* [PATCH 4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
@ 2020-03-05 8:50 yangerkun
2020-03-05 8:25 ` yangerkun
0 siblings, 1 reply; 3+ messages in thread
From: yangerkun @ 2020-03-05 8:50 UTC (permalink / raw)
To: gregkh, herbert; +Cc: stable, linux-crypto, yangerkun
Nowdays, we trigger a oops:
...
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000
...
[<ffffffff8114ab47>] do_async_page_fault+0x37/0xb0 x86/../arch/x86/kernel/kvm.c:266
[<ffffffff828b4a48>] async_page_fault+0x28/0x30 x86/../arch/x86/entry/entry_64.S:1043
[<ffffffff81b47c2a>] iov_iter_zero+0x15a/0x850 x86/../lib/iov_iter.c:445
[<ffffffff81e8ca2f>] read_iter_zero+0xcf/0x1b0 x86/../drivers/char/mem.c:708
[<ffffffff816ea7c8>] do_iter_readv_writev x86/../fs/read_write.c:679 [inline]
[<ffffffff816ea7c8>] do_readv_writev+0x448/0x8e0 x86/../fs/read_write.c:823
[<ffffffff816eacdf>] vfs_readv+0x7f/0xb0 x86/../fs/read_write.c:849
[<ffffffff816edac3>] SYSC_preadv x86/../fs/read_write.c:927 [inline]
[<ffffffff816edac3>] SyS_preadv+0x193/0x240 x86/../fs/read_write.c:913
[<ffffffff828b3261>] entry_SYSCALL_64_fastpath+0x1e/0x9a
In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR.
This function was introduced with ' commit a596999b7ddf ("crypto:
algif - change algif_skcipher to be asynchronous")', and has been removed
with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
management")'.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: yangerkun <yangerkun@huawei.com>
---
crypto/algif_skcipher.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index d12782dc9683..9bd4691cc5c5 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
lock_sock(sk);
tx_nents = skcipher_all_sg_nents(ctx);
sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
- if (unlikely(!sreq->tsg))
+ if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
goto unlock;
sg_init_table(sreq->tsg, tx_nents);
memcpy(iv, ctx->iv, ivsize);
--
2.17.2
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH 4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
2020-03-05 8:50 [PATCH 4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async yangerkun
@ 2020-03-05 8:25 ` yangerkun
0 siblings, 0 replies; 3+ messages in thread
From: yangerkun @ 2020-03-05 8:25 UTC (permalink / raw)
To: gregkh, herbert; +Cc: stable, linux-crypto, yangerkun
Drop this, the attach call trace is wrong...
I am so sorry for this. Will send v2.
On 2020/3/5 16:50, yangerkun wrote:
> Nowdays, we trigger a oops:
> ...
> kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000
> ...
> [<ffffffff8114ab47>] do_async_page_fault+0x37/0xb0 x86/../arch/x86/kernel/kvm.c:266
> [<ffffffff828b4a48>] async_page_fault+0x28/0x30 x86/../arch/x86/entry/entry_64.S:1043
> [<ffffffff81b47c2a>] iov_iter_zero+0x15a/0x850 x86/../lib/iov_iter.c:445
> [<ffffffff81e8ca2f>] read_iter_zero+0xcf/0x1b0 x86/../drivers/char/mem.c:708
> [<ffffffff816ea7c8>] do_iter_readv_writev x86/../fs/read_write.c:679 [inline]
> [<ffffffff816ea7c8>] do_readv_writev+0x448/0x8e0 x86/../fs/read_write.c:823
> [<ffffffff816eacdf>] vfs_readv+0x7f/0xb0 x86/../fs/read_write.c:849
> [<ffffffff816edac3>] SYSC_preadv x86/../fs/read_write.c:927 [inline]
> [<ffffffff816edac3>] SyS_preadv+0x193/0x240 x86/../fs/read_write.c:913
> [<ffffffff828b3261>] entry_SYSCALL_64_fastpath+0x1e/0x9a
>
> In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
> calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
> the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR.
>
> This function was introduced with ' commit a596999b7ddf ("crypto:
> algif - change algif_skcipher to be asynchronous")', and has been removed
> with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
> management")'.
>
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: yangerkun <yangerkun@huawei.com>
> ---
> crypto/algif_skcipher.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
> index d12782dc9683..9bd4691cc5c5 100644
> --- a/crypto/algif_skcipher.c
> +++ b/crypto/algif_skcipher.c
> @@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
> lock_sock(sk);
> tx_nents = skcipher_all_sg_nents(ctx);
> sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
> - if (unlikely(!sreq->tsg))
> + if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
> goto unlock;
> sg_init_table(sreq->tsg, tx_nents);
> memcpy(iv, ctx->iv, ivsize);
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
@ 2020-03-05 8:50 yangerkun
0 siblings, 0 replies; 3+ messages in thread
From: yangerkun @ 2020-03-05 8:50 UTC (permalink / raw)
To: gregkh, herbert; +Cc: stable, linux-crypto
Nowdays, we trigger a oops:
...
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000
...
[<ffffffff8114ab47>] do_async_page_fault+0x37/0xb0 x86/../arch/x86/kernel/kvm.c:266
[<ffffffff828b4a48>] async_page_fault+0x28/0x30 x86/../arch/x86/entry/entry_64.S:1043
[<ffffffff81b47c2a>] iov_iter_zero+0x15a/0x850 x86/../lib/iov_iter.c:445
[<ffffffff81e8ca2f>] read_iter_zero+0xcf/0x1b0 x86/../drivers/char/mem.c:708
[<ffffffff816ea7c8>] do_iter_readv_writev x86/../fs/read_write.c:679 [inline]
[<ffffffff816ea7c8>] do_readv_writev+0x448/0x8e0 x86/../fs/read_write.c:823
[<ffffffff816eacdf>] vfs_readv+0x7f/0xb0 x86/../fs/read_write.c:849
[<ffffffff816edac3>] SYSC_preadv x86/../fs/read_write.c:927 [inline]
[<ffffffff816edac3>] SyS_preadv+0x193/0x240 x86/../fs/read_write.c:913
[<ffffffff828b3261>] entry_SYSCALL_64_fastpath+0x1e/0x9a
In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR.
This function was introduced with ' commit a596999b7ddf ("crypto:
algif - change algif_skcipher to be asynchronous")', and has been removed
with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
management")'.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: yangerkun <yangerkun@huawei.com>
---
crypto/algif_skcipher.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index d12782dc9683..9bd4691cc5c5 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
lock_sock(sk);
tx_nents = skcipher_all_sg_nents(ctx);
sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
- if (unlikely(!sreq->tsg))
+ if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
goto unlock;
sg_init_table(sreq->tsg, tx_nents);
memcpy(iv, ctx->iv, ivsize);
--
2.17.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-03-05 8:26 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-05 8:50 [PATCH 4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async yangerkun
2020-03-05 8:25 ` yangerkun
-- strict thread matches above, loose matches on Subject: below --
2020-03-05 8:50 yangerkun
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).