Re: CVE request: kernel: crypto: ghash: null pointer deref if no key is set

[Huzaifa Sidhpurwala <huzaifas () redhat com>]

On 10/27/2011 02:40 PM, Eugene Teo wrote:
> Description from the commit: The ghash_update function passes a pointer
> to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or
> if the most recent call to ghash_setkey failed to allocate memory.  This
> causes an oops.  Fix this up by returning an error code in the null case.
>
> This is trivially triggered from unprivileged userspace through the
> AF_ALG interface by simply writing to the socket without setting a key.
>
> The ghash_final function has a similar issue, but triggering it requires
> a memory allocation failure in ghash_setkey _after_ at least one
> successful call to ghash_update.
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=749475
> https://secunia.com/advisories/46584/
> https://bugs.gentoo.org/show_bug.cgi?id=388581
>
> Upstream commit:
> http://git.kernel.org/linus/7ed47b7d142ec99ad6880bbbec51e9f12b3af74c
>
> +config CRYPTO_GHASH
> was added in commit 2cdc6899, v2.6.32-rc1.

This has been assigned CVE-2011-4081


--
Huzaifa Sidhpurwala / Red Hat Security Response Team