oss-sec mailing list archives
Buffer overruns in Linux kernel RFC4106 implementation using AESNI
From: Ben Hutchings <ben () decadent org uk>
Date: Tue, 14 Apr 2015 21:46:32 +0100
Linux kernel commit ccfe8c3f7e52 ("crypto: aesni - fix memory usage in GCM decryption") fixes two bugs in pointer arithmetic that lead to buffer overruns (even with valid parameters!):

https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a

These are described as resulting in DoS (local or remote), but are presumably also exploitable for privilege escalation.

The bugs appear to have been introduced by commit 0bd82f5f6355 ("crypto: aesni-intel - RFC4106 AES-GCM Driver Using Intel New Instructions") in Linux 2.6.38.

The above fix is included in Linux 4.0 and the following stable updates:

v3.10.73: 31c06b946ce6 crypto: aesni - fix memory usage in GCM decryption
v3.12.40: 0585664d1732 crypto: aesni - fix memory usage in GCM decryption
v3.14.37: e9b15363c101 crypto: aesni - fix memory usage in GCM decryption
v3.18.11: 3b389956156c crypto: aesni - fix memory usage in GCM decryption
v3.19.3: b90935f1d9a0 crypto: aesni - fix memory usage in GCM decryption
v3.13.11-ckt19: 40e073009626 crypto: aesni - fix memory usage in GCM decryption

Please assign a CVE ID for this.

Ben.

--
Ben Hutchings
Editing code like this is akin to sticking plasters on the bleeding stump of a severed limb. - me, 29 June 1999
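Added example, not part of the original message or of the kernel project: a triage helper that classifies a kernel release string (as printed by `uname -r`) against the versions listed in the message above. The function names and result labels are assumptions of this example, and it compares upstream version numbers only, so a distribution kernel that backported the fix under an older version number is reported as "no-fix-listed".

```python
import re

# Values taken from the message above.
INTRODUCED = (2, 6, 38)        # first release with the RFC4106 AES-NI driver
FIXED_MAINLINE = (4, 0, 0)     # fix included in Linux 4.0
FIXED_IN_BRANCH = {            # stable branch -> first fixed point release
    (3, 10): 73, (3, 12): 40, (3, 14): 37, (3, 18): 11, (3, 19): 3,
}
CKT_BASE, CKT_FIXED = (3, 13, 11), 19   # v3.13.11-ckt19 extended stable


def parse_release(release):
    """Return ((major, minor, patch), ckt_number_or_None) for a release string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version = tuple(int(g or 0) for g in m.groups())
    ckt = re.search(r"-ckt(\d+)", release)
    return version, (int(ckt.group(1)) if ckt else None)


def aesni_gcm_fix_status(release):
    """Classify a release as 'not-affected', 'fixed' or 'no-fix-listed'."""
    version, ckt = parse_release(release)
    if version < INTRODUCED:
        return "not-affected"          # predates the commit that added the bugs
    if version >= FIXED_MAINLINE:
        # The message names 4.0 itself; 4.0 release candidates are treated
        # conservatively because it does not say which -rc picked up the fix.
        if version == FIXED_MAINLINE and "-rc" in release:
            return "no-fix-listed"
        return "fixed"
    if ckt is not None and version == CKT_BASE:
        return "fixed" if ckt >= CKT_FIXED else "no-fix-listed"
    first_fixed = FIXED_IN_BRANCH.get(version[:2])
    if first_fixed is not None and version[2] >= first_fixed:
        return "fixed"
    return "no-fix-listed"             # affected range, no fix named in the message


if __name__ == "__main__":
    # Constructed sample release strings, not taken from any real host.
    for sample in ("2.6.37.6", "3.10.72", "3.10.73", "3.13.11-ckt19", "4.0.0-1-amd64"):
        print(sample, aesni_gcm_fix_status(sample))
```

A "no-fix-listed" result means the release needs a closer look, for example checking the vendor changelog for the commit title "crypto: aesni - fix memory usage in GCM decryption".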
Current thread:
- Buffer overruns in Linux kernel RFC4106 implementation using AESNI Ben Hutchings (Apr 14)
- Re: Buffer overruns in Linux kernel RFC4106 implementation using AESNI cve-assign (Apr 17)
- Re: Buffer overruns in Linux kernel RFC4106 implementation using AESNI Ben Hutchings (Apr 20)