From: Christoph Hellwig <hch@lst.de>
To: Hannes Reinecke <hare@suse.de>
Cc: Tal Lossos <tallossos@gmail.com>,
	sagi@grimberg.me, kch@nvidia.com, linux-nvme@lists.infradead.org,
	linux-kernel@vger.kernel.org
Subject: Re: [bug report] nvme: NULL pointer dereference in nvmet_setup_auth
Date: Tue, 23 Aug 2022 18:12:55 +0200
Message-ID: <20220823161255.GA21462@lst.de>
In-Reply-To: <CAO15rPn8MBD5+QX31xjFsccT_1bRSuYYm2P1cTWqTydZTkiH+g@mail.gmail.com>

On Tue, Aug 23, 2022 at 03:23:37PM +0300, Tal Lossos wrote:
> Hello,
> There is a NULL pointer dereference in nvmet_setup_auth() introduced
> in commit db1312dd95488b5e6ff362ff66fcf953a46b1821 causing a DoS.
> As of v6.0-rc2, in target/auth.c:196, if there is an error with
> ctrl->ctrl_key, it gets reassigned to NULL, and one line afterwards,
> it gets dereferenced in the call for pr_debug():

Hannes, can you look into this?

> 
> ctrl->ctrl_key = nvme_auth_extract_key(host->dhchap_ctrl_secret + 10,
>     host->dhchap_ctrl_key_hash);
> if (IS_ERR(ctrl->ctrl_key)) {
>     ret = PTR_ERR(ctrl->ctrl_key);
>     ctrl->ctrl_key = NULL;   <--- Assigning NULL
> }
> pr_debug("%s: using ctrl hash %s key %*ph\n", __func__,
> ctrl->ctrl_key->hash > 0 ?   <--- NULL pointer dereference
> nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",
> (int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);
> 
> This bug occurs probably due to a missing goto statement (goto out_unlock).
> 
> Best Regards,
> Tal Lossos
---end quoted text---
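The report above describes a classic error-path defect in kernel code: the pointer is converted with IS_ERR()/PTR_ERR(), reset to NULL, and then used anyway because the function never left the error path. The following is an added illustration, not code from the thread or from the nvme target driver: it mocks the kernel's ERR_PTR/IS_ERR/PTR_ERR scheme and the structures touched by the quoted snippet, and it applies the early exit the reporter suggests (`goto out_unlock`) so the debug print is only reached with a valid key. The helper names ending in `_mock`, the structure layouts and the secret-string format used in the scenarios are assumptions for this example; whether the upstream fix took exactly this shape is not something the thread shows.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mock of the kernel's <linux/err.h> convention (assumed here, not the page's
 * code): a pointer value in the top MAX_ERRNO bytes of the address space
 * carries -errno instead of a real address. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Minimal stand-ins for the nvme structures named in the quoted snippet. */
struct nvme_dhchap_key {
	size_t len;
	unsigned char hash;
	unsigned char key[64];
};
struct nvmet_host {
	const char *dhchap_ctrl_secret;     /* "DHHC-1:xx:<key>" style string (assumed) */
	unsigned char dhchap_ctrl_key_hash;
};
struct nvmet_ctrl {
	struct nvme_dhchap_key *ctrl_key;
};

/* Hypothetical stand-in for nvme_auth_hmac_name(); 0 means "no hash". */
static const char *nvme_auth_hmac_name_mock(unsigned char hash)
{
	static const char *const names[] = {
		"none", "hmac(sha256)", "hmac(sha384)", "hmac(sha512)"
	};
	return hash < 4 ? names[hash] : "unknown";
}

/* Hypothetical stand-in for nvme_auth_extract_key(): returns an allocated key
 * or an ERR_PTR(), the two outcomes the caller has to tell apart. */
static struct nvme_dhchap_key *nvme_auth_extract_key_mock(const char *secret,
							  unsigned char hash)
{
	size_t len = strlen(secret);
	struct nvme_dhchap_key *key;

	if (len == 0 || len > sizeof(key->key) || hash > 3)
		return ERR_PTR(-EINVAL);
	key = calloc(1, sizeof(*key));
	if (!key)
		return ERR_PTR(-ENOMEM);
	key->len = len;
	key->hash = hash;
	memcpy(key->key, secret, len);
	return key;
}

/* Key setup in the shape of the quoted code, with the early exit the reporter
 * suggests: once ctrl->ctrl_key is reset to NULL we jump past the debug print
 * that would otherwise dereference it. */
static int setup_ctrl_key(struct nvmet_ctrl *ctrl, const struct nvmet_host *host)
{
	int ret = 0;

	ctrl->ctrl_key = nvme_auth_extract_key_mock(host->dhchap_ctrl_secret + 10,
						    host->dhchap_ctrl_key_hash);
	if (IS_ERR(ctrl->ctrl_key)) {
		ret = PTR_ERR(ctrl->ctrl_key);
		ctrl->ctrl_key = NULL;
		goto out_unlock;   /* the missing jump: never print with a NULL key */
	}
	printf("%s: using ctrl hash %s key len %zu\n", __func__,
	       nvme_auth_hmac_name_mock(ctrl->ctrl_key->hash), ctrl->ctrl_key->len);
out_unlock:
	/* in the real function the controller lock is dropped here */
	return ret;
}

/* Drives one controller setup and returns the error code; the key length
 * (0 when no key was set) is reported through *key_len when non-NULL. */
long setup_auth_scenario(const char *secret, unsigned char hash, size_t *key_len)
{
	struct nvmet_host host = { secret, hash };
	struct nvmet_ctrl ctrl = { NULL };
	long ret = setup_ctrl_key(&ctrl, &host);

	if (key_len)
		*key_len = ctrl.ctrl_key ? ctrl.ctrl_key->len : 0;
	free(ctrl.ctrl_key);   /* free(NULL) is a no-op, so the error path is safe too */
	return ret;
}

int main(void)
{
	size_t len = 0;
	long ret = setup_auth_scenario("DHHC-1:00:", 0, &len);   /* constructed: empty key after the prefix */
	printf("empty secret -> ret %ld, key len %zu\n", ret, len);
	ret = setup_auth_scenario("DHHC-1:01:abcdef", 1, &len); /* constructed: valid key */
	printf("valid secret -> ret %ld, key len %zu\n", ret, len);
	return 0;
}
```

The first scenario is the one the report is about: extraction fails, `ctrl_key` is NULL, and the function returns `-EINVAL` without touching the key. Without the `goto`, the `printf` line would read `ctrl->ctrl_key->hash` through a NULL pointer, which in the kernel is the oops the reporter hit.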