[Bug 204009] [patch] buffer overflow when zerokey in AES ICM

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Oct 25 09:27:01 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204009

            Bug ID: 204009
           Summary: [patch] buffer overflow when zerokey in AES ICM
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: luke.tw at gmail.com

Created attachment 162438
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=162438&action=edit
AES ICM zerokey patch

* buffer allocation: malloc() 260 bytes

sched = malloc(sizeof(struct aes_icm_ctx), M_CRYPTO_DATA, M_NOWAIT | M_ZERO);
aes_icm_setkey() at aes_icm_setkey+0x67/frame 0xfffffe0616f8c340
swcr_newsession() at swcr_newsession+0x3b8/frame 0xfffffe0616f8c390
crypto_newsession() at crypto_newsession+0x1e9/frame 0xfffffe0616f8c3e0
esp_init() at esp_init+0x308/frame 0xfffffe0616f8c480
key_setsaval() at key_setsaval+0x2ba/frame 0xfffffe0616f8c4c0
key_newsav() at key_newsav+0xe4/frame 0xfffffe0616f8c500
key_add() at key_add+0x51f/frame 0xfffffe0616f8c5a0
key_parse() at key_parse+0x8cd/frame 0xfffffe0616f8c790
sosend_generic() at sosend_generic+0x42f/frame 0xfffffe0616f8c850
kern_sendit() at kern_sendit+0x21b/frame 0xfffffe0616f8c900
sendit() at sendit+0x126/frame 0xfffffe0616f8c950
sys_sendto() at sys_sendto+0x4d/frame 0xfffffe0616f8c9a0
amd64_syscall() at amd64_syscall+0x2de/frame 0xfffffe0616f8cab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0616f8cab0


* buffer overflow: bzero() 488 bytes

bzero(*sched, sizeof(rijndael_ctx)); 
rijndael128_zerokey() at rijndael128_zerokey+0x26/frame 0xfffffe0616f8c400
swcr_freesession_locked() at swcr_freesession_locked+0x81/frame 0xfffffe0616f8c430
swcr_freesession() at swcr_freesession+0x29/frame 0xfffffe0616f8c450
crypto_freesession() at crypto_freesession+0xc1/frame 0xfffffe0616f8c490
ah_zeroize() at ah_zeroize+0x2e/frame 0xfffffe0616f8c4b0
esp_zeroize() at esp_zeroize+0xf/frame 0xfffffe0616f8c4d0
key_cleansav() at key_cleansav+0x1c/frame 0xfffffe0616f8c4f0
key_delsav() at key_delsav+0x5d/frame 0xfffffe0616f8c510
_key_freesp() at _key_freesp+0xaf/frame 0xfffffe0616f8c550
key_spdflush() at key_spdflush+0x1a7/frame 0xfffffe0616f8c5a0
key_parse() at key_parse+0x8cd/frame 0xfffffe0616f8c790
sosend_generic() at sosend_generic+0x42f/frame 0xfffffe0616f8c850
kern_sendit() at kern_sendit+0x21b/frame 0xfffffe0616f8c900
sendit() at sendit+0x126/frame 0xfffffe0616f8c950
sys_sendto() at sys_sendto+0x4d/frame 0xfffffe0616f8c9a0
amd64_syscall() at amd64_syscall+0x2de/frame 0xfffffe0616f8cab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0616f8cab0

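The size mismatch the report describes, reproduced in user space as an added example (this is not code from the bug report, the attached patch, or the FreeBSD kernel). The two struct layouts are assumptions chosen only to reproduce the sizes the report gives (260 bytes for struct aes_icm_ctx allocated in aes_icm_setkey(), 488 bytes for rijndael_ctx zeroed in rijndael128_zerokey()); the helper names vulnerable_zerokey, fixed_zerokey, overrun_bytes and canary_survives are illustrative, memset() stands in for the kernel's bzero(), and the free() that the real zerokey routine performs is left to the caller. The backing buffer is deliberately oversized so the demonstration itself stays memory-safe; in the kernel the same 228-byte write lands in whatever follows the 260-byte malloc(9) chunk.

```c
/* Added example modelling FreeBSD bug 204009, not the kernel's own code.
 * Layouts below are assumptions that reproduce the reported sizes. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RIJNDAEL_MAXNR   14
#define AESICM_BLOCKSIZE 16

/* Assumed layout: 4 + 4 + 240 + 240 = 488 bytes, matching the report. */
typedef struct {
    int      decrypt;
    int      Nr;
    uint32_t ek[4 * (RIJNDAEL_MAXNR + 1)];
    uint32_t dk[4 * (RIJNDAEL_MAXNR + 1)];
} rijndael_ctx;

/* Assumed layout: 240 + 16 + 4 = 260 bytes, matching the report. */
struct aes_icm_ctx {
    uint32_t ac_ek[4 * (RIJNDAEL_MAXNR + 1)];
    uint8_t  ac_block[AESICM_BLOCKSIZE];
    int      ac_nr;
};

/* Mirrors the reported defect: the AES-ICM key schedule is wiped with the
 * rijndael_ctx size, overrunning the 260-byte allocation by 228 bytes. */
void vulnerable_zerokey(uint8_t **sched)
{
    memset(*sched, 0, sizeof(rijndael_ctx));
}

/* Wipes exactly what aes_icm_setkey() allocated. */
void fixed_zerokey(uint8_t **sched)
{
    memset(*sched, 0, sizeof(struct aes_icm_ctx));
}

/* Number of bytes written past the end of the allocation by the bug. */
size_t overrun_bytes(void)
{
    return sizeof(rijndael_ctx) - sizeof(struct aes_icm_ctx);
}

/* Places a 0xAA canary directly after a 260-byte "allocation" inside an
 * oversized buffer, runs the given zerokey routine, and reports whether the
 * canary survived: 1 = intact, 0 = clobbered, -1 = malloc failure. */
int canary_survives(void (*zerokey)(uint8_t **))
{
    const size_t alloc = sizeof(struct aes_icm_ctx);
    const size_t total = sizeof(rijndael_ctx) + 64;   /* room for the overrun */
    uint8_t *buf = malloc(total);
    if (buf == NULL)
        return -1;

    memset(buf, 0x11, alloc);                  /* stand-in key schedule */
    memset(buf + alloc, 0xAA, total - alloc);  /* canary past the allocation */

    uint8_t *sched = buf;
    zerokey(&sched);

    int intact = 1;
    for (size_t i = alloc; i < total; i++) {
        if (buf[i] != 0xAA) {
            intact = 0;
            break;
        }
    }
    free(buf);
    return intact;
}

int main(void)
{
    printf("sizeof(struct aes_icm_ctx) = %zu, sizeof(rijndael_ctx) = %zu, overrun = %zu\n",
           sizeof(struct aes_icm_ctx), sizeof(rijndael_ctx), overrun_bytes());
    printf("vulnerable zerokey leaves canary intact: %d\n", canary_survives(vulnerable_zerokey));
    printf("fixed zerokey leaves canary intact:      %d\n", canary_survives(fixed_zerokey));
    return 0;
}
```

The general check this illustrates: a zeroize or free routine must use the same size as the matching allocation, so the safe pattern is to pair each xform's setkey with its own zerokey (sizing the wipe by the context type actually allocated) rather than reusing another algorithm's zerokey whose context type is larger.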