| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 05 Jul 2014 02:00:15 +0200
From: Stephan Mueller <smueller@...onox.de>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: Herbert Xu <herbert@...dor.apana.org.au>,
kbuild test robot <fengguang.wu@...el.com>, kbuild@...org,
linux-kernel@...r.kernel.org,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>
Subject: Re: [PATCH] Potential NULL pointer deference in drbg_ctr_df
Am Freitag, 4. Juli 2014, 13:50:03 schrieb Dan Carpenter:
Hi Dan,
> On Wed, Jun 25, 2014 at 05:06:46PM +0800, Herbert Xu wrote:
> > On Sat, Jun 21, 2014 at 02:26:29PM +0200, Stephan Mueller wrote:
> > > The handling of additional input data / personalization string data may
> > > be subject to a NULL pointer deference for the CTR DRBG. The
> > > caller-provided data may be NULL which must be caught by the DRBG.
> > >
> > > Reported-by: kbuild test robot <fengguang.wu@...el.com>
>
> Oh, huh. This bug was actually reported by me but I forgot to change
> the from header and apparently my smtp server allows me to send emails
> as if I work for Intel. :P
>
> Fengguang is much nicer than I am. :P
Too late, your colleague's name is now in the patches ;-)
>
> > > Signed-off-by: Stephan Mueller <smueller@...onox.de>
> > > ---
> > >
> > > crypto/drbg.c | 23 +++++++++++++----------
> > > 1 file changed, 13 insertions(+), 10 deletions(-)
> > >
> > > diff --git a/crypto/drbg.c b/crypto/drbg.c
> > > index faaa2ce..8e7c302 100644
> > > --- a/crypto/drbg.c
> > > +++ b/crypto/drbg.c
> > > @@ -513,17 +513,20 @@ static int drbg_ctr_df(struct drbg_state *drbg,
> > >
> > > drbg_string_fill(&S2, L_N, sizeof(L_N));
> > > drbg_string_fill(&S4, pad, padlen);
> > > S1.next = &S2;
> > >
> > > - S2.next = addtl;
> > >
> > > - /*
> > > - * splice in addtl between S2 and S4 -- we place S4 at the end of the
> > > - * input data chain
> > > - */
> > > - tempstr = addtl;
> > > - for (; NULL != tempstr; tempstr = tempstr->next)
> > > - if (NULL == tempstr->next)
> > > - break;
> > > - tempstr->next = &S4;
> > > + if (NULL == addtl) {
> > > + S2.next = &S4;
> > > + } else {
> > > + /*
> > > + * splice in addtl between S2 and S4 -- we place S4 at the end
> > > + * of the input data chain
> > > + */
> > > + S2.next = addtl;
> > > + tempstr = addtl;
> > > + while (tempstr->next)
> > > + tempstr = tempstr->next;
> > > + tempstr->next = &S4;
> >
> > You've still got exactly the same NULL dereference.
>
> I was offline for a bit so I'm coming into this late. It's weird that
> Stephan isn't defending his patch but it looks ok to me...
It has been clarified in a later email that there was no NULL pointer after
all. I erroneously sent this message and initially missed the check that
guards against the NULL pointer.
>
> regards,
> dan carpenter
--
Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists