crypto: lrw - Fix out-of bounds access on counter overflow

commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream. When the LRW block counter overflows, the current implementation returns 128 as the index to the precomputed multiplication table, which has 128 entries. This patch fixes it to return the correct value (127). Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode") Cc: <stable@vger.kernel.org> # 2.6.20+ Reported-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Ondrej Mosnacek <omosnace@redhat.com> 2018-09-13 10:51:31 +0200
committer: Moyster <oysterized@gmail.com> 2018-12-01 23:17:07 +0100
commit: dcd513d146724415cab84ce15d55cd11d99cd288 (patch)
tree: 55cc35b789287e202295d7281a5beb478a413573
parent: 6279909f88e857917903ef387c53bc8487c291e4 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/crypto/lrw.c b/crypto/lrw.c
index 6f9908a7e..d38a382b0 100644
--- a/crypto/lrw.c
+++ b/crypto/lrw.c
@@ -132,7 +132,12 @@ static inline int get_index128(be128 *block)
 		return x + ffz(val);
 	}
 
-	return x;
+	/*
+	 * If we get here, then x == 128 and we are incrementing the counter
+	 * from all ones to all zeros. This means we must return index 127, i.e.
+	 * the one corresponding to key2*{ 1,...,1 }.
+	 */
+	return 127;
 }
 
 static int crypt(struct blkcipher_desc *d,
author	Ondrej Mosnacek <omosnace@redhat.com>	2018-09-13 10:51:31 +0200
committer	Moyster <oysterized@gmail.com>	2018-12-01 23:17:07 +0100
commit	dcd513d146724415cab84ce15d55cd11d99cd288 (patch)
tree	55cc35b789287e202295d7281a5beb478a413573
parent	6279909f88e857917903ef387c53bc8487c291e4 (diff)