From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ard Biesheuvel <ardb@kernel.org>,
syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com,
Eric Biggers <ebiggers@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Sasha Levin <sashal@kernel.org>,
linux-crypto@vger.kernel.org
Subject: [PATCH AUTOSEL 5.12 08/79] crypto: api - check for ERR pointers in crypto_destroy_tfm()
Date: Sun, 2 May 2021 10:02:05 -0400 [thread overview]
Message-ID: <20210502140316.2718705-8-sashal@kernel.org> (raw)
In-Reply-To: <20210502140316.2718705-1-sashal@kernel.org>
From: Ard Biesheuvel <ardb@kernel.org>
[ Upstream commit 83681f2bebb34dbb3f03fecd8f570308ab8b7c2c ]
Given that crypto_alloc_tfm() may return ERR pointers, and to avoid
crashes on obscure error paths where such pointers are presented to
crypto_destroy_tfm() (such as [0]), add an ERR_PTR check there
before dereferencing the second argument as a struct crypto_tfm
pointer.
[0] https://lore.kernel.org/linux-crypto/000000000000de949705bc59e0f6@google.com/
Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/api.c | 2 +-
include/crypto/acompress.h | 2 ++
include/crypto/aead.h | 2 ++
include/crypto/akcipher.h | 2 ++
include/crypto/hash.h | 4 ++++
include/crypto/kpp.h | 2 ++
include/crypto/rng.h | 2 ++
include/crypto/skcipher.h | 2 ++
8 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/crypto/api.c b/crypto/api.c
index ed08cbd5b9d3..c4eda56cff89 100644
--- a/crypto/api.c
+++ b/crypto/api.c
@@ -562,7 +562,7 @@ void crypto_destroy_tfm(void *mem, struct crypto_tfm *tfm)
{
struct crypto_alg *alg;
- if (unlikely(!mem))
+ if (IS_ERR_OR_NULL(mem))
return;
alg = tfm->__crt_alg;
diff --git a/include/crypto/acompress.h b/include/crypto/acompress.h
index fcde59c65a81..cb3d6b1c655d 100644
--- a/include/crypto/acompress.h
+++ b/include/crypto/acompress.h
@@ -165,6 +165,8 @@ static inline struct crypto_acomp *crypto_acomp_reqtfm(struct acomp_req *req)
* crypto_free_acomp() -- free ACOMPRESS tfm handle
*
* @tfm: ACOMPRESS tfm handle allocated with crypto_alloc_acomp()
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_acomp(struct crypto_acomp *tfm)
{
diff --git a/include/crypto/aead.h b/include/crypto/aead.h
index fcc12c593ef8..e728469c4ccc 100644
--- a/include/crypto/aead.h
+++ b/include/crypto/aead.h
@@ -185,6 +185,8 @@ static inline struct crypto_tfm *crypto_aead_tfm(struct crypto_aead *tfm)
/**
* crypto_free_aead() - zeroize and free aead handle
* @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_aead(struct crypto_aead *tfm)
{
diff --git a/include/crypto/akcipher.h b/include/crypto/akcipher.h
index 1d3aa252caba..5764b46bd1ec 100644
--- a/include/crypto/akcipher.h
+++ b/include/crypto/akcipher.h
@@ -174,6 +174,8 @@ static inline struct crypto_akcipher *crypto_akcipher_reqtfm(
* crypto_free_akcipher() - free AKCIPHER tfm handle
*
* @tfm: AKCIPHER tfm handle allocated with crypto_alloc_akcipher()
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_akcipher(struct crypto_akcipher *tfm)
{
diff --git a/include/crypto/hash.h b/include/crypto/hash.h
index 13f8a6a54ca8..b2bc1e46e86a 100644
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -281,6 +281,8 @@ static inline struct crypto_tfm *crypto_ahash_tfm(struct crypto_ahash *tfm)
/**
* crypto_free_ahash() - zeroize and free the ahash handle
* @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_ahash(struct crypto_ahash *tfm)
{
@@ -724,6 +726,8 @@ static inline struct crypto_tfm *crypto_shash_tfm(struct crypto_shash *tfm)
/**
* crypto_free_shash() - zeroize and free the message digest handle
* @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_shash(struct crypto_shash *tfm)
{
diff --git a/include/crypto/kpp.h b/include/crypto/kpp.h
index 88b591215d5c..cccceadc164b 100644
--- a/include/crypto/kpp.h
+++ b/include/crypto/kpp.h
@@ -154,6 +154,8 @@ static inline void crypto_kpp_set_flags(struct crypto_kpp *tfm, u32 flags)
* crypto_free_kpp() - free KPP tfm handle
*
* @tfm: KPP tfm handle allocated with crypto_alloc_kpp()
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_kpp(struct crypto_kpp *tfm)
{
diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index 8b4b844b4eef..17bb3673d3c1 100644
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -111,6 +111,8 @@ static inline struct rng_alg *crypto_rng_alg(struct crypto_rng *tfm)
/**
* crypto_free_rng() - zeroize and free RNG handle
* @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_rng(struct crypto_rng *tfm)
{
diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h
index 6a733b171a5d..ef0fc9ed4342 100644
--- a/include/crypto/skcipher.h
+++ b/include/crypto/skcipher.h
@@ -196,6 +196,8 @@ static inline struct crypto_tfm *crypto_skcipher_tfm(
/**
* crypto_free_skcipher() - zeroize and free cipher handle
* @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_skcipher(struct crypto_skcipher *tfm)
{
--
2.30.2
next prev parent reply other threads:[~2021-05-02 14:04 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-02 14:01 [PATCH AUTOSEL 5.12 01/79] bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first Sasha Levin
2021-05-02 14:01 ` [PATCH AUTOSEL 5.12 02/79] staging: wimax/i2400m: fix byte-order issue Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 03/79] spi: ath79: always call chipselect function Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 04/79] spi: ath79: remove spi-master setup and cleanup assignment Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 05/79] bus: mhi: pci_generic: No-Op for device_wake operations Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 06/79] bus: mhi: core: Destroy SBL devices when moving to mission mode Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 07/79] bus: mhi: core: Process execution environment changes serially Sasha Levin
2021-05-02 14:02 ` Sasha Levin [this message]
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 09/79] crypto: qat - fix unmap invalid dma address Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 10/79] usb: gadget: uvc: add bInterval checking for HS mode Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 11/79] usb: webcam: Invalid size of Processing Unit Descriptor Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 12/79] x86/sev: Do not require Hypervisor CPUID bit for SEV guests Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 13/79] x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 14/79] crypto: hisilicon/sec - fixes a printing error Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 15/79] genirq/matrix: Prevent allocation counter corruption Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 16/79] usb: dwc3: gadget: Remove invalid low-speed setting Sasha Levin
2021-05-02 14:56 ` Greg Kroah-Hartman
2021-05-07 10:47 ` Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 17/79] usb: gadget: f_uac2: validate input parameters Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 18/79] usb: gadget: f_uac1: " Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 19/79] usb: dwc3: gadget: Ignore EP queue requests during bus reset Sasha Levin
2021-05-02 14:02 ` [PATCH AUTOSEL 5.12 20/79] usb: xhci: Fix port minor revision Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210502140316.2718705-8-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ardb@kernel.org \
--cc=ebiggers@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).