• Mathias Krause's avatar
    crypto: user - fix info leaks in report API · 9a5467bf
    Mathias Krause authored
    Three errors resulting in kernel memory disclosure:
    
    1/ The structures used for the netlink based crypto algorithm report API
    are located on the stack. As snprintf() does not fill the remainder of
    the buffer with null bytes, those stack bytes will be disclosed to users
    of the API. Switch to strncpy() to fix this.
    
    2/ crypto_report_one() does not initialize all field of struct
    crypto_user_alg. Fix this to fix the heap info leak.
    
    3/ For the module name we should copy only as many bytes as
    module_name() returns -- not as much as the destination buffer could
    hold. But the current code does not and therefore copies random data
    from behind the end of the module name, as the module name is always
    shorter than CRYPTO_MAX_ALG_NAME.
    
    Also switch to use strncpy() to copy the algorithm's name and
    driver_name. They are strings, after all.
    Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    9a5467bf
shash.c 17.5 KB