From: Nick Bowler <nbowler@elliptictech.com>
To: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Herbert Xu <herbert@gondor.hengli.com.au>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH] crypto: ghash: Avoid null pointer dereference if no key is set.
Date: Fri, 14 Oct 2011 13:13:58 -0400
Message-ID: <20111014171358.GA15626@elliptictech.com>
In-Reply-To: <1318603040-1360-1-git-send-email-nbowler@elliptictech.com>

On 2011-10-14 10:37 -0400, Nick Bowler wrote:
> The ghash_update function passes a pointer to gf128mul_4k_lle which will
> be NULL if ghash_setkey is not called or if the most recent call to
> ghash_setkey failed to allocate memory. This causes an oops. Fix this
> up by returning an error code in the null case.
>
> This is trivially triggered from unprivileged userspace through the
> AF_ALG interface by simply writing to the socket without setting a key.

It looks like this can also happen in ghash_final if an evil user calls
setkey, update with a length that's not a multiple of the block size,
then setkey again (this time failing due to an allocation failure) then
final. Thus, I suppose that final needs the same check.

v2 forthcoming...

--
Nick Bowler, Elliptic Technologies (http://www.elliptictech.com/)
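
The check this message asks for, as an added example that is not part of the original message or of the kernel source: a userspace C model in which a failed re-key leaves the table pointer NULL, so both update and final test it before use. All names, the error values and the XOR stand-in for the multiply are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
enum { BLK = 16, ERR_NOMEM = -12, ERR_NOKEY = -126 }; /* model's own values (assumed) */
struct model { unsigned char *table, buf[BLK]; size_t fill; }; /* table NULL = no key */

static void mix(struct model *m)            /* stand-in multiply: reads the table */
{
    for (int i = 0; i < BLK; i++) m->buf[i] ^= m->table[i];
}

static int model_setkey(struct model *m, const unsigned char *key, int oom)
{
    free(m->table);                         /* old table is dropped first */
    m->table = oom ? NULL : malloc(BLK);    /* oom simulates allocation failure */
    if (m->table)
        memcpy(m->table, key, BLK);
    return m->table ? 0 : ERR_NOMEM;        /* on failure the state is keyless */
}

static int model_update(struct model *m, const unsigned char *src, size_t len)
{
    if (!m->table)
        return ERR_NOKEY;                   /* guard: no key set */
    while (len--) {
        m->buf[m->fill] ^= *src++;
        if ((m->fill = (m->fill + 1) % BLK) == 0)
            mix(m);                         /* block complete */
    }
    return 0;
}

static int model_final(struct model *m)
{
    if (!m->table)
        return ERR_NOKEY;                   /* guard: key lost after a partial update */
    if (m->fill)
        mix(m);                             /* pending partial block */
    return 0;                               /* digest is left in m->buf */
}

/* Sequence from the message: setkey, partial update, failed setkey, final. */
static int rekey_then_final(void)
{
    struct model m = { 0 };
    unsigned char key[BLK] = { 1 };         /* constructed key, reused as data */
    if (model_setkey(&m, key, 0) || model_update(&m, key, 5))
        return 1;
    return model_setkey(&m, key, 1) == ERR_NOMEM ? model_final(&m) : 2;
}
```

Without the guard in model_final, the pending five-byte block would reach mix() with a NULL table, which is the ghash_final case described above.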