lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a3721585-c38f-f222-9a0e-4b268a48491b@gmail.com>
Date:   Mon, 14 Aug 2023 21:04:15 +0300
From:   Pavel Skripkin <paskripkin@...il.com>
To:     David Howells <dhowells@...hat.com>
Cc:     herbert@...dor.apana.org.au, davem@...emloft.net,
        pabeni@...hat.com, linux-crypto@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        syzbot+cba21d50095623218389@...kaller.appspotmail.com
Subject: Re: [PATCH] crypto: fix uninit-value in af_alg_free_resources

Hi David,

David Howells <dhowells@...hat.com> says:
> Pavel Skripkin <paskripkin@...il.com> wrote:
> 
>> Syzbot was able to trigger use of uninitialized memory in
>> af_alg_free_resources.
>> 
>> Bug is caused by missing initialization of rsgl->sgl.need_unpin before
>> adding to rsgl_list. Then in case of extract_iter_to_sg() failure, rsgl
>> is left with uninitialized need_unpin which is read during clean up
> 
> Looks feasible :-).
> 
>> +		rsgl->sgl.need_unpin = 0;
>> +
> 
> The blank line isn't really necessary and it's a bool, so can you use 'false'
> rather than '0'?
> 
> Alternatively, it might be better to move:
> 
> 		rsgl->sgl.need_unpin =
> 			iov_iter_extract_will_pin(&msg->msg_iter);
> 
> up instead.
> 

Thank you for review! I've just posted v2 :)



With regards,
Pavel Skripkin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ