File fix-out-of-bounds-write-in-aes-gcm.patch of Package libica.10421
From cf5b6d1a13e4fedc0ef90905b835bf4235ed18e5 Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Mon, 26 Feb 2018 20:18:36 +0000
Subject: [PATCH] fix out-of-bounds write in aes-gcm
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
src/fips.c | 2 +-
src/include/s390_gcm.h | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/fips.c b/src/fips.c
index 4b0e64f..d09a553 100644
--- a/src/fips.c
+++ b/src/fips.c
@@ -443,7 +443,7 @@ aes_gcm_kat(void) {
goto _err_;
memset(tag, 0, AES_BLKSIZE);
- memset(out, 0, AES_BLKSIZE);
+ memset(out, 0, tv->len);
memset(icb, 0, sizeof(icb));
memset(icb, 0, sizeof(ucb));
memset(subkey, 0, sizeof(subkey));
diff --git a/src/include/s390_gcm.h b/src/include/s390_gcm.h
index e856a1c..849de3b 100644
--- a/src/include/s390_gcm.h
+++ b/src/include/s390_gcm.h
@@ -405,13 +405,14 @@ static inline int s390_gcm(unsigned int function_code,
tag, tag_length, 1, 1);
} else {
/* encrypt */
- memset(tag, 0, AES_BLOCK_SIZE);
+ memset(tmp_tag, 0, AES_BLOCK_SIZE);
rc = s390_aes_gcm(function_code,
plaintext, ciphertext, text_length,
key, j0, GCM_CTR_WIDTH,
tmp_ctr, GCM_CTR_WIDTH,
aad, aad_length, subkey_h,
- tag, tag_length, 1, 1);
+ tmp_tag, tag_length, 1, 1);
+ memcpy(tag, tmp_tag, tag_length);
}
return rc;
--
2.13.7