lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 23 Aug 2022 15:23:37 +0300
From:   Tal Lossos <tallossos@...il.com>
To:     hch@....de, sagi@...mberg.me, kch@...dia.com,
        linux-nvme@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: [bug report] nvme: NULL pointer dereference in nvmet_setup_auth

Hello,
There is a NULL pointer dereference in nvmet_setup_auth() introduced
in commit db1312dd95488b5e6ff362ff66fcf953a46b1821 causing a DoS.
As of v6.0-rc2, in target/auth.c:196, if there is an error with
ctrl->ctrl_key, it gets reassigned to NULL, and one line afterwards,
it gets dereferenced in the call for pr_debug():

ctrl->ctrl_key = nvme_auth_extract_key(host->dhchap_ctrl_secret + 10,
    host->dhchap_ctrl_key_hash);
if (IS_ERR(ctrl->ctrl_key)) {
    ret = PTR_ERR(ctrl->ctrl_key);
    ctrl->ctrl_key = NULL;   <--- Assigning NULL
}
pr_debug("%s: using ctrl hash %s key %*ph\n", __func__,
ctrl->ctrl_key->hash > 0 ?   <--- NULL pointer dereference
nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",
(int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);

This bug occurs probably due to a missing goto statement (goto out_unlock).

Best Regards,
Tal Lossos

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ