* [PATCH 1/2] block: drbd: Fix a possible null-pointer dereference in receive_protocol()
@ 2019-07-24 3:49 Jia-Ju Bai
2019-07-24 11:48 ` Roland Kammerer
0 siblings, 1 reply; 2+ messages in thread
From: Jia-Ju Bai @ 2019-07-24 3:49 UTC (permalink / raw)
To: philipp.reisner, lars.ellenberg, axboe
Cc: drbd-dev, linux-block, linux-kernel, Jia-Ju Bai
In receive_protocol(), when crypto_alloc_shash() on line 3754 fails,
peer_integrity_tfm is NULL, and error handling code is executed.
In this code, crypto_free_shash() is called with NULL, which can cause a
null-pointer dereference, because:
crypto_free_shash(NULL)
crypto_ahash_tfm(NULL)
"return &NULL->base"
To fix this bug, peer_integrity_tfm is checked before calling
crypto_free_shash().
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
drivers/block/drbd/drbd_receiver.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 90ebfcae0ce6..a4df2b8291f6 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -3807,7 +3807,8 @@ static int receive_protocol(struct drbd_connection *connection, struct packet_in
disconnect_rcu_unlock:
rcu_read_unlock();
disconnect:
- crypto_free_shash(peer_integrity_tfm);
+ if (peer_integrity_tfm)
+ crypto_free_shash(peer_integrity_tfm);
kfree(int_dig_in);
kfree(int_dig_vv);
conn_request_state(connection, NS(conn, C_DISCONNECTING), CS_HARD);
--
2.17.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH 1/2] block: drbd: Fix a possible null-pointer dereference in receive_protocol()
2019-07-24 3:49 [PATCH 1/2] block: drbd: Fix a possible null-pointer dereference in receive_protocol() Jia-Ju Bai
@ 2019-07-24 11:48 ` Roland Kammerer
0 siblings, 0 replies; 2+ messages in thread
From: Roland Kammerer @ 2019-07-24 11:48 UTC (permalink / raw)
To: Jia-Ju Bai
Cc: philipp.reisner, lars.ellenberg, axboe, drbd-dev, linux-block,
linux-kernel, Jia-Ju Bai
On Wed, Jul 24, 2019 at 11:49:16AM +0800, Jia-Ju Bai wrote:
> In receive_protocol(), when crypto_alloc_shash() on line 3754 fails,
> peer_integrity_tfm is NULL, and error handling code is executed.
> In this code, crypto_free_shash() is called with NULL, which can cause a
> null-pointer dereference, because:
> crypto_free_shash(NULL)
> crypto_ahash_tfm(NULL)
> "return &NULL->base"
>
> To fix this bug, peer_integrity_tfm is checked before calling
> crypto_free_shash().
>
> This bug is found by a static analysis tool STCheck written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reviewed-by: Roland Kammerer <roland.kammerer@linbit.com>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-07-24 11:48 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-24 3:49 [PATCH 1/2] block: drbd: Fix a possible null-pointer dereference in receive_protocol() Jia-Ju Bai
2019-07-24 11:48 ` Roland Kammerer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).