Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE request: kernel: crypto: ghash: null pointer deref if no key is set
From: Eugene Teo <eugene () redhat com>
Date: Thu, 27 Oct 2011 17:10:07 +0800

Description from the commit: The ghash_update function passes a pointer
to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or
if the most recent call to ghash_setkey failed to allocate memory.  This
causes an oops.  Fix this up by returning an error code in the null case.

This is trivially triggered from unprivileged userspace through the
AF_ALG interface by simply writing to the socket without setting a key.

The ghash_final function has a similar issue, but triggering it requires
a memory allocation failure in ghash_setkey _after_ at least one
successful call to ghash_update.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=749475
https://secunia.com/advisories/46584/
https://bugs.gentoo.org/show_bug.cgi?id=388581

Upstream commit:
http://git.kernel.org/linus/7ed47b7d142ec99ad6880bbbec51e9f12b3af74c

+config CRYPTO_GHASH
was added in commit 2cdc6899, v2.6.32-rc1.

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]