    dh key: fix rounding up KDF output length · 3619dec5
    Eric Biggers authored
    Commit 383203ef ("dh key: get rid of stack allocated array") changed
    kdf_ctr() to assume that the length of key material to derive is a
    multiple of the digest size.  The length was supposed to be rounded up
    accordingly.  However, the round_up() macro was used which only gives
    the correct result on power-of-2 arguments, whereas not all hash
    algorithms have power-of-2 digest sizes.  In some cases this resulted in
    a write past the end of the 'outbuf' buffer.
    
    Fix it by switching to roundup(), which works for non-power-of-2 inputs.
    
    Reported-by: syzbot+486f97f892efeb2075a3@syzkaller.appspotmail.com
    Reported-by: syzbot+29d17b7898b41ee120a5@syzkaller.appspotmail.com
    Reported-by: syzbot+8a608baf8751184ec727@syzkaller.appspotmail.com
    Reported-by: syzbot+d04e58bd384f1fe0b112@syzkaller.appspotmail.com
    Fixes: 383203ef ("dh key: get rid of stack allocated array")
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Acked-by: Kees Cook <keescook@chromium.org>
    Acked-by: Tycho Andersen <tycho@tycho.ws>
    Signed-off-by: James Morris <james.morris@microsoft.com>
Name
encrypted-keys
Kconfig
Makefile
big_key.c
compat.c
compat_dh.c
dh.c
gc.c
internal.h
key.c
keyctl.c
keyring.c
permission.c
persistent.c
proc.c
process_keys.c
request_key.c
request_key_auth.c
sysctl.c
trusted.c
trusted.h
user_defined.c