Eric Biggers 3619dec510 dh key: fix rounding up KDF output length ... Commit 383203eff7 ("dh key: get rid of stack allocated array") changed kdf_ctr() to assume that the length of key material to derive is a multiple of the digest size. The length was supposed to be rounded up accordingly. However, the round_up() macro was used which only gives the correct result on power-of-2 arguments, whereas not all hash algorithms have power-of-2 digest sizes. In some cases this resulted in a write past the end of the 'outbuf' buffer. Fix it by switching to roundup(), which works for non-power-of-2 inputs. Reported-by: syzbot+486f97f892efeb2075a3@syzkaller.appspotmail.com Reported-by: syzbot+29d17b7898b41ee120a5@syzkaller.appspotmail.com Reported-by: syzbot+8a608baf8751184ec727@syzkaller.appspotmail.com Reported-by: syzbot+d04e58bd384f1fe0b112@syzkaller.appspotmail.com Fixes: 383203eff7 ("dh key: get rid of stack allocated array") Signed-off-by: Eric Biggers <ebiggers@google.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Tycho Andersen <tycho@tycho.ws> Signed-off-by: James Morris <james.morris@microsoft.com>		2018-06-26 09:43:05 -07:00
..
encrypted-keys	…
Kconfig	…
Makefile	…
big_key.c	big key: get rid of stack array allocation	2018-05-11 13:07:45 -07:00
compat.c	…
compat_dh.c	…
dh.c	dh key: fix rounding up KDF output length	2018-06-26 09:43:05 -07:00
gc.c	…
internal.h	…
key.c	security: keys: remove redundant assignment to key_ref	2017-12-08 15:13:29 +00:00
keyctl.c	KEYS: reject NULL restriction string when type is specified	2017-12-08 15:13:29 +00:00
keyring.c	…
permission.c	…
persistent.c	…
proc.c	proc: introduce proc_create_seq{,_data}	2018-05-16 07:23:35 +02:00
process_keys.c	…
request_key.c	KEYS: add missing permission check for request_key() destination	2017-12-08 15:13:27 +00:00
request_key_auth.c	…
sysctl.c	…
trusted.c	treewide: kmalloc() -> kmalloc_array()	2018-06-12 16:19:22 -07:00
trusted.h	…
user_defined.c	…