Message-Id: <e3277b8c7dfe09fae49d0ea7caacc2327f37a18261176964b0be6a67da50c6be@mail.kernel.org>
Date: Tue, 20 Jan 2026 19:13:40 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: git@...ielhodges.dev,bpf@...r.kernel.org
Cc: ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,vadim.fedorenko@...ux.dev,song@...nel.org,yatsenko@...a.com,martin.lau@...ux.dev,eddyz87@...il.com,haoluo@...gle.com,jolsa@...nel.org,john.fastabend@...il.com,kpsingh@...nel.org,sdf@...ichev.me,yonghong.song@...ux.dev,herbert@...dor.apana.org.au,davem@...emloft.net,linux-crypto@...r.kernel.org,linux-kernel@...r.kernel.org,linux-kselftest@...r.kernel.org,git@...ielhodges.dev,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v5 2/7] crypto: Add BPF hash algorithm type registration module
> diff --git a/crypto/bpf_crypto_shash.c b/crypto/bpf_crypto_shash.c
> new file mode 100644
> index 000000000000..6e9b0d757ec9
> --- /dev/null
> +++ b/crypto/bpf_crypto_shash.c
[ ... ]
> +static const struct bpf_crypto_type bpf_crypto_shash_type = {
> + .alloc_tfm = bpf_crypto_shash_alloc_tfm,
> + .free_tfm = bpf_crypto_shash_free_tfm,
> + .has_algo = bpf_crypto_shash_has_algo,
> + .hash = bpf_crypto_shash_hash,
> + .digestsize = bpf_crypto_shash_digestsize,
> + .get_flags = bpf_crypto_shash_get_flags,
> + .owner = THIS_MODULE,
> + .type_id = BPF_CRYPTO_TYPE_HASH,
> + .name = "hash",
> +};
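
Review bot: the initializer of bpf_crypto_shash_type sets .hash and .digestsize but no .setkey, .ivsize or .statesize, so those three members are NULL and the table is only safe with a caller that checks each pointer before use. Consider carrying that check in this same patch, and add a comment on the struct stating which callbacks a hash type leaves unset on purpose, so a later caller does not invoke them unguarded.
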
Can this cause a NULL pointer dereference when a BPF program calls
bpf_crypto_ctx_create() with type="hash"?

The bpf_crypto_ctx_create() function in kernel/bpf/crypto.c unconditionally
calls type->setkey(), type->ivsize(), and type->statesize():

    *err = type->setkey(ctx->tfm, params->key, params->key_len);
    ...
    ctx->siv_len = type->ivsize(ctx->tfm) + type->statesize(ctx->tfm);

But bpf_crypto_shash_type does not implement these callbacks, leaving them
as NULL.

Note: This appears to be fixed later in the series by commit 76d771a64b50
("bpf: Add hash kfunc for cryptographic hashing") which adds NULL checks
before calling these function pointers. Should this commit be squashed
with 76d771a64b50 to ensure each patch in the series is bisectable without
introducing crashes?

> +module_init(bpf_crypto_shash_init);
> +module_exit(bpf_crypto_shash_exit);
> +MODULE_LICENSE("GPL");
> +MODULE_DESCRIPTION("Hash algorithm support for BPF");
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21183820118