[bug report] nvme: NULL pointer dereference in nvmet_setup

public inbox for linux-nvme@lists.infradead.org
 help / color / mirror / Atom feed

* [bug report] nvme: NULL pointer dereference in nvmet_setup_auth
@ 2022-08-23 12:23 Tal Lossos
  2022-08-23 16:12 ` Christoph Hellwig
  0 siblings, 1 reply; 2+ messages in thread
From: Tal Lossos @ 2022-08-23 12:23 UTC (permalink / raw)
  To: hch, sagi, kch, linux-nvme, linux-kernel

Hello,
There is a NULL pointer dereference in nvmet_setup_auth() introduced
in commit db1312dd95488b5e6ff362ff66fcf953a46b1821 causing a DoS.
As of v6.0-rc2, in target/auth.c:196, if there is an error with
ctrl->ctrl_key, it gets reassigned to NULL, and one line afterwards,
it gets dereferenced in the call for pr_debug():

ctrl->ctrl_key = nvme_auth_extract_key(host->dhchap_ctrl_secret + 10,
    host->dhchap_ctrl_key_hash);
if (IS_ERR(ctrl->ctrl_key)) {
    ret = PTR_ERR(ctrl->ctrl_key);
    ctrl->ctrl_key = NULL;   <--- Assigning NULL
}
pr_debug("%s: using ctrl hash %s key %*ph\n", __func__,
ctrl->ctrl_key->hash > 0 ?   <--- NULL pointer dereference
nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",
(int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);

This bug occurs probably due to a missing goto statement (goto out_unlock).

Best Regards,
Tal Lossos

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [bug report] nvme: NULL pointer dereference in nvmet_setup_auth
  2022-08-23 12:23 [bug report] nvme: NULL pointer dereference in nvmet_setup_auth Tal Lossos
@ 2022-08-23 16:12 ` Christoph Hellwig
  0 siblings, 0 replies; 2+ messages in thread
From: Christoph Hellwig @ 2022-08-23 16:12 UTC (permalink / raw)
  To: Hannes Reinecke; +Cc: Tal Lossos, sagi, kch, linux-nvme, linux-kernel

On Tue, Aug 23, 2022 at 03:23:37PM +0300, Tal Lossos wrote:
> Hello,
> There is a NULL pointer dereference in nvmet_setup_auth() introduced
> in commit db1312dd95488b5e6ff362ff66fcf953a46b1821 causing a DoS.
> As of v6.0-rc2, in target/auth.c:196, if there is an error with
> ctrl->ctrl_key, it gets reassigned to NULL, and one line afterwards,
> it gets dereferenced in the call for pr_debug():

Hannes, can you look into this?

> 
> ctrl->ctrl_key = nvme_auth_extract_key(host->dhchap_ctrl_secret + 10,
>     host->dhchap_ctrl_key_hash);
> if (IS_ERR(ctrl->ctrl_key)) {
>     ret = PTR_ERR(ctrl->ctrl_key);
>     ctrl->ctrl_key = NULL;   <--- Assigning NULL
> }
> pr_debug("%s: using ctrl hash %s key %*ph\n", __func__,
> ctrl->ctrl_key->hash > 0 ?   <--- NULL pointer dereference
> nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",
> (int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);
> 
> This bug occurs probably due to a missing goto statement (goto out_unlock).
> 
> Best Regards,
> Tal Lossos
---end quoted text---


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-08-23 16:13 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-08-23 12:23 [bug report] nvme: NULL pointer dereference in nvmet_setup_auth Tal Lossos
2022-08-23 16:12 ` Christoph Hellwig

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox