lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080716063510.GA13513@gondor.apana.org.au>
Date:	Wed, 16 Jul 2008 14:35:10 +0800
From:	Herbert Xu <herbert@...dor.apana.org.au>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Alexey Dobriyan <adobriyan@...il.com>, davem@...emloft.net,
	mingo@...e.hu, nhorman@...driver.com, simon@...e.lp0.eu,
	linux-kernel@...r.kernel.org
Subject: Re: BUG: unable to handle kernel NULL pointer dereference at 000000000000000e (reset_prng_context)

On Tue, Jul 15, 2008 at 11:17:34PM -0700, Andrew Morton wrote:
>
> On error the function will sometimes return -EFOO and other times will
> just return -1.  This is inconsistent and makes the error returns
> rather less useful than they could be.  I'd suggest that it be switched
> to -1 throughout or, better, to consistently use appropriate error codes.

Yes -1 should be replaced with a more meaningful error.
> 
> > +struct prng_context *alloc_prng_context(void)
> > +{
> > +	struct prng_context *ctx=kzalloc(sizeof(struct prng_context), GFP_KERNEL);
> > +
> > +	spin_lock_init(&ctx->prng_lock);
> > +
> > +	if (reset_prng_context(ctx, NULL, NULL, NULL, NULL)) {
> > +		kfree(ctx);
> > +		ctx = NULL;
> > +	}
> > +
> > +	dbgprint(KERN_CRIT "returning context %p\n",ctx);
> > +	return ctx;
> > +}
> > +
> > +EXPORT_SYMBOL_GPL(alloc_prng_context);
> > +
> > +void free_prng_context(struct prng_context *ctx)
> > +{
> > +	crypto_free_blkcipher(ctx->tfm);
> > +	kfree(ctx);
> > +}
> > +EXPORT_SYMBOL_GPL(free_prng_context);
> > +
> > +int reset_prng_context(struct prng_context *ctx,
> > +		       unsigned char *key, unsigned char *iv,
> > +		       unsigned char *V, unsigned char *DT)
> > +{
> > +	int ret;
> > +	int iv_len;
> > +	int rc = -EFAULT;
> > +
> > +	spin_lock(&ctx->prng_lock);
> > +	ctx->flags |= PRNG_NEED_RESET;
> > +
> > +	if (key)
> > +		memcpy(ctx->prng_key,key,strlen(ctx->prng_key));
> > +	else
> > +		ctx->prng_key = DEFAULT_PRNG_KEY;
> 
> This is very strange.  In one case we'll copy a string onto existing
> storage at ctx->prng_key.  In the other case we'll *modify*
> ctx->prng_key directly.

Indeed this is bogus.  We shouldn't store either the key or the
IV in the context since the tfm already holds a copy.

Neil, please remove prng_key and prng_iv completely.
 
> We don't support \0's in the key or the IV.  I assume that's OK?

No the caller should supply the length instead.

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ