    crypto: salsa20 - don't access already-freed walk.iv · d31e54a9
    Eric Biggers authored
    commit edaf28e9 upstream.
    
    If the user-provided IV needs to be aligned to the algorithm's
    alignmask, then skcipher_walk_virt() copies the IV into a new aligned
    buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
    if the caller unconditionally accesses walk.iv, it's a use-after-free.
    
    salsa20-generic doesn't set an alignmask, so currently it isn't affected
    by this despite unconditionally accessing walk.iv.  However this is more
    subtle than desired, and it was actually broken prior to the alignmask
    being removed by commit b62b3db7 ("crypto: salsa20-generic - cleanup
    and convert to skcipher API").
    
    Since salsa20-generic does not update the IV and does not need any IV
    alignment, update it to use req->iv instead of walk.iv.
    
    Fixes: 2407d608 ("[CRYPTO] salsa20: Salsa20 stream cipher")
    Cc: stable@vger.kernel.org
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
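
The lifetime problem the commit message describes, as an added userspace model in C; it is not code from the commit or from the kernel. `req_model`, `walk_model`, `walk_virt_model` and `run_case` are hypothetical stand-ins for the request, the walk state and `skcipher_walk_virt()`, and the IV bytes are constructed. The caller reads the IV through the request pointer, so it stays valid even when the walk fails after freeing its aligned copy.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define IV_LEN 8 /* Salsa20 uses an 8-byte IV */

/* Hypothetical stand-ins for the request and the walk state. */
struct req_model  { const uint8_t *iv; };  /* caller-owned IV */
struct walk_model { uint8_t *iv, *buf; int iv_dangling; };

/* Model only: copy a misaligned IV into a fresh buffer, then optionally
 * fail and free that buffer while leaving w->iv pointing at it. */
static int walk_virt_model(struct walk_model *w, const struct req_model *r,
                           unsigned long alignmask, int fail_later)
{
    memset(w, 0, sizeof(*w));
    w->iv = (uint8_t *)r->iv;
    if ((uintptr_t)r->iv & alignmask) {
        if (!(w->buf = malloc(IV_LEN)))
            return -ENOMEM;
        memcpy(w->buf, r->iv, IV_LEN);
        w->iv = w->buf;
    }
    if (fail_later) {
        w->iv_dangling = (w->buf != NULL); /* w->iv is stale once freed */
        free(w->buf);
        w->buf = NULL;
        return -EINVAL;
    }
    return 0;
}

/* Fixed pattern: read the IV from r.iv, never from w.iv.
 * Result bits: 1 = IV read intact, 2 = w.iv was dangling, 4 = walk failed. */
int run_case(unsigned long alignmask, int fail_later)
{
    static const uint64_t store[2] = { 0x0123456789abcdefULL, 0x42 }; /* constructed */
    struct req_model r = { .iv = (const uint8_t *)store + 1 }; /* misaligned for mask 7 */
    struct walk_model w;
    uint8_t state_iv[IV_LEN];
    int err = walk_virt_model(&w, &r, alignmask, fail_later);
    memcpy(state_iv, r.iv, IV_LEN); /* safe on every path, error or not */
    free(w.buf);
    return (memcmp(state_iv, r.iv, IV_LEN) == 0) | (w.iv_dangling << 1) | ((err != 0) << 2);
}
int main(void)
{
    return printf("%d %d %d\n", run_case(0, 1), run_case(7, 1), run_case(7, 0)) < 0;
}
```

With an alignmask of 0 the failing walk leaves nothing dangling, which is the "not currently affected" case; with a nonzero mask the same failure leaves `w.iv` stale, and only the request pointer remains safe to read.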
salsa20_generic.c 6.01 KB