Date: Sun, 25 Oct 2015 09:27:01 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 204009] [patch] buffer overflow when zerokey in AES ICM Message-ID: <bug-204009-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204009

            Bug ID: 204009
           Summary: [patch] buffer overflow when zerokey in AES ICM
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: luke.tw@gmail.com

Created attachment 162438
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=162438&action=edit
AES ICM zerokey patch

* buffer allocation: malloc() 260 bytes

    sched = malloc(sizeof(struct aes_icm_ctx), M_CRYPTO_DATA, M_NOWAIT | M_ZERO);

    aes_icm_setkey() at aes_icm_setkey+0x67/frame 0xfffffe0616f8c340
    swcr_newsession() at swcr_newsession+0x3b8/frame 0xfffffe0616f8c390
    crypto_newsession() at crypto_newsession+0x1e9/frame 0xfffffe0616f8c3e0
    esp_init() at esp_init+0x308/frame 0xfffffe0616f8c480
    key_setsaval() at key_setsaval+0x2ba/frame 0xfffffe0616f8c4c0
    key_newsav() at key_newsav+0xe4/frame 0xfffffe0616f8c500
    key_add() at key_add+0x51f/frame 0xfffffe0616f8c5a0
    key_parse() at key_parse+0x8cd/frame 0xfffffe0616f8c790
    sosend_generic() at sosend_generic+0x42f/frame 0xfffffe0616f8c850
    kern_sendit() at kern_sendit+0x21b/frame 0xfffffe0616f8c900
    sendit() at sendit+0x126/frame 0xfffffe0616f8c950
    sys_sendto() at sys_sendto+0x4d/frame 0xfffffe0616f8c9a0
    amd64_syscall() at amd64_syscall+0x2de/frame 0xfffffe0616f8cab0
    Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0616f8cab0

* buffer overflow: bzero() 488 bytes

    bzero(*sched, sizeof(rijndael_ctx));

    rijndael128_zerokey() at rijndael128_zerokey+0x26/frame 0xfffffe0616f8c400
    swcr_freesession_locked() at swcr_freesession_locked+0x81/frame 0xfffffe0616f8c430
    swcr_freesession() at swcr_freesession+0x29/frame 0xfffffe0616f8c450
    crypto_freesession() at crypto_freesession+0xc1/frame 0xfffffe0616f8c490
    ah_zeroize() at ah_zeroize+0x2e/frame 0xfffffe0616f8c4b0
    esp_zeroize() at esp_zeroize+0xf/frame 0xfffffe0616f8c4d0
    key_cleansav() at key_cleansav+0x1c/frame 0xfffffe0616f8c4f0
    key_delsav() at key_delsav+0x5d/frame 0xfffffe0616f8c510
    _key_freesp() at _key_freesp+0xaf/frame 0xfffffe0616f8c550
    key_spdflush() at key_spdflush+0x1a7/frame 0xfffffe0616f8c5a0
    key_parse() at key_parse+0x8cd/frame 0xfffffe0616f8c790
    sosend_generic() at sosend_generic+0x42f/frame 0xfffffe0616f8c850
    kern_sendit() at kern_sendit+0x21b/frame 0xfffffe0616f8c900
    sendit() at sendit+0x126/frame 0xfffffe0616f8c950
    sys_sendto() at sys_sendto+0x4d/frame 0xfffffe0616f8c9a0
    amd64_syscall() at amd64_syscall+0x2de/frame 0xfffffe0616f8cab0
    Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0616f8cab0

-- 
You are receiving this mail because:
You are the assignee for the bug.
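The report boils down to a size mismatch between the allocation and the wipe: aes_icm_setkey() allocates a 260-byte struct aes_icm_ctx, but the session teardown reuses rijndael128_zerokey(), which zeroes sizeof(rijndael_ctx) (488 bytes), so the bzero() runs 228 bytes past the end of the allocation. The following user-space C program is an added illustration and is not the reporter's patch (attachment 162438) nor FreeBSD kernel code. It models the two context layouts so that their sizes come out to the 260 and 488 bytes quoted above (an assumption, since the real headers are not on this page), plants a 0xAA-filled tail behind a context, runs a rijndael-sized wipe against it, and counts how many tail bytes were clobbered. It then shows the ICM-specific zeroize one would expect the fix to introduce, which stays inside the allocation. The helper names tail_bytes_clobbered(), rijndael128_zerokey_wrong() and aes_icm_zerokey() are mine, not FreeBSD's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Layouts modelled on FreeBSD's rijndael_ctx and struct aes_icm_ctx.
 * Assumption: the field widths below are chosen so the sizes match the
 * 488- and 260-byte figures in the bug report; they are not copied from
 * the kernel headers.
 */
#define RIJNDAEL_MAXNR   14
#define AESICM_BLOCKSIZE 16

typedef struct {
    int      decrypt;
    int      Nr;                             /* number of rounds */
    uint32_t ek[4 * (RIJNDAEL_MAXNR + 1)];   /* encrypt key schedule */
    uint32_t dk[4 * (RIJNDAEL_MAXNR + 1)];   /* decrypt key schedule */
} rijndael_ctx;                              /* 8 + 240 + 240 = 488 bytes */

struct aes_icm_ctx {
    uint32_t ac_ek[4 * (RIJNDAEL_MAXNR + 1)]; /* encrypt schedule only */
    uint8_t  ac_block[AESICM_BLOCKSIZE];      /* counter block, starts as IV */
    int      ac_nr;
};                                            /* 240 + 16 + 4 = 260 bytes */

/* How far a rijndael-sized wipe overruns an aes_icm_ctx allocation. */
static size_t aes_icm_overrun_bytes(void)
{
    return sizeof(rijndael_ctx) - sizeof(struct aes_icm_ctx);
}

/*
 * Mirrors the sizing mistake in the report: the CBC zerokey routine is
 * reused for the ICM context, so it wipes sizeof(rijndael_ctx) regardless
 * of what was actually allocated. (The kernel version also frees the
 * buffer and clears the caller's pointer; that part is omitted here so the
 * memory can be inspected afterwards.)
 */
static void rijndael128_zerokey_wrong(uint8_t *sched)
{
    memset(sched, 0, sizeof(rijndael_ctx));
}

/* An ICM-specific zeroize sized to the ICM context. In user space prefer
 * explicit_bzero()/memset_s() so the compiler cannot drop the wipe. */
static void aes_icm_zerokey(uint8_t *sched)
{
    memset(sched, 0, sizeof(struct aes_icm_ctx));
}

/*
 * Run `zerokey` on a 260-byte context followed by a 0xAA-filled tail
 * and report how many tail bytes were overwritten. 0 means the wipe
 * stayed inside the allocation.
 */
static size_t tail_bytes_clobbered(void (*zerokey)(uint8_t *))
{
    size_t ctxlen  = sizeof(struct aes_icm_ctx);
    size_t taillen = sizeof(rijndael_ctx);   /* room for the worst case */
    uint8_t *buf   = malloc(ctxlen + taillen);
    size_t clobbered = 0;

    if (buf == NULL)
        return (size_t)-1;
    memset(buf, 0xAA, ctxlen + taillen);     /* constructed sentinel tail */
    zerokey(buf);                            /* context lives at buf[0..ctxlen) */
    for (size_t i = ctxlen; i < ctxlen + taillen; i++)
        if (buf[i] != 0xAA)
            clobbered++;
    free(buf);
    return clobbered;
}

int main(void)
{
    printf("sizeof(struct aes_icm_ctx) = %zu\n", sizeof(struct aes_icm_ctx));
    printf("sizeof(rijndael_ctx)       = %zu\n", sizeof(rijndael_ctx));
    printf("rijndael128_zerokey-style wipe overruns by %zu bytes\n",
           tail_bytes_clobbered(rijndael128_zerokey_wrong));
    printf("aes_icm_zerokey wipe overruns by %zu bytes\n",
           tail_bytes_clobbered(aes_icm_zerokey));
    return 0;
}
```

In the kernel the overrun lands in whatever M_CRYPTO_DATA neighbour follows the 260-byte chunk, which is why it surfaces only on teardown (the key_spdflush() path above) rather than at setkey time; the general check is that every zeroize/free routine in a transform table takes its length from the same type the matching setkey allocated, not from a sibling transform's context.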