| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Aug 2023 21:04:15 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: David Howells <dhowells@...hat.com>
Cc: herbert@...dor.apana.org.au, davem@...emloft.net,
pabeni@...hat.com, linux-crypto@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzbot+cba21d50095623218389@...kaller.appspotmail.com
Subject: Re: [PATCH] crypto: fix uninit-value in af_alg_free_resources
Hi David,
David Howells <dhowells@...hat.com> says:
> Pavel Skripkin <paskripkin@...il.com> wrote:
>
>> Syzbot was able to trigger use of uninitialized memory in
>> af_alg_free_resources.
>>
>> Bug is caused by missing initialization of rsgl->sgl.need_unpin before
>> adding to rsgl_list. Then in case of extract_iter_to_sg() failure, rsgl
>> is left with uninitialized need_unpin which is read during clean up
>
> Looks feasible :-).
>
>> + rsgl->sgl.need_unpin = 0;
>> +
>
> The blank line isn't really necessary and it's a bool, so can you use 'false'
> rather than '0'?
>
> Alternatively, it might be better to move:
>
> rsgl->sgl.need_unpin =
> iov_iter_extract_will_pin(&msg->msg_iter);
>
> up instead.
>
Thank you for review! I've just posted v2 :)
With regards,
Pavel Skripkin
Powered by blists - more mailing lists