From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ard Biesheuvel <ardb@kernel.org>,
syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com,
Eric Biggers <ebiggers@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Sasha Levin <sashal@kernel.org>,
linux-crypto@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 02/21] crypto: api - check for ERR pointers in crypto_destroy_tfm()
Date: Sun, 2 May 2021 10:04:58 -0400 [thread overview]
Message-ID: <20210502140517.2719912-2-sashal@kernel.org> (raw)
In-Reply-To: <20210502140517.2719912-1-sashal@kernel.org>
From: Ard Biesheuvel <ardb@kernel.org>
[ Upstream commit 83681f2bebb34dbb3f03fecd8f570308ab8b7c2c ]
Given that crypto_alloc_tfm() may return ERR pointers, and to avoid
crashes on obscure error paths where such pointers are presented to
crypto_destroy_tfm() (such as [0]), add an ERR_PTR check there
before dereferencing the second argument as a struct crypto_tfm
pointer.
[0] https://lore.kernel.org/linux-crypto/000000000000de949705bc59e0f6@google.com/
Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/api.c | 2 +-
include/crypto/acompress.h | 2 ++
include/crypto/aead.h | 2 ++
include/crypto/akcipher.h | 2 ++
include/crypto/hash.h | 4 ++++
include/crypto/kpp.h | 2 ++
include/crypto/rng.h | 2 ++
include/crypto/skcipher.h | 2 ++
8 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/crypto/api.c b/crypto/api.c
index 1909195b2c70..5efd4d6e6312 100644
--- a/crypto/api.c
+++ b/crypto/api.c
@@ -571,7 +571,7 @@ void crypto_destroy_tfm(void *mem, struct crypto_tfm *tfm)
{
struct crypto_alg *alg;
- if (unlikely(!mem))
+ if (IS_ERR_OR_NULL(mem))
return;
alg = tfm->__crt_alg;
diff --git a/include/crypto/acompress.h b/include/crypto/acompress.h
index e328b52425a8..1ff78365607c 100644
--- a/include/crypto/acompress.h
+++ b/include/crypto/acompress.h
@@ -152,6 +152,8 @@ static inline struct crypto_acomp *crypto_acomp_reqtfm(struct acomp_req *req)
* crypto_free_acomp() -- free ACOMPRESS tfm handle
*
* @tfm: ACOMPRESS tfm handle allocated with crypto_alloc_acomp()
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_acomp(struct crypto_acomp *tfm)
{
diff --git a/include/crypto/aead.h b/include/crypto/aead.h
index 1e26f790b03f..c69c545ba39a 100644
--- a/include/crypto/aead.h
+++ b/include/crypto/aead.h
@@ -187,6 +187,8 @@ static inline struct crypto_tfm *crypto_aead_tfm(struct crypto_aead *tfm)
/**
* crypto_free_aead() - zeroize and free aead handle
* @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_aead(struct crypto_aead *tfm)
{
diff --git a/include/crypto/akcipher.h b/include/crypto/akcipher.h
index b5e11de4d497..9817f2e5bff8 100644
--- a/include/crypto/akcipher.h
+++ b/include/crypto/akcipher.h
@@ -174,6 +174,8 @@ static inline struct crypto_akcipher *crypto_akcipher_reqtfm(
* crypto_free_akcipher() - free AKCIPHER tfm handle
*
* @tfm: AKCIPHER tfm handle allocated with crypto_alloc_akcipher()
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_akcipher(struct crypto_akcipher *tfm)
{
diff --git a/include/crypto/hash.h b/include/crypto/hash.h
index 76e432cab75d..552517dcf9e4 100644
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -257,6 +257,8 @@ static inline struct crypto_tfm *crypto_ahash_tfm(struct crypto_ahash *tfm)
/**
* crypto_free_ahash() - zeroize and free the ahash handle
* @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_ahash(struct crypto_ahash *tfm)
{
@@ -692,6 +694,8 @@ static inline struct crypto_tfm *crypto_shash_tfm(struct crypto_shash *tfm)
/**
* crypto_free_shash() - zeroize and free the message digest handle
* @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_shash(struct crypto_shash *tfm)
{
diff --git a/include/crypto/kpp.h b/include/crypto/kpp.h
index 1bde0a6514fa..1a34630fc371 100644
--- a/include/crypto/kpp.h
+++ b/include/crypto/kpp.h
@@ -159,6 +159,8 @@ static inline void crypto_kpp_set_flags(struct crypto_kpp *tfm, u32 flags)
* crypto_free_kpp() - free KPP tfm handle
*
* @tfm: KPP tfm handle allocated with crypto_alloc_kpp()
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_kpp(struct crypto_kpp *tfm)
{
diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index b95ede354a66..a788c1e5a121 100644
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -116,6 +116,8 @@ static inline struct rng_alg *crypto_rng_alg(struct crypto_rng *tfm)
/**
* crypto_free_rng() - zeroize and free RNG handle
* @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_rng(struct crypto_rng *tfm)
{
diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h
index 2f327f090c3e..c7553f8b1bb6 100644
--- a/include/crypto/skcipher.h
+++ b/include/crypto/skcipher.h
@@ -206,6 +206,8 @@ static inline struct crypto_tfm *crypto_skcipher_tfm(
/**
* crypto_free_skcipher() - zeroize and free cipher handle
* @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
*/
static inline void crypto_free_skcipher(struct crypto_skcipher *tfm)
{
--
2.30.2
next prev parent reply other threads:[~2021-05-02 14:07 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-02 14:04 [PATCH AUTOSEL 4.19 01/21] staging: wimax/i2400m: fix byte-order issue Sasha Levin
2021-05-02 14:04 ` Sasha Levin [this message]
2021-05-02 14:04 ` [PATCH AUTOSEL 4.19 03/21] usb: gadget: uvc: add bInterval checking for HS mode Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 04/21] genirq/matrix: Prevent allocation counter corruption Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 05/21] usb: gadget: f_uac1: validate input parameters Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 06/21] usb: dwc3: gadget: Ignore EP queue requests during bus reset Sasha Levin
2021-05-10 12:03 ` Pavel Machek
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 07/21] usb: xhci: Fix port minor revision Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 08/21] PCI: PM: Do not read power state in pci_enable_device_flags() Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 09/21] x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS) Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 10/21] tee: optee: do not check memref size on return from Secure World Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 11/21] perf/arm_pmu_platform: Fix error handling Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 12/21] usb: xhci-mtk: support quirk to disable usb2 lpm Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 13/21] xhci: check control context is valid before dereferencing it Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 14/21] xhci: fix potential array out of bounds with several interrupters Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 15/21] spi: dln2: Fix reference leak to master Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 16/21] spi: omap-100k: " Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 17/21] platform/x86: thinkpad_acpi: Correct thermal sensor allocation Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 18/21] intel_th: Consistency and off-by-one fix Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 19/21] phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 20/21] crypto: omap-aes - Fix PM reference leak on omap-aes.c Sasha Levin
2021-05-02 14:05 ` [PATCH AUTOSEL 4.19 21/21] btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210502140517.2719912-2-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ardb@kernel.org \
--cc=ebiggers@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).