linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] Potential NULL pointer deference in drbg_ctr_df
       [not found] <20140620202418.GZ5015@mwanda>
@ 2014-06-21 12:26 ` Stephan Mueller
  2014-06-25  9:06   ` Herbert Xu
  0 siblings, 1 reply; 5+ messages in thread
From: Stephan Mueller @ 2014-06-21 12:26 UTC (permalink / raw)
  To: kbuild test robot, Herbert Xu; +Cc: kbuild, Dan Carpenter, linux-kernel

The handling of additional input data / personalization string data may
be subject to a NULL pointer deference for the CTR DRBG. The
caller-provided data may be NULL which must be caught by the DRBG.

Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/drbg.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index faaa2ce..8e7c302 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -513,17 +513,20 @@ static int drbg_ctr_df(struct drbg_state *drbg,
 	drbg_string_fill(&S2, L_N, sizeof(L_N));
 	drbg_string_fill(&S4, pad, padlen);
 	S1.next = &S2;
-	S2.next = addtl;
 
-	/*
-	 * splice in addtl between S2 and S4 -- we place S4 at the end of the
-	 * input data chain
-	 */
-	tempstr = addtl;
-	for (; NULL != tempstr; tempstr = tempstr->next)
-		if (NULL == tempstr->next)
-			break;
-	tempstr->next = &S4;
+	if (NULL == addtl) {
+		S2.next = &S4;
+	} else {
+		/*
+		 * splice in addtl between S2 and S4 -- we place S4 at the end
+		 * of the input data chain
+		 */
+		S2.next = addtl;
+		tempstr = addtl;
+		while (tempstr->next)
+			tempstr = tempstr->next;
+		tempstr->next = &S4;
+	}
 
 	/* 10.4.2 step 9 */
 	while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
-- 
1.9.3



^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH] Potential NULL pointer deference in drbg_ctr_df
  2014-06-21 12:26 ` [PATCH] Potential NULL pointer deference in drbg_ctr_df Stephan Mueller
@ 2014-06-25  9:06   ` Herbert Xu
  2014-07-04 10:50     ` Dan Carpenter
  0 siblings, 1 reply; 5+ messages in thread
From: Herbert Xu @ 2014-06-25  9:06 UTC (permalink / raw)
  To: Stephan Mueller
  Cc: kbuild test robot, kbuild, Dan Carpenter, linux-kernel,
	Linux Crypto Mailing List

On Sat, Jun 21, 2014 at 02:26:29PM +0200, Stephan Mueller wrote:
> The handling of additional input data / personalization string data may
> be subject to a NULL pointer deference for the CTR DRBG. The
> caller-provided data may be NULL which must be caught by the DRBG.
> 
> Reported-by: kbuild test robot <fengguang.wu@intel.com>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
>  crypto/drbg.c | 23 +++++++++++++----------
>  1 file changed, 13 insertions(+), 10 deletions(-)
> 
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index faaa2ce..8e7c302 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -513,17 +513,20 @@ static int drbg_ctr_df(struct drbg_state *drbg,
>  	drbg_string_fill(&S2, L_N, sizeof(L_N));
>  	drbg_string_fill(&S4, pad, padlen);
>  	S1.next = &S2;
> -	S2.next = addtl;
>  
> -	/*
> -	 * splice in addtl between S2 and S4 -- we place S4 at the end of the
> -	 * input data chain
> -	 */
> -	tempstr = addtl;
> -	for (; NULL != tempstr; tempstr = tempstr->next)
> -		if (NULL == tempstr->next)
> -			break;
> -	tempstr->next = &S4;
> +	if (NULL == addtl) {
> +		S2.next = &S4;
> +	} else {
> +		/*
> +		 * splice in addtl between S2 and S4 -- we place S4 at the end
> +		 * of the input data chain
> +		 */
> +		S2.next = addtl;
> +		tempstr = addtl;
> +		while (tempstr->next)
> +			tempstr = tempstr->next;
> +		tempstr->next = &S4;

You've still got exactly the same NULL dereference.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] Potential NULL pointer deference in drbg_ctr_df
  2014-06-25  9:06   ` Herbert Xu
@ 2014-07-04 10:50     ` Dan Carpenter
  2014-07-05  0:00       ` Stephan Mueller
  0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2014-07-04 10:50 UTC (permalink / raw)
  To: Herbert Xu
  Cc: Stephan Mueller, kbuild test robot, kbuild, linux-kernel,
	Linux Crypto Mailing List

On Wed, Jun 25, 2014 at 05:06:46PM +0800, Herbert Xu wrote:
> On Sat, Jun 21, 2014 at 02:26:29PM +0200, Stephan Mueller wrote:
> > The handling of additional input data / personalization string data may
> > be subject to a NULL pointer deference for the CTR DRBG. The
> > caller-provided data may be NULL which must be caught by the DRBG.
> > 
> > Reported-by: kbuild test robot <fengguang.wu@intel.com>


Oh, huh.  This bug was actually reported by me but I forgot to change
the from header and apparently my smtp server allows me to send emails
as if I work for Intel.  :P

Fengguang is much nicer than I am.  :P

> > Signed-off-by: Stephan Mueller <smueller@chronox.de>
> > ---
> >  crypto/drbg.c | 23 +++++++++++++----------
> >  1 file changed, 13 insertions(+), 10 deletions(-)
> > 
> > diff --git a/crypto/drbg.c b/crypto/drbg.c
> > index faaa2ce..8e7c302 100644
> > --- a/crypto/drbg.c
> > +++ b/crypto/drbg.c
> > @@ -513,17 +513,20 @@ static int drbg_ctr_df(struct drbg_state *drbg,
> >  	drbg_string_fill(&S2, L_N, sizeof(L_N));
> >  	drbg_string_fill(&S4, pad, padlen);
> >  	S1.next = &S2;
> > -	S2.next = addtl;
> >  
> > -	/*
> > -	 * splice in addtl between S2 and S4 -- we place S4 at the end of the
> > -	 * input data chain
> > -	 */
> > -	tempstr = addtl;
> > -	for (; NULL != tempstr; tempstr = tempstr->next)
> > -		if (NULL == tempstr->next)
> > -			break;
> > -	tempstr->next = &S4;
> > +	if (NULL == addtl) {
> > +		S2.next = &S4;
> > +	} else {
> > +		/*
> > +		 * splice in addtl between S2 and S4 -- we place S4 at the end
> > +		 * of the input data chain
> > +		 */
> > +		S2.next = addtl;
> > +		tempstr = addtl;
> > +		while (tempstr->next)
> > +			tempstr = tempstr->next;
> > +		tempstr->next = &S4;
> 
> You've still got exactly the same NULL dereference.

I was offline for a bit so I'm coming into this late.  It's weird that
Stephan isn't defending his patch but it looks ok to me...

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] Potential NULL pointer deference in drbg_ctr_df
  2014-07-04 10:50     ` Dan Carpenter
@ 2014-07-05  0:00       ` Stephan Mueller
  2014-07-05  0:36         ` Fengguang Wu
  0 siblings, 1 reply; 5+ messages in thread
From: Stephan Mueller @ 2014-07-05  0:00 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Herbert Xu, kbuild test robot, kbuild, linux-kernel,
	Linux Crypto Mailing List

Am Freitag, 4. Juli 2014, 13:50:03 schrieb Dan Carpenter:

Hi Dan,

> On Wed, Jun 25, 2014 at 05:06:46PM +0800, Herbert Xu wrote:
> > On Sat, Jun 21, 2014 at 02:26:29PM +0200, Stephan Mueller wrote:
> > > The handling of additional input data / personalization string data may
> > > be subject to a NULL pointer deference for the CTR DRBG. The
> > > caller-provided data may be NULL which must be caught by the DRBG.
> > > 
> > > Reported-by: kbuild test robot <fengguang.wu@intel.com>
> 
> Oh, huh.  This bug was actually reported by me but I forgot to change
> the from header and apparently my smtp server allows me to send emails
> as if I work for Intel.  :P
> 
> Fengguang is much nicer than I am.  :P

Too late, your colleague's name is now in the patches ;-)
> 
> > > Signed-off-by: Stephan Mueller <smueller@chronox.de>
> > > ---
> > > 
> > >  crypto/drbg.c | 23 +++++++++++++----------
> > >  1 file changed, 13 insertions(+), 10 deletions(-)
> > > 
> > > diff --git a/crypto/drbg.c b/crypto/drbg.c
> > > index faaa2ce..8e7c302 100644
> > > --- a/crypto/drbg.c
> > > +++ b/crypto/drbg.c
> > > @@ -513,17 +513,20 @@ static int drbg_ctr_df(struct drbg_state *drbg,
> > > 
> > >  	drbg_string_fill(&S2, L_N, sizeof(L_N));
> > >  	drbg_string_fill(&S4, pad, padlen);
> > >  	S1.next = &S2;
> > > 
> > > -	S2.next = addtl;
> > > 
> > > -	/*
> > > -	 * splice in addtl between S2 and S4 -- we place S4 at the end of the
> > > -	 * input data chain
> > > -	 */
> > > -	tempstr = addtl;
> > > -	for (; NULL != tempstr; tempstr = tempstr->next)
> > > -		if (NULL == tempstr->next)
> > > -			break;
> > > -	tempstr->next = &S4;
> > > +	if (NULL == addtl) {
> > > +		S2.next = &S4;
> > > +	} else {
> > > +		/*
> > > +		 * splice in addtl between S2 and S4 -- we place S4 at the end
> > > +		 * of the input data chain
> > > +		 */
> > > +		S2.next = addtl;
> > > +		tempstr = addtl;
> > > +		while (tempstr->next)
> > > +			tempstr = tempstr->next;
> > > +		tempstr->next = &S4;
> > 
> > You've still got exactly the same NULL dereference.
> 
> I was offline for a bit so I'm coming into this late.  It's weird that
> Stephan isn't defending his patch but it looks ok to me...

It has been clarified in a later email that there was no NULL pointer after 
all. I erroneously sent this message and initially missed the check that 
guards against the NULL pointer.
> 
> regards,
> dan carpenter


-- 
Ciao
Stephan

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] Potential NULL pointer deference in drbg_ctr_df
  2014-07-05  0:00       ` Stephan Mueller
@ 2014-07-05  0:36         ` Fengguang Wu
  0 siblings, 0 replies; 5+ messages in thread
From: Fengguang Wu @ 2014-07-05  0:36 UTC (permalink / raw)
  To: Stephan Mueller
  Cc: Dan Carpenter, Herbert Xu, kbuild, linux-kernel,
	Linux Crypto Mailing List

On Sat, Jul 05, 2014 at 02:00:15AM +0200, Stephan Mueller wrote:
> Am Freitag, 4. Juli 2014, 13:50:03 schrieb Dan Carpenter:
> 
> Hi Dan,
> 
> > On Wed, Jun 25, 2014 at 05:06:46PM +0800, Herbert Xu wrote:
> > > On Sat, Jun 21, 2014 at 02:26:29PM +0200, Stephan Mueller wrote:
> > > > The handling of additional input data / personalization string data may
> > > > be subject to a NULL pointer deference for the CTR DRBG. The
> > > > caller-provided data may be NULL which must be caught by the DRBG.
> > > > 
> > > > Reported-by: kbuild test robot <fengguang.wu@intel.com>
> > 
> > Oh, huh.  This bug was actually reported by me but I forgot to change
> > the from header and apparently my smtp server allows me to send emails
> > as if I work for Intel.  :P
> > 
> > Fengguang is much nicer than I am.  :P
> 
> Too late, your colleague's name is now in the patches ;-)

Thank you nice guys! :P

Thanks,
Fengguang

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-07-05  0:36 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20140620202418.GZ5015@mwanda>
2014-06-21 12:26 ` [PATCH] Potential NULL pointer deference in drbg_ctr_df Stephan Mueller
2014-06-25  9:06   ` Herbert Xu
2014-07-04 10:50     ` Dan Carpenter
2014-07-05  0:00       ` Stephan Mueller
2014-07-05  0:36         ` Fengguang Wu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).