* [PATCH] net: ceph: Fix a possible null-pointer dereference in ceph_crypto_key_destroy()
@ 2019-07-24 9:43 Jia-Ju Bai
2019-07-30 9:41 ` Ilya Dryomov
0 siblings, 1 reply; 2+ messages in thread
From: Jia-Ju Bai @ 2019-07-24 9:43 UTC (permalink / raw)
To: idryomov, jlayton, sage, davem
Cc: ceph-devel, netdev, linux-kernel, Jia-Ju Bai
In set_secret(), key->tfm is assigned to NULL on line 55, and then
ceph_crypto_key_destroy(key) is executed.
ceph_crypto_key_destroy(key)
crypto_free_sync_skcipher(key->tfm)
crypto_skcipher_tfm(tfm)
return &tfm->base;
Thus, a possible null-pointer dereference may occur.
To fix this bug, key->tfm is checked before calling
crypto_free_sync_skcipher().
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
net/ceph/crypto.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
index 5d6724cee38f..ac28463bcfd8 100644
--- a/net/ceph/crypto.c
+++ b/net/ceph/crypto.c
@@ -136,7 +136,8 @@ void ceph_crypto_key_destroy(struct ceph_crypto_key *key)
if (key) {
kfree(key->key);
key->key = NULL;
- crypto_free_sync_skcipher(key->tfm);
+ if (key->tfm)
+ crypto_free_sync_skcipher(key->tfm);
key->tfm = NULL;
}
}
--
2.17.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] net: ceph: Fix a possible null-pointer dereference in ceph_crypto_key_destroy()
2019-07-24 9:43 [PATCH] net: ceph: Fix a possible null-pointer dereference in ceph_crypto_key_destroy() Jia-Ju Bai
@ 2019-07-30 9:41 ` Ilya Dryomov
0 siblings, 0 replies; 2+ messages in thread
From: Ilya Dryomov @ 2019-07-30 9:41 UTC (permalink / raw)
To: Jia-Ju Bai
Cc: Jeff Layton, Sage Weil, David S. Miller, Ceph Development, netdev, LKML
On Wed, Jul 24, 2019 at 11:43 AM Jia-Ju Bai <baijiaju1990@gmail.com> wrote:
>
> In set_secret(), key->tfm is assigned to NULL on line 55, and then
> ceph_crypto_key_destroy(key) is executed.
>
> ceph_crypto_key_destroy(key)
> crypto_free_sync_skcipher(key->tfm)
> crypto_skcipher_tfm(tfm)
> return &tfm->base;
>
> Thus, a possible null-pointer dereference may occur.
>
> To fix this bug, key->tfm is checked before calling
> crypto_free_sync_skcipher().
>
> This bug is found by a static analysis tool STCheck written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> ---
> net/ceph/crypto.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
> index 5d6724cee38f..ac28463bcfd8 100644
> --- a/net/ceph/crypto.c
> +++ b/net/ceph/crypto.c
> @@ -136,7 +136,8 @@ void ceph_crypto_key_destroy(struct ceph_crypto_key *key)
> if (key) {
> kfree(key->key);
> key->key = NULL;
> - crypto_free_sync_skcipher(key->tfm);
> + if (key->tfm)
> + crypto_free_sync_skcipher(key->tfm);
> key->tfm = NULL;
> }
> }
Hi Jia-Ju,
Yeah, looks like the only reason this continued to work after
69d6302b65a8 ("libceph: Remove VLA usage of skcipher") is because
crypto_sync_skcipher is a trivial wrapper around crypto_skcipher
added just for type checking AFAICT.
struct crypto_sync_skcipher {
struct crypto_skcipher base;
};
Before that ceph_crypto_key_destroy() used crypto_free_skcipher(),
which is safe to call on a NULL tfm.
Applied with a slight modification -- I moved key->tfm = NULL under
the new if and amended the changelog.
https://github.com/ceph/ceph-client/commit/b3d79916ff99074d289d66f1643b423ae0008c50
Thanks,
Ilya
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-07-30 9:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-24 9:43 [PATCH] net: ceph: Fix a possible null-pointer dereference in ceph_crypto_key_destroy() Jia-Ju Bai
2019-07-30 9:41 ` Ilya Dryomov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).