Open Source and information security mailing list archives
 
Message-ID: <Z_-6yKUdJO0yDe9-@stanley.mountain>
Date: Wed, 16 Apr 2025 17:12:24 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: David Howells <dhowells@...hat.com>
Cc: linux-afs@...ts.infradead.org, netdev@...r.kernel.org
Subject: [bug report] rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)

Hello David Howells,

Commit 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security
class (GSSAPI)") from Apr 11, 2025 (linux-next), leads to the
following Smatch static checker warning:

	net/rxrpc/rxgk_app.c:240 rxgk_extract_token()
	error: uninitialized symbol 'ec'.

net/rxrpc/rxgk_app.c
    180 int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
    181                        unsigned int token_offset, unsigned int token_len,
    182                        struct key **_key)
    183 {
    184         const struct krb5_enctype *krb5;
    185         const struct krb5_buffer *server_secret;
    186         struct crypto_aead *token_enc = NULL;
    187         struct key *server_key;
    188         unsigned int ticket_offset, ticket_len;
    189         u32 kvno, enctype;
    190         int ret, ec;
    191 
    192         struct {
    193                 __be32 kvno;
    194                 __be32 enctype;
    195                 __be32 token_len;
    196         } container;
    197 
    198         /* Decode the RXGK_TokenContainer object.  This tells us which server
    199          * key we should be using.  We can then fetch the key, get the secret
    200          * and set up the crypto to extract the token.
    201          */
    202         if (skb_copy_bits(skb, token_offset, &container, sizeof(container)) < 0)
    203                 return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO,
    204                                         rxgk_abort_resp_tok_short);
    205 
    206         kvno            = ntohl(container.kvno);
    207         enctype         = ntohl(container.enctype);
    208         ticket_len      = ntohl(container.token_len);
    209         ticket_offset   = token_offset + sizeof(container);
    210 
    211         if (xdr_round_up(ticket_len) > token_len - 3 * 4)
    212                 return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO,
    213                                         rxgk_abort_resp_tok_short);
    214 
    215         _debug("KVNO %u", kvno);
    216         _debug("ENC  %u", enctype);
    217         _debug("TLEN %u", ticket_len);
    218 
    219         server_key = rxrpc_look_up_server_security(conn, skb, kvno, enctype);
    220         if (IS_ERR(server_key))
    221                 goto cant_get_server_key;
    222 
    223         down_read(&server_key->sem);
    224         server_secret = (const void *)&server_key->payload.data[2];
    225         ret = rxgk_set_up_token_cipher(server_secret, &token_enc, enctype, &krb5, GFP_NOFS);
    226         up_read(&server_key->sem);
    227         key_put(server_key);
    228         if (ret < 0)
    229                 goto cant_get_token;
    230 
    231         /* We can now decrypt and parse the token/ticket.  This allows us to
    232          * gain access to K0, from which we can derive the transport key and
    233          * thence decode the authenticator.
    234          */
    235         ret = rxgk_decrypt_skb(krb5, token_enc, skb,
    236                                &ticket_offset, &ticket_len, &ec);
                                                                    ^^^
ec is only sometimes set here.

    237         crypto_free_aead(token_enc);
    238         token_enc = NULL;
--> 239         if (ret < 0)
    240                 return rxrpc_abort_conn(conn, skb, ec, ret,
                                                           ^^
This is Undefined Behavior.

    241                                         rxgk_abort_resp_tok_dec);
    242 
    243         ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
    244                                                     ticket_len, _key);
    245         if (ret < 0)

regards,
dan carpenter

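The shape of the bug in the report above, as an added example that is not kernel code and not part of the original message: a callee writes its error-code out-parameter on some failure paths but not on others, and the caller forwards that variable whenever the return value is negative. The names (demo_decrypt, demo_caller_probe, demo_caller_fixed), the DEMO_* constants and the sample buffers are all constructed for this example and are not rxrpc/rxgk identifiers. The probe pre-sets the out-parameter to a sentinel only so the gap can be observed without actually reading an uninitialized variable; the hardened caller shows one of the two valid fixes (initialize the variable to a sane default; the other is making the callee write it on every failure path).

```c
/*
 * Added example, not code from the kernel or from the report above.
 * Models the "out-parameter set only on some error paths" pattern that
 * the Smatch warning flags, next to a hardened caller. All names,
 * constants and sample inputs are constructed for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_EC_UNSET    0      /* sentinel only: "callee never wrote ec"    */
#define DEMO_EC_SHORT    1      /* constructed abort code: packet too short  */
#define DEMO_EC_BADAUTH  2      /* constructed abort code: bad authenticator */
#define DEMO_EC_DECFAIL  3      /* constructed generic "decryption failed"   */
#define DEMO_EPROTO    (-71)
#define DEMO_ENOMEM    (-12)

struct demo_result {
    int ret;    /* 0 or a negative errno-style value */
    int ec;     /* abort code the caller would send to the peer */
};

/*
 * Model of the callee: writes *ec on the protocol-level failures but
 * returns -ENOMEM without touching *ec, i.e. "ec is only sometimes set".
 * The alloc_fails flag stands in for a failed allocation.
 */
static int demo_decrypt(const uint8_t *buf, size_t len, bool alloc_fails,
                        int *ec)
{
    if (len < 4) {
        *ec = DEMO_EC_SHORT;
        return DEMO_EPROTO;
    }
    if (alloc_fails)
        return DEMO_ENOMEM;             /* *ec is NOT written on this path */
    if (buf[0] != 0x01) {
        *ec = DEMO_EC_BADAUTH;
        return DEMO_EPROTO;
    }
    return 0;
}

/*
 * Probe of the unfixed caller. The real bug leaves ec uninitialized and
 * reads it whenever ret < 0; reading it here would be undefined behaviour,
 * so the probe pre-sets ec to a sentinel purely to make the gap observable:
 * if the sentinel survives, the real caller would have forwarded garbage.
 */
struct demo_result demo_caller_probe(const uint8_t *buf, size_t len,
                                     bool alloc_fails)
{
    struct demo_result r = { 0, DEMO_EC_UNSET };
    int ec = DEMO_EC_UNSET;

    r.ret = demo_decrypt(buf, len, alloc_fails, &ec);
    if (r.ret < 0)
        r.ec = ec;                      /* uninitialized in the real bug */
    return r;
}

/*
 * Hardened caller: ec holds a defined default abort code before the call,
 * so every ret < 0 path reports a defined value even when the callee did
 * not write it.
 */
struct demo_result demo_caller_fixed(const uint8_t *buf, size_t len,
                                     bool alloc_fails)
{
    struct demo_result r = { 0, DEMO_EC_UNSET };
    int ec = DEMO_EC_DECFAIL;           /* initialized default */

    r.ret = demo_decrypt(buf, len, alloc_fails, &ec);
    if (r.ret < 0)
        r.ec = ec;
    return r;
}

/* Constructed sample inputs. */
static const uint8_t demo_good[4]  = { 0x01, 0x00, 0x00, 0x00 };
static const uint8_t demo_bad[4]   = { 0x02, 0x00, 0x00, 0x00 };
static const uint8_t demo_short[2] = { 0x01, 0x00 };

int main(void)
{
    struct demo_result p = demo_caller_probe(demo_good, sizeof(demo_good), true);
    struct demo_result f = demo_caller_fixed(demo_good, sizeof(demo_good), true);
    struct demo_result b = demo_caller_fixed(demo_bad, sizeof(demo_bad), false);
    struct demo_result s = demo_caller_probe(demo_short, sizeof(demo_short), false);

    printf("probe  ENOMEM path: ret=%d ec=%d (sentinel survived)\n", p.ret, p.ec);
    printf("fixed  ENOMEM path: ret=%d ec=%d\n", f.ret, f.ec);
    printf("fixed  bad auth   : ret=%d ec=%d\n", b.ret, b.ec);
    printf("probe  short pkt  : ret=%d ec=%d\n", s.ret, s.ec);
    return 0;
}
```

The probe's ENOMEM case is the one a static checker reasons about: the return value is negative, so the caller reaches the use of ec, but no path through the callee wrote it. Initializing ec (or having the callee assign a code on every failure) closes the gap; either fix also keeps the peer from being sent an arbitrary abort code.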