| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241030132352.154488-1-islituo@gmail.com>
Date: Thu, 31 Oct 2024 00:23:52 +1100
From: Tuo Li <islituo@...il.com>
To: ayush.sawal@...lsio.com,
andrew+netdev@...n.ch,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
almasrymina@...gle.com,
dtatulea@...dia.com,
jacob.e.keller@...el.com
Cc: netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
baijiaju1990@...il.com,
Tuo Li <islituo@...il.com>
Subject: [PATCH] chcr_ktls: fix a possible null-pointer dereference in chcr_ktls_dev_add()
There is a possible null-pointer dereference related to the wait-completion
synchronization mechanism in the function chcr_ktls_dev_add().
Consider the following execution scenario:
chcr_ktls_cpl_act_open_rpl() //641
u_ctx = adap->uld[CXGB4_ULD_KTLS].handle; //686
if (u_ctx) { //687
complete(&tx_info->completion); //704
The variable u_ctx is checked by an if statement at Line 687, which means
it can be NULL. Then, complete() is called at Line 704, which will wake
up wait_for_completion_xxx().
Consider the wait_for_completion_timeout() in chcr_ktls_dev_add():
chcr_ktls_dev_add() //412
u_ctx = adap->uld[CXGB4_ULD_KTLS].handle; //432
wait_for_completion_timeout(&tx_info->completion, 30 * HZ); //551
xa_erase(&u_ctx->tid_list, tx_info->tid); //580
The variable u_ctx is dereferenced without being rechecked at Line 580
after the wait_for_completion_timeout(), which can introduce a null-pointer
dereference. Besides, the variable u_ctx is also checked at Line 442 in
chcr_ktls_dev_add(), which indicates that u_ctx is likely to be NULL in
some execution contexts.
To fix this possible null-pointer dereference, a NULL check is put ahead of
the call to xa_erase().
This potential bug was discovered using an experimental static analysis
tool developed by our team. The tool deduces complete() and
wait_for_completion() pairs using alias analysis. It then applies data
flow analysis to detect null-pointer dereferences across synchronization
points.
Fixes: 65e302a9bd57 ("cxgb4/ch_ktls: Clear resources when pf4 device is removed")
Signed-off-by: Tuo Li <islituo@...il.com>
---
drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c b/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
index e8e460a92e0e..524c8e032bc8 100644
--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
+++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
@@ -577,7 +577,8 @@ static int chcr_ktls_dev_add(struct net_device *netdev, struct sock *sk,
cxgb4_remove_tid(&tx_info->adap->tids, tx_info->tx_chan,
tx_info->tid, tx_info->ip_family);
- xa_erase(&u_ctx->tid_list, tx_info->tid);
+ if (u_ctx)
+ xa_erase(&u_ctx->tid_list, tx_info->tid);
put_module:
/* release module refcount */
--
2.43.0
Powered by blists - more mailing lists