| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <da903311-9fdb-d20a-9584-c35836947302@gmail.com>
Date: Mon, 29 Jul 2019 16:06:40 +0800
From: Jia-Ju Bai <baijiaju1990@...il.com>
To: Steffen Klassert <steffen.klassert@...unet.com>
Cc: herbert@...dor.apana.org.au, davem@...emloft.net,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [BUG] net: xfrm: possible null-pointer dereferences in
xfrm_policy()
On 2019/7/29 16:03, Steffen Klassert wrote:
> On Mon, Jul 29, 2019 at 11:43:49AM +0800, Jia-Ju Bai wrote:
>> In xfrm_policy(), the while loop on lines 3802-3830 ends when dst->xfrm is
>> NULL.
> We don't have a xfrm_policy() function, and as said already the
> line numbers does not help much as long as you don't say which
> tree/branch this is and which commit is the head commit.
>
>> Then, dst->xfrm is used on line 3840:
>> xfrm_state_mtu(dst->xfrm, mtu);
>> if (x->km.state != XFRM_STATE_VALID...)
>> aead = x->data;
>>
>> Thus, possible null-pointer dereferences may occur.
> I guess you refer to xfrm_bundle_ok(). The dst pointer
> is reoaded after the loop, so the dereferenced pointer
> is not the one that had NULL at dst->xfrm.
>
>> These bugs are found by a static analysis tool STCheck written by us.
>>
>> I do not know how to correctly fix these bugs, so I only report them.
> I'd suggest you to manually review the reports of your
> tool and to fix the tool accordingly.
Oh, sorry for my mistakes.
I have found that dst is updated:
dst = &xdst->u.dst;
I will fix my tool, thanks.
Best wishes,
Jia-Ju Bai
Powered by blists - more mailing lists