oss-sec mailing list archives
Re: Buffer overruns in Linux kernel RFC4106 implementation using AESNI
From: cve-assign () mitre org
Date: Sat, 18 Apr 2015 00:07:22 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Linux kernel commit ccfe8c3f7e52 ("crypto: aesni - fix memory usage in GCM decryption") fixes two bugs in pointer arithmetic that lead to buffer overruns (even with valid parameters!):

https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
https://bugs.debian.org/782561

These are described as resulting in DoS (local or remote), but are presumably also exploitable for privilege escalation.
As the destination buffer for decryption only needs to hold the plaintext memory but cryptlen references the input buffer holding (ciphertext || authentication tag), the assumption of the destination buffer length in RFC4106 GCM operation leads to a too large size. ... In addition, ... cryptlen already includes the size of the tag. Thus, the tag does not need to be added.
Use CVE-2015-3331.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVMdeRAAoJEKllVAevmvmsidIH/i/kj781LmDCrwkAoGRREwKE
Bw8eKCM7Rb5u5om8T+wfX93UBvXQEm9sms3B4LAhpvhQ+hE64M8ETsQq8/Y2J5b3
gz5UQDd57TxIiBUkKuSA6CTQxUw5m+SRd2tlZckgpBjRRWYfKZvaPj/KqI/Uztq+
/WwFU0hXDzAq650mMFGluduwpKpeDIXxtYaNajbFHJdDDhVL0eUiJv2SxUsc3cse
Okx2fFoAKXmyf7YfXN6bgZKE4A4w2LWq175/TvcDTsVzUdct3ramDPVRNBE2LCYx
JXkLV4vuoFxkCScPH6zUPOgaqC+obqCWN0XBjkXx064on9BAM/34aZgZfX5TCf0=
=KYnV
-----END PGP SIGNATURE-----
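The sizing error quoted from the commit message above, reduced to the arithmetic and a bounds check, as an added example written for this page. It is not the kernel's aesni-intel code (which works on scatterlists, not flat buffers); flawed_dst_len, gcm_plaintext_len, decrypt_into and demo_decrypt are hypothetical names, and the 48-byte input is constructed. The point it shows: cryptlen already spans (ciphertext || tag), so the bytes decryption writes are cryptlen - authsize, and an input shorter than the tag must be rejected rather than wrapped.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define GCM_MAX_TAG 16  /* largest GCM authentication tag, in bytes */

/*
 * The assumption described in the commit message: size the destination as
 * cryptlen + authsize, even though cryptlen already includes the tag. Kept
 * only to show how far that estimate overshoots what decryption writes.
 */
size_t flawed_dst_len(size_t cryptlen, size_t authsize)
{
    return cryptlen + authsize;
}

/*
 * Plaintext bytes an RFC4106 GCM decryption produces: cryptlen minus the
 * trailing tag. Returns -1 for an out-of-range tag size or an input too
 * short to contain the tag, so the caller never sees a wrapped length.
 */
long gcm_plaintext_len(size_t cryptlen, size_t authsize)
{
    if (authsize == 0 || authsize > GCM_MAX_TAG || cryptlen < authsize)
        return -1;
    return (long)(cryptlen - authsize);
}

/*
 * Bounds-checked stand-in for the decrypt step: touches dst only when it can
 * hold the plaintext. The memcpy stands in for AES-GCM; the sizing logic is
 * the point. Returns bytes written, -1 for bad parameters, -2 when dst is
 * too small.
 */
long decrypt_into(const uint8_t *src, size_t cryptlen, size_t authsize,
                  uint8_t *dst, size_t dst_len)
{
    long ptlen = gcm_plaintext_len(cryptlen, authsize);
    if (ptlen < 0)
        return -1;
    if ((size_t)ptlen > dst_len)
        return -2;
    memcpy(dst, src, (size_t)ptlen);   /* the tag at src + ptlen is never copied */
    return ptlen;
}

/*
 * Constructed scenario: a 48-byte input of 32 ciphertext bytes followed by a
 * 16-byte tag, decrypted into a destination of dst_len bytes.
 */
long demo_decrypt(size_t dst_len)
{
    uint8_t src[48];
    uint8_t dst[64];
    size_t i;

    if (dst_len > sizeof dst)
        return -3;
    for (i = 0; i < sizeof src; i++)
        src[i] = (uint8_t)i;           /* placeholder ciphertext and tag bytes */
    return decrypt_into(src, sizeof src, 16, dst, dst_len);
}

int main(void)
{
    printf("flawed estimate: %zu bytes, actual plaintext: %ld bytes\n",
           flawed_dst_len(48, 16), gcm_plaintext_len(48, 16));
    printf("32-byte dst: %ld, 16-byte dst: %ld, 8-byte input: %ld\n",
           demo_decrypt(32), demo_decrypt(16), gcm_plaintext_len(8, 16));
    return 0;
}
```

With the constructed 48-byte input the flawed estimate asks for 64 destination bytes while decryption writes 32; the corrected length keeps the copy inside a 32-byte destination and rejects a 16-byte one, and an 8-byte input with a 16-byte tag is refused before any length is derived.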
Current thread:
- Buffer overruns in Linux kernel RFC4106 implementation using AESNI Ben Hutchings (Apr 14)
- Re: Buffer overruns in Linux kernel RFC4106 implementation using AESNI cve-assign (Apr 17)
- Re: Buffer overruns in Linux kernel RFC4106 implementation using AESNI Ben Hutchings (Apr 20)