diff options
| author | Eric Biggers <ebiggers@google.com> | 2018-11-03 17:56:00 -0400 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2018-11-09 04:35:43 -0500 |
| commit | f43f39958beb206b53292801e216d9b8a660f087 (patch) | |
| tree | 55c72a4428c1e7cb5e38e85e8912e1540be2e65b | |
| parent | 508a1c4df085a547187eed346f1bfe5e381797f1 (diff) | |
crypto: user - fix leaking uninitialized memory to userspace
All bytes of the NETLINK_CRYPTO report structures must be initialized,
since they are copied to userspace. The change from strncpy() to
strlcpy() broke this. As a minimal fix, change it back.
Fixes: 4473710df1f8 ("crypto: user - Prepare for CRYPTO_MAX_ALG_NAME expansion")
Cc: <stable@vger.kernel.org> # v4.12+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| -rw-r--r-- | crypto/crypto_user_base.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/crypto/crypto_user_base.c b/crypto/crypto_user_base.c index e41f6cc33fff..784748dbb19f 100644 --- a/crypto/crypto_user_base.c +++ b/crypto/crypto_user_base.c | |||
| @@ -84,7 +84,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg) | |||
| 84 | { | 84 | { |
| 85 | struct crypto_report_cipher rcipher; | 85 | struct crypto_report_cipher rcipher; |
| 86 | 86 | ||
| 87 | strlcpy(rcipher.type, "cipher", sizeof(rcipher.type)); | 87 | strncpy(rcipher.type, "cipher", sizeof(rcipher.type)); |
| 88 | 88 | ||
| 89 | rcipher.blocksize = alg->cra_blocksize; | 89 | rcipher.blocksize = alg->cra_blocksize; |
| 90 | rcipher.min_keysize = alg->cra_cipher.cia_min_keysize; | 90 | rcipher.min_keysize = alg->cra_cipher.cia_min_keysize; |
| @@ -103,7 +103,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg) | |||
| 103 | { | 103 | { |
| 104 | struct crypto_report_comp rcomp; | 104 | struct crypto_report_comp rcomp; |
| 105 | 105 | ||
| 106 | strlcpy(rcomp.type, "compression", sizeof(rcomp.type)); | 106 | strncpy(rcomp.type, "compression", sizeof(rcomp.type)); |
| 107 | if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS, | 107 | if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS, |
| 108 | sizeof(struct crypto_report_comp), &rcomp)) | 108 | sizeof(struct crypto_report_comp), &rcomp)) |
| 109 | goto nla_put_failure; | 109 | goto nla_put_failure; |
| @@ -117,7 +117,7 @@ static int crypto_report_acomp(struct sk_buff *skb, struct crypto_alg *alg) | |||
| 117 | { | 117 | { |
| 118 | struct crypto_report_acomp racomp; | 118 | struct crypto_report_acomp racomp; |
| 119 | 119 | ||
| 120 | strlcpy(racomp.type, "acomp", sizeof(racomp.type)); | 120 | strncpy(racomp.type, "acomp", sizeof(racomp.type)); |
| 121 | 121 | ||
| 122 | if (nla_put(skb, CRYPTOCFGA_REPORT_ACOMP, | 122 | if (nla_put(skb, CRYPTOCFGA_REPORT_ACOMP, |
| 123 | sizeof(struct crypto_report_acomp), &racomp)) | 123 | sizeof(struct crypto_report_acomp), &racomp)) |
| @@ -132,7 +132,7 @@ static int crypto_report_akcipher(struct sk_buff *skb, struct crypto_alg *alg) | |||
| 132 | { | 132 | { |
| 133 | struct crypto_report_akcipher rakcipher; | 133 | struct crypto_report_akcipher rakcipher; |
| 134 | 134 | ||
| 135 | strlcpy(rakcipher.type, "akcipher", sizeof(rakcipher.type)); | 135 | strncpy(rakcipher.type, "akcipher", sizeof(rakcipher.type)); |
| 136 | 136 | ||
| 137 | if (nla_put(skb, CRYPTOCFGA_REPORT_AKCIPHER, | 137 | if (nla_put(skb, CRYPTOCFGA_REPORT_AKCIPHER, |
| 138 | sizeof(struct crypto_report_akcipher), &rakcipher)) | 138 | sizeof(struct crypto_report_akcipher), &rakcipher)) |
| @@ -147,7 +147,7 @@ static int crypto_report_kpp(struct sk_buff *skb, struct crypto_alg *alg) | |||
| 147 | { | 147 | { |
| 148 | struct crypto_report_kpp rkpp; | 148 | struct crypto_report_kpp rkpp; |
| 149 | 149 | ||
| 150 | strlcpy(rkpp.type, "kpp", sizeof(rkpp.type)); | 150 | strncpy(rkpp.type, "kpp", sizeof(rkpp.type)); |
| 151 | 151 | ||
| 152 | if (nla_put(skb, CRYPTOCFGA_REPORT_KPP, | 152 | if (nla_put(skb, CRYPTOCFGA_REPORT_KPP, |
| 153 | sizeof(struct crypto_report_kpp), &rkpp)) | 153 | sizeof(struct crypto_report_kpp), &rkpp)) |
| @@ -161,10 +161,10 @@ nla_put_failure: | |||
| 161 | static int crypto_report_one(struct crypto_alg *alg, | 161 | static int crypto_report_one(struct crypto_alg *alg, |
| 162 | struct crypto_user_alg *ualg, struct sk_buff *skb) | 162 | struct crypto_user_alg *ualg, struct sk_buff *skb) |
| 163 | { | 163 | { |
| 164 | strlcpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name)); | 164 | strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name)); |
| 165 | strlcpy(ualg->cru_driver_name, alg->cra_driver_name, | 165 | strncpy(ualg->cru_driver_name, alg->cra_driver_name, |
| 166 | sizeof(ualg->cru_driver_name)); | 166 | sizeof(ualg->cru_driver_name)); |
| 167 | strlcpy(ualg->cru_module_name, module_name(alg->cra_module), | 167 | strncpy(ualg->cru_module_name, module_name(alg->cra_module), |
| 168 | sizeof(ualg->cru_module_name)); | 168 | sizeof(ualg->cru_module_name)); |
| 169 | 169 | ||
| 170 | ualg->cru_type = 0; | 170 | ualg->cru_type = 0; |
| @@ -177,7 +177,7 @@ static int crypto_report_one(struct crypto_alg *alg, | |||
| 177 | if (alg->cra_flags & CRYPTO_ALG_LARVAL) { | 177 | if (alg->cra_flags & CRYPTO_ALG_LARVAL) { |
| 178 | struct crypto_report_larval rl; | 178 | struct crypto_report_larval rl; |
| 179 | 179 | ||
| 180 | strlcpy(rl.type, "larval", sizeof(rl.type)); | 180 | strncpy(rl.type, "larval", sizeof(rl.type)); |
| 181 | if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL, | 181 | if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL, |
| 182 | sizeof(struct crypto_report_larval), &rl)) | 182 | sizeof(struct crypto_report_larval), &rl)) |
| 183 | goto nla_put_failure; | 183 | goto nla_put_failure; |