linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Re: [PATCH 4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
  2020-03-05  8:50 [PATCH 4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async yangerkun
@ 2020-03-05  8:25 ` yangerkun
  0 siblings, 0 replies; 3+ messages in thread
From: yangerkun @ 2020-03-05  8:25 UTC (permalink / raw)
  To: gregkh, herbert; +Cc: stable, linux-crypto, yangerkun

Drop this, the attach call trace is wrong...

I am so sorry for this. Will send v2.

On 2020/3/5 16:50, yangerkun wrote:
> Nowdays, we trigger a oops:
> ...
> kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000
> ...
>   [<ffffffff8114ab47>] do_async_page_fault+0x37/0xb0 x86/../arch/x86/kernel/kvm.c:266
>   [<ffffffff828b4a48>] async_page_fault+0x28/0x30 x86/../arch/x86/entry/entry_64.S:1043
>   [<ffffffff81b47c2a>] iov_iter_zero+0x15a/0x850 x86/../lib/iov_iter.c:445
>   [<ffffffff81e8ca2f>] read_iter_zero+0xcf/0x1b0 x86/../drivers/char/mem.c:708
>   [<ffffffff816ea7c8>] do_iter_readv_writev x86/../fs/read_write.c:679 [inline]
>   [<ffffffff816ea7c8>] do_readv_writev+0x448/0x8e0 x86/../fs/read_write.c:823
>   [<ffffffff816eacdf>] vfs_readv+0x7f/0xb0 x86/../fs/read_write.c:849
>   [<ffffffff816edac3>] SYSC_preadv x86/../fs/read_write.c:927 [inline]
>   [<ffffffff816edac3>] SyS_preadv+0x193/0x240 x86/../fs/read_write.c:913
>   [<ffffffff828b3261>] entry_SYSCALL_64_fastpath+0x1e/0x9a
>
> In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
> calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
> the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR.
>
> This function was introduced with ' commit a596999b7ddf ("crypto:
> algif - change algif_skcipher to be asynchronous")', and has been removed
> with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
> management")'.
>
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: yangerkun <yangerkun@huawei.com>
> ---
>   crypto/algif_skcipher.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
> index d12782dc9683..9bd4691cc5c5 100644
> --- a/crypto/algif_skcipher.c
> +++ b/crypto/algif_skcipher.c
> @@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
>   	lock_sock(sk);
>   	tx_nents = skcipher_all_sg_nents(ctx);
>   	sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
> -	if (unlikely(!sreq->tsg))
> +	if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
>   		goto unlock;
>   	sg_init_table(sreq->tsg, tx_nents);
>   	memcpy(iv, ctx->iv, ivsize);


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH 4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
@ 2020-03-05  8:50 yangerkun
  2020-03-05  8:25 ` yangerkun
  0 siblings, 1 reply; 3+ messages in thread
From: yangerkun @ 2020-03-05  8:50 UTC (permalink / raw)
  To: gregkh, herbert; +Cc: stable, linux-crypto, yangerkun

Nowdays, we trigger a oops:
...
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000
...
 [<ffffffff8114ab47>] do_async_page_fault+0x37/0xb0 x86/../arch/x86/kernel/kvm.c:266
 [<ffffffff828b4a48>] async_page_fault+0x28/0x30 x86/../arch/x86/entry/entry_64.S:1043
 [<ffffffff81b47c2a>] iov_iter_zero+0x15a/0x850 x86/../lib/iov_iter.c:445
 [<ffffffff81e8ca2f>] read_iter_zero+0xcf/0x1b0 x86/../drivers/char/mem.c:708
 [<ffffffff816ea7c8>] do_iter_readv_writev x86/../fs/read_write.c:679 [inline]
 [<ffffffff816ea7c8>] do_readv_writev+0x448/0x8e0 x86/../fs/read_write.c:823
 [<ffffffff816eacdf>] vfs_readv+0x7f/0xb0 x86/../fs/read_write.c:849
 [<ffffffff816edac3>] SYSC_preadv x86/../fs/read_write.c:927 [inline]
 [<ffffffff816edac3>] SyS_preadv+0x193/0x240 x86/../fs/read_write.c:913
 [<ffffffff828b3261>] entry_SYSCALL_64_fastpath+0x1e/0x9a

In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR.

This function was introduced with ' commit a596999b7ddf ("crypto:
algif - change algif_skcipher to be asynchronous")', and has been removed
with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
management")'.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: yangerkun <yangerkun@huawei.com>
---
 crypto/algif_skcipher.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index d12782dc9683..9bd4691cc5c5 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
 	lock_sock(sk);
 	tx_nents = skcipher_all_sg_nents(ctx);
 	sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
-	if (unlikely(!sreq->tsg))
+	if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
 		goto unlock;
 	sg_init_table(sreq->tsg, tx_nents);
 	memcpy(iv, ctx->iv, ivsize);
-- 
2.17.2


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH 4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
@ 2020-03-05  8:50 yangerkun
  0 siblings, 0 replies; 3+ messages in thread
From: yangerkun @ 2020-03-05  8:50 UTC (permalink / raw)
  To: gregkh, herbert; +Cc: stable, linux-crypto

Nowdays, we trigger a oops:
...
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000
...
 [<ffffffff8114ab47>] do_async_page_fault+0x37/0xb0 x86/../arch/x86/kernel/kvm.c:266
 [<ffffffff828b4a48>] async_page_fault+0x28/0x30 x86/../arch/x86/entry/entry_64.S:1043
 [<ffffffff81b47c2a>] iov_iter_zero+0x15a/0x850 x86/../lib/iov_iter.c:445
 [<ffffffff81e8ca2f>] read_iter_zero+0xcf/0x1b0 x86/../drivers/char/mem.c:708
 [<ffffffff816ea7c8>] do_iter_readv_writev x86/../fs/read_write.c:679 [inline]
 [<ffffffff816ea7c8>] do_readv_writev+0x448/0x8e0 x86/../fs/read_write.c:823
 [<ffffffff816eacdf>] vfs_readv+0x7f/0xb0 x86/../fs/read_write.c:849
 [<ffffffff816edac3>] SYSC_preadv x86/../fs/read_write.c:927 [inline]
 [<ffffffff816edac3>] SyS_preadv+0x193/0x240 x86/../fs/read_write.c:913
 [<ffffffff828b3261>] entry_SYSCALL_64_fastpath+0x1e/0x9a

In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR.

This function was introduced with ' commit a596999b7ddf ("crypto:
algif - change algif_skcipher to be asynchronous")', and has been removed
with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
management")'.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: yangerkun <yangerkun@huawei.com>
---
 crypto/algif_skcipher.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index d12782dc9683..9bd4691cc5c5 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
 	lock_sock(sk);
 	tx_nents = skcipher_all_sg_nents(ctx);
 	sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
-	if (unlikely(!sreq->tsg))
+	if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
 		goto unlock;
 	sg_init_table(sreq->tsg, tx_nents);
 	memcpy(iv, ctx->iv, ivsize);
-- 
2.17.2


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-03-05  8:26 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-05  8:50 [PATCH 4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async yangerkun
2020-03-05  8:25 ` yangerkun
  -- strict thread matches above, loose matches on Subject: below --
2020-03-05  8:50 yangerkun

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).