Open Source and information security mailing list archives
 
Message-ID: <alpine.LNX.2.00.1102062320230.13593@swampdragon.chaosbits.net>
Date:	Sun, 6 Feb 2011 23:31:13 +0100 (CET)
From:	Jesper Juhl <jj@...osbits.net>
To:	linux-kernel@...r.kernel.org
cc:	Alexander Kjeldaas <astor@...t.no>,
	David Woodhouse <David.Woodhouse@...el.com>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Pekka Enberg <penberg@...helsinki.fi>
Subject: NULL deref in drivers/md/dm-crypt.c:crypt_convert()

The Coverity checker found this. I don't know how to fix it, so I'll just 
report it and hope that someone else can address the issue.

In drivers/md/dm-crypt.c:crypt_convert() we have this code:
...
  		while(ctx->idx_in < ctx->bio_in->bi_vcnt &&
  		      ctx->idx_out < ctx->bio_out->bi_vcnt) {
  	
  			crypt_alloc_req(cc, ctx);
  	
  			atomic_inc(&ctx->pending);
  	
  			r = crypt_convert_block(cc, ctx, this_cc->req);
  	
  			switch (r) {
  			/* async */
 			case -EBUSY:
  				wait_for_completion(&ctx->restart);
  				INIT_COMPLETION(ctx->restart);
  				/* fall through*/
  			case -EINPROGRESS:
  				this_cc->req = NULL;
  				ctx->sector++;
  				continue;
...

If we take the first pass through the 'while' loop and hit the 
'-EINPROGRESS' case of the switch, then the second time around we'll pass 
a NULL 'this_cc->req' to 'crypt_convert_block()'. 'crypt_convert_block()' 
passes the pointer to 'ablkcipher_request_set_crypt()' which dereferences
it:
...
  	static inline void ablkcipher_request_set_crypt(
  		struct ablkcipher_request *req,
  		struct scatterlist *src, struct scatterlist *dst,
  		unsigned int nbytes, void *iv)
  	{
  		req->src = src;
...

That's going to go "BOOM" - definitely not what we want, so we need a fix 
somehow...

-- 
Jesper Juhl <jj@...osbits.net>            http://www.chaosbits.net/
Plain text mails only, please.
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
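
Added example, not part of the original message and not kernel code: a user-space model of the quoted loop, for checking whether the NULL stored in the -EINPROGRESS case can reach the dereference on the next pass. The body of crypt_alloc_req() is not quoted in the report, so alloc_req_model() and its refill_when_null switch are assumptions, as are the other *_model names and the struct stand-ins.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed stand-ins; not the dm-crypt or crypto API definitions. */
struct request { int src; };
struct cpu_state { struct request *req; };

/* Hypothetical model of crypt_alloc_req(), whose body the message does not
 * quote. refill_when_null selects the assumed behaviour being tested. */
static void alloc_req_model(struct cpu_state *cs, int pass, int refill_when_null)
{
	if (!cs->req && (pass == 0 || refill_when_null))
		cs->req = calloc(1, sizeof(*cs->req));
}

/* Models crypt_convert_block(): writes through req, then reports sync/async. */
static int convert_block_model(struct request *req, int async)
{
	req->src = 1;
	return async ? -EINPROGRESS : 0;
}

/* Returns 0 if every pass had a request, or -EFAULT plus the failing pass
 * in *bad_pass if a NULL request would have reached the dereference. */
static int convert_model(int blocks, int async, int refill_when_null, int *bad_pass)
{
	struct cpu_state cs = { NULL };
	int pass, ret = 0;
	for (pass = 0; pass < blocks; pass++) {
		alloc_req_model(&cs, pass, refill_when_null);
		if (!cs.req) {               /* guard standing in for the crash */
			*bad_pass = pass;
			ret = -EFAULT;
			break;
		}
		if (convert_block_model(cs.req, async) == -EINPROGRESS) {
			free(cs.req);            /* model: completion path owns it */
			cs.req = NULL;           /* same clearing as the quoted loop */
		}
	}
	free(cs.req);
	return ret;
}

int main(void)
{
	int bad = -1;
	return convert_model(3, 1, 1, &bad) ? 1 : 0;
}
```

In this model the NULL only reaches the dereference when the result is asynchronous and the allocation step does not refill an empty slot, so the function to read when triaging the report is crypt_alloc_req().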
