[PATCH 5.4 078/475] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete()

From: Greg Kroah-Hartman
Date: Thu Apr 14 2022 - 10:20:31 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.4 082/475] xtensa: fix xtensa_wsr always writing 0"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 079/475] DEC: Limit PMAX memory probing to R3k systems"
In reply to: Greg Kroah-Hartman: "[PATCH 5.4 079/475] DEC: Limit PMAX memory probing to R3k systems"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.4 082/475] xtensa: fix xtensa_wsr always writing 0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Biggers <ebiggers@xxxxxxxxxx>

commit a24611ea356c7f3f0ec926da11b9482ac1f414fd upstream.

Before checking whether the expected digest_info is present, we need to
check that there are enough bytes remaining.

Fixes: a49de377e051 ("crypto: Add hash param to pkcs1pad")
Cc: <stable@xxxxxxxxxxxxxxx> # v4.6+
Cc: Tadeusz Struk <tadeusz.struk@xxxxxxxxxx>
Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
crypto/rsa-pkcs1pad.c | 2 ++
1 file changed, 2 insertions(+)

--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -475,6 +475,8 @@ static int pkcs1pad_verify_complete(stru
pos++;

if (digest_info) {
+ if (digest_info->size > dst_len - pos)
+ goto done;
if (crypto_memneq(out_buf + pos, digest_info->data,
digest_info->size))
goto done;

Next message: Greg Kroah-Hartman: "[PATCH 5.4 082/475] xtensa: fix xtensa_wsr always writing 0"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 079/475] DEC: Limit PMAX memory probing to R3k systems"
In reply to: Greg Kroah-Hartman: "[PATCH 5.4 079/475] DEC: Limit PMAX memory probing to R3k systems"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.4 082/475] xtensa: fix xtensa_wsr always writing 0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]