[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: crypto: ghash: null pointer
From:       Huzaifa Sidhpurwala <huzaifas () redhat ! com>
Date:       2011-10-27 9:42:24
Message-ID: 4EA924B0.5080208 () redhat ! com
[Download RAW message or body]

On 10/27/2011 02:40 PM, Eugene Teo wrote:
> Description from the commit: The ghash_update function passes a pointer
> to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or
> if the most recent call to ghash_setkey failed to allocate memory.  This
> causes an oops.  Fix this up by returning an error code in the null case.
>
> This is trivially triggered from unprivileged userspace through the
> AF_ALG interface by simply writing to the socket without setting a key.
>
> The ghash_final function has a similar issue, but triggering it requires
> a memory allocation failure in ghash_setkey _after_ at least one
> successful call to ghash_update.
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=749475
> https://secunia.com/advisories/46584/
> https://bugs.gentoo.org/show_bug.cgi?id=388581
>
> Upstream commit:
> http://git.kernel.org/linus/7ed47b7d142ec99ad6880bbbec51e9f12b3af74c
>
> +config CRYPTO_GHASH
> was added in commit 2cdc6899, v2.6.32-rc1.
>

This has been assigned CVE-2011-4081


-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]