CVE-2015-3331

The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket.

Severity: CRITICAL (9.3)

References:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
SUSE-SU-2015:1478
SUSE-SU-2015:1478
SUSE-SU-2015:1487
SUSE-SU-2015:1487
SUSE-SU-2015:1488
SUSE-SU-2015:1488
SUSE-SU-2015:1489
SUSE-SU-2015:1489
SUSE-SU-2015:1491
SUSE-SU-2015:1491
RHSA-2015:1081
RHSA-2015:1081
RHSA-2015:1199
RHSA-2015:1199
DSA-3237
DSA-3237
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.19.3
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.19.3
[oss-security] 20150414 Buffer overruns in Linux kernel RFC4106 implementation using AESNI
[oss-security] 20150414 Buffer overruns in Linux kernel RFC4106 implementation using AESNI
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
1032416
1032416
USN-2631-1
USN-2631-1
USN-2632-1
USN-2632-1
https://bugzilla.redhat.com/show_bug.cgi?id=1213322
https://bugzilla.redhat.com/show_bug.cgi?id=1213322
https://github.com/torvalds/linux/commit/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
https://github.com/torvalds/linux/commit/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a

Version: 2.1.0

Branch t7 update on 2015-04-15

ALT-BU-2015-2412-1

ALT-PU-2015-1380-1

Closed vulnerabilities

CVE-2015-3331