy(rl.type, "larval", sizeof(rl.type));
>  		if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL,
>  			    sizeof(struct crypto_report_larval), &rl))
>  			goto nla_put_failure;
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team


