Bugzilla – Bug 1035673
VUL-0: CVE-2017-8065: kernel-source: crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CON...
Last modified: 2017-04-24 10:46:11 UTC
CVE-2017-8065

crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8065
https://github.com/torvalds/linux/commit/3b30460c5b0ed762be75a004e924ec3f8711e032
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b30460c5b0ed762be75a004e924ec3f8711e032
Only in 4.11 RCs when I read the Fixes line right.

crypto: ccm - move cbcmac input off the stack

Commit f15f05b ("crypto: ccm - switch to separate cbcmac driver") refactored the CCM driver to allow separate implementations of the underlying MAC to be provided by a platform. However, in doing so, it moved some data from the linear region to the stack, which violates the SG constraints when the stack is virtually mapped.

So move idata/odata back to the request ctx struct, of which we can reasonably expect that it has been allocated using kmalloc() et al.

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Fixes: f15f05b ("crypto: ccm - switch to separate cbcmac driver")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
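
The SG constraint named in the commit message, as a simplified userspace model (an added example, not kernel code and not part of this bug report): it compares a buffer in the linear region with one on a virtually mapped stack when each is described by a single scatterlist entry. The base addresses, page-table contents, buffer sizes and function names are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define PAGE_SIZE   4096u
#define LINEAR_BASE 0x100000000ull /* constructed: start of modelled linear map */
#define VMAP_BASE   0x200000000ull /* constructed: start of modelled vmap area */
#define VMAP_PAGES  4

/* Constructed page table: consecutive virtual pages of the vmap area are
 * backed by unrelated physical frames (only pages 2 and 3 happen to adjoin). */
static const uint64_t vmap_pfn[VMAP_PAGES] = { 0x9a1, 0x173, 0x5c0, 0x5c1 };

/* Only linear-map addresses translate to physical ones by plain arithmetic. */
static int in_linear_map(uint64_t va)
{
    return va >= LINEAR_BASE && va < VMAP_BASE;
}

/* True physical address of a byte in either modelled region. */
static uint64_t real_phys(uint64_t va)
{
    if (in_linear_map(va))
        return va - LINEAR_BASE;
    uint64_t off = va - VMAP_BASE;
    return vmap_pfn[(off / PAGE_SIZE) % VMAP_PAGES] * PAGE_SIZE + off % PAGE_SIZE;
}

/* A single scatterlist entry assumes byte i lives at phys(byte 0) + i.
 * Count the bytes for which that assumption is false. */
static size_t misdirected_bytes(uint64_t va, size_t len)
{
    uint64_t base = real_phys(va);
    size_t bad = 0;
    for (size_t i = 0; i < len; i++)
        bad += real_phys(va + i) != base + i;
    return bad;
}

/* Defensive check before building the entry: the whole buffer must be linear. */
static int sg_buf_ok(uint64_t va, size_t len)
{
    return len > 0 && in_linear_map(va) && in_linear_map(va + len - 1);
}

int main(void)
{
    uint64_t heap = LINEAR_BASE + PAGE_SIZE - 16, stack = VMAP_BASE + PAGE_SIZE - 16;
    printf("ctx buffer:   ok=%d misdirected=%zu\n", sg_buf_ok(heap, 32), misdirected_bytes(heap, 32));
    printf("stack buffer: ok=%d misdirected=%zu\n", sg_buf_ok(stack, 32), misdirected_bytes(stack, 32));
    return 0;
}
```

In this model a stack buffer that straddles pages 2 and 3 has no misdirected bytes only because those frames happen to be adjacent, which is why the check rejects any buffer outside the linear region rather than testing contiguity.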