
cryptodev: Fix some input validation bugs
ClosedPublic

Authored by markj on May 6 2021, 11:07 PM.

Details

Summary

- When we do not have a separate IV, make sure that the IV length
specified by the session is not larger than the payload size.
- Disallow AEAD requests without a separate IV. crp_sanity() asserts
that CRYPTO_F_IV_SEPARATE is set. I'm not sure if this is the correct
solution. Some drivers permit inline IVs with GCM and CCM. Others
(e.g., cryptosoft, aesni, ccr) explicitly do not. So it may be
reasonable to simply drop this assertion.

Reported by: syzbot+c9e8f6ff5cb7fa6a1250@syzkaller.appspotmail.com
Reported by: syzbot+007341439ae295cee74f@syzkaller.appspotmail.com
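The two checks described in the summary, written out as an added, self-contained C example. This is not the committed cryptodev change or any FreeBSD kernel code: the struct and field names (`session_params`, `crypto_request`, `ivlen`, `payload_length`, `CSP_MODE_AEAD`) are simplified stand-ins chosen for this illustration, and the request and session values in `check_case()` are constructed inputs. The point it shows is the fail-closed ordering: the IV length fixed at session creation is compared against the request's payload length before any byte of an inline IV is read, and an AEAD session is refused an inline IV outright.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed flag value for illustration; the real flag lives in the kernel headers. */
#define CRYPTO_F_IV_SEPARATE 0x0001

enum csp_mode { CSP_MODE_CIPHER, CSP_MODE_AEAD };

/* Session parameters are fixed when the session is created (constructed stand-in). */
struct session_params {
    enum csp_mode mode;
    size_t ivlen;            /* IV or nonce length for this session */
};

/* Per-request fields supplied by the caller, i.e. untrusted input (constructed stand-in). */
struct crypto_request {
    int flags;               /* CRYPTO_F_IV_SEPARATE or 0 */
    size_t payload_length;   /* bytes of data to encrypt/decrypt */
};

/*
 * Validate the IV handling of a request against its session.
 * Returns 0 when acceptable, EINVAL otherwise.
 *   1. AEAD sessions must carry the IV separately; an inline IV is refused.
 *   2. When the IV is inline, it is the first ivlen bytes of the payload, so
 *      a session ivlen larger than the payload would read past the buffer.
 */
int validate_iv(const struct session_params *csp, const struct crypto_request *crp)
{
    int separate = (crp->flags & CRYPTO_F_IV_SEPARATE) != 0;

    if (csp->mode == CSP_MODE_AEAD && !separate)
        return EINVAL;
    if (!separate && csp->ivlen > crp->payload_length)
        return EINVAL;
    return 0;
}

/*
 * Copy an inline IV out of the payload, but only after validate_iv() has
 * confirmed the read stays inside the payload. Returns 0 on success and
 * stores the number of IV bytes copied in *copied.
 */
int fetch_inline_iv(const struct session_params *csp, const struct crypto_request *crp,
                    const uint8_t *payload, uint8_t *iv_out, size_t iv_out_len,
                    size_t *copied)
{
    int error = validate_iv(csp, crp);

    if (error != 0)
        return error;
    if (crp->flags & CRYPTO_F_IV_SEPARATE)
        return EINVAL;       /* caller asked for an inline IV but request has none */
    if (iv_out_len < csp->ivlen)
        return EINVAL;       /* destination too small for the session's IV */
    memcpy(iv_out, payload, csp->ivlen);
    *copied = csp->ivlen;
    return 0;
}

/* Build a session/request pair from constructed values and run the check. */
int check_case(enum csp_mode mode, size_t ivlen, int flags, size_t payload_length)
{
    struct session_params csp = { .mode = mode, .ivlen = ivlen };
    struct crypto_request crp = { .flags = flags, .payload_length = payload_length };

    return validate_iv(&csp, &crp);
}

/* Exercise the inline-IV copy on a constructed 32-byte payload with a 16-byte IV. */
size_t inline_iv_demo(size_t ivlen, size_t payload_length)
{
    uint8_t payload[32] = { 0 };
    uint8_t iv[16];
    size_t copied = 0;
    struct session_params csp = { .mode = CSP_MODE_CIPHER, .ivlen = ivlen };
    struct crypto_request crp = { .flags = 0, .payload_length = payload_length };

    if (payload_length > sizeof(payload))
        return 0;
    if (fetch_inline_iv(&csp, &crp, payload, iv, sizeof(iv), &copied) != 0)
        return 0;
    return copied;
}
```

`check_case(CSP_MODE_CIPHER, 16, 0, 8)` is the first bug class from the summary (a 16-byte session IV with only 8 bytes of payload) and returns EINVAL; `check_case(CSP_MODE_AEAD, 12, 0, 64)` is the second (an AEAD request without CRYPTO_F_IV_SEPARATE) and also returns EINVAL. The same requests with a large enough payload, or with the separate-IV flag set, pass.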

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

markj requested review of this revision. May 6 2021, 11:07 PM

Ping? This is responsible for 4-5 syzbot reports now; it would be nice to get this fixed soon.

I don't really know why some of the drivers mandate separate IVs for CCM/GCM. I did that in ccr(4) because I was copying what was done in cryptosoft and was less familiar with how GCM worked, per se. That said, it seems like all the use cases of AEAD ciphers require some part of the IV/nonce to be implicit, so inline IVs don't seem practical for AEAD.

This revision is now accepted and ready to land. May 11 2021, 8:51 PM
This revision was automatically updated to reflect the committed changes.