oss-sec mailing list archives

Re: Buffer overruns in Linux kernel RFC4106 implementation using AESNI


From: cve-assign () mitre org
Date: Sat, 18 Apr 2015 00:07:22 -0400 (EDT)


Linux kernel commit ccfe8c3f7e52 ("crypto: aesni - fix memory usage in
GCM decryption") fixes two bugs in pointer arithmetic that lead to
buffer overruns (even with valid parameters!):

https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
https://bugs.debian.org/782561

These are described as resulting in DoS (local or remote), but are
presumably also exploitable for privilege escalation.

As the destination buffer for decryption only needs to hold the
plaintext memory but cryptlen references the input buffer holding
(ciphertext || authentication tag), the assumption of the destination
buffer length in RFC4106 GCM operation leads to a too large size. ...
In addition, ... cryptlen already includes the size of the tag. Thus,
the tag does not need to be added.

Use CVE-2015-3331.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
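The sizing mistake quoted above, as an added example that is not the kernel's code: a constructed C model of an RFC4106 decrypt request in which `dst_len_buggy` reproduces the double-counted tag, `dst_len_fixed` uses only the plaintext size, and `simulate_copy` reports how far a copy of each length would run past a destination sized for the plaintext. It also rejects a cryptlen shorter than the tag, a case the post does not discuss; the struct and function names are invented for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an RFC4106 (AES-GCM) decrypt request: src holds
 * ciphertext || tag, so cryptlen already counts the tag bytes. */
struct rfc4106_dec_req {
    size_t cryptlen;     /* bytes in src: ciphertext plus tag */
    size_t auth_tag_len; /* 8, 12 or 16 for RFC4106 */
};

/* Buggy sizing: treats cryptlen as plaintext-only and adds the tag on top,
 * so the tag is counted twice and the destination length is too large. */
size_t dst_len_buggy(const struct rfc4106_dec_req *req)
{
    return req->cryptlen + req->auth_tag_len;
}

/* Fixed sizing: the destination only receives the plaintext (cryptlen minus
 * tag). Sets *ok = 0 and returns 0 when cryptlen is shorter than the tag,
 * which would otherwise wrap the unsigned subtraction. */
size_t dst_len_fixed(const struct rfc4106_dec_req *req, int *ok)
{
    if (req->cryptlen < req->auth_tag_len) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return req->cryptlen - req->auth_tag_len;
}

/* Simulated copy-back into a caller buffer sized for the plaintext. Returns
 * how many bytes would land past the end of dst (0 means in bounds); writes
 * nothing when the copy would overrun. */
size_t simulate_copy(uint8_t *dst, size_t dst_size, const uint8_t *src, size_t n)
{
    if (n > dst_size)
        return n - dst_size;
    memcpy(dst, src, n);
    return 0;
}
```

With a constructed 32-byte source (16 bytes of ciphertext and a 16-byte tag) and a 16-byte plaintext buffer, the buggy length of 48 overruns by 32 bytes while the fixed length of 16 fits exactly.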

