Date: Tue, 21 Apr 2015 02:31:47 +0100
From: Ben Hutchings <>
To: oss-security <>
Subject: Re: Buffer overruns in Linux kernel RFC4106 implementation using

On Tue, 2015-04-14 at 21:46 +0100, Ben Hutchings wrote:
> Linux kernel commit ccfe8c3f7e52 ("crypto: aesni - fix memory usage in
> GCM decryption") fixes two bugs in pointer arithmetic that lead to
> buffer overruns (even with valid parameters!):
> These are described as resulting in DoS (local or remote), but are
> presumably also exploitable for privilege escalation.
> The bugs appear to have been introduced by commit 0bd82f5f6355 ("crypto:
> aesni-intel - RFC4106 AES-GCM Driver Using Intel New Instructions") in
> Linux 2.6.38.

After some discussion of these bugs, I'd like to provide my current
understanding of the attack vectors.  I haven't reproduced the bug or
analysed the code myself; this is only based on what I've been told.

- The affected code paths are reachable through AF_ALG, but only using
  the algif_aead module which has not been included in any released
  kernel.  The module and the fix will be part of Linux 4.1.  So this
  attack vector can be largely ignored.

- The kernel developers thought that these code paths were not used for
  decrypting packets for IPsec tunnels.  However, they are if a packet
  is reassembled from IP fragments.  This really does cause DoS,
  confirmed in <>.


Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
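
The preconditions named in the message above, turned into a host exposure check. This is an added example, not part of the original post or of the kernel: the function names and sample data are hypothetical, and the `rfc4106-gcm-aesni` driver name and the `/proc/crypto`, `ip xfrm state` and `/proc/modules` layouts are assumed from mainline Linux.

```python
import re

# Constructed samples (not captured from a real host), in the layouts of
# /proc/crypto, `ip xfrm state` and /proc/modules.
SAMPLE_PROC_CRYPTO = """\
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
type         : aead

name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
type         : ablkcipher
"""
SAMPLE_XFRM = """\
src 192.0.2.1 dst 192.0.2.2
\tproto esp spi 0x00000001 reqid 1 mode tunnel
\taead rfc4106(gcm(aes)) 0x00 128
"""
SAMPLE_MODULES = "aesni_intel 172032 2 - Live 0x0000000000000000\n"


def parse_proc_crypto(text):
    """Split /proc/crypto into one dict per registered algorithm."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(
            (k.strip(), v.strip())
            for k, v in (l.split(":", 1) for l in block.splitlines() if ":" in l)
        )
        if fields:
            entries.append(fields)
    return entries


def exposure(proc_crypto, xfrm_state, modules):
    """Report which preconditions from the message hold on this host."""
    aesni = any(
        e.get("name") == "rfc4106(gcm(aes))"
        and ("aesni" in e.get("driver", "") or e.get("module") == "aesni_intel")
        for e in parse_proc_crypto(proc_crypto)
    )  # the AES-NI RFC4106 driver is registered
    ipsec = bool(re.search(r"^\s*aead\s+rfc4106\(gcm\(aes\)\)", xfrm_state, re.M))
    af_alg = any(l.split()[0] == "algif_aead" for l in modules.splitlines() if l.strip())
    return {"aesni_rfc4106": aesni, "ipsec_sa_rfc4106": ipsec,
            "algif_aead": af_alg, "ipsec_path_exposed": aesni and ipsec}
```

On a live host, pass the contents of `/proc/crypto`, the output of `ip xfrm state` and the contents of `/proc/modules`. The result reports only whether the preconditions are present; whether commit ccfe8c3f7e52 is applied has to be confirmed against the kernel's own changelog.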
