Linux kernel commit ccfe8c3f7e52 ("crypto: aesni - fix memory usage in
GCM decryption") fixes two bugs in pointer arithmetic that lead to
buffer overruns (even with valid parameters!):
https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
These are described as resulting in DoS (local or remote), but are
presumably also exploitable for privilege escalation.
The bugs appear to have been introduced by commit 0bd82f5f6355 ("crypto:
aesni-intel - RFC4106 AES-GCM Driver Using Intel New Instructions") in
Linux 2.6.38.
The above fix is included in Linux 4.0 and the following stable updates:
v3.10.73: 31c06b946ce6 crypto: aesni - fix memory usage in GCM decryption
v3.12.40: 0585664d1732 crypto: aesni - fix memory usage in GCM decryption
v3.14.37: e9b15363c101 crypto: aesni - fix memory usage in GCM decryption
v3.18.11: 3b389956156c crypto: aesni - fix memory usage in GCM decryption
v3.19.3: b90935f1d9a0 crypto: aesni - fix memory usage in GCM decryption
v3.13.11-ckt19: 40e073009626 crypto: aesni - fix memory usage in GCM decryption
Please assign a CVE ID for this.
Ben.
--
Ben Hutchings
Editing code like this is akin to sticking plasters on the bleeding stump
of a severed limb. - me, 29 June 1999
Attachment:
signature.asc
Description: This is a digitally signed message part