| Message ID | 20210107092855.76093-1-tianjia.zhang@linux.alibaba.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | X.509: Fix crash caused by NULL pointer | expand |
Tianjia Zhang <tianjia.zhang@linux.alibaba.com> wrote: > On the following call path, `sig->pkey_algo` is not assigned > in asymmetric_key_verify_signature(), which causes runtime > crash in public_key_verify_signature(). > > keyctl_pkey_verify > asymmetric_key_verify_signature > verify_signature > public_key_verify_signature > > This patch simply check this situation and fixes the crash > caused by NULL pointer. > > Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification") > Cc: stable@vger.kernel.org # v5.10+ > Reported-by: Tobias Markus <tobias@markus-regensburg.de> > Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Looks reasonable: Acked-by: David Howells <dhowells@redhat.com> I wonder, though, if cert_sig_digest_update() should be obtained by some sort of function pointer. It doesn't really seem to belong in this file. But this is a separate issue. David
On 1/7/21 6:58 PM, David Howells wrote: > Tianjia Zhang <tianjia.zhang@linux.alibaba.com> wrote: > >> On the following call path, `sig->pkey_algo` is not assigned >> in asymmetric_key_verify_signature(), which causes runtime >> crash in public_key_verify_signature(). >> >> keyctl_pkey_verify >> asymmetric_key_verify_signature >> verify_signature >> public_key_verify_signature >> >> This patch simply check this situation and fixes the crash >> caused by NULL pointer. >> >> Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification") >> Cc: stable@vger.kernel.org # v5.10+ >> Reported-by: Tobias Markus <tobias@markus-regensburg.de> >> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> > > Looks reasonable: > > Acked-by: David Howells <dhowells@redhat.com> > > I wonder, though, if cert_sig_digest_update() should be obtained by some sort > of function pointer. It doesn't really seem to belong in this file. But this > is a separate issue. > > David > Yes, this is indeed the logic of the SM2 module. I have tried to dynamically load and obtain the pointer of this function through `request_module` before, but this method still does not seem very suitable. Here are some unfinished codes I tried before: https://github.com/uudiin/linux/commit/55bca48c6282415d94c53a7692622d544da99342 It would be great if you have some good experience to share with me, I will continue to try to optimize this code. Best regards, Tianjia
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index 8892908ad58c..788a4ba1e2e7 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -356,7 +356,8 @@ int public_key_verify_signature(const struct public_key *pkey, if (ret) goto error_free_key; - if (strcmp(sig->pkey_algo, "sm2") == 0 && sig->data_size) { + if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 && + sig->data_size) { ret = cert_sig_digest_update(sig, tfm); if (ret) goto error_free_key;
On the following call path, `sig->pkey_algo` is not assigned in asymmetric_key_verify_signature(), which causes runtime crash in public_key_verify_signature(). keyctl_pkey_verify asymmetric_key_verify_signature verify_signature public_key_verify_signature This patch simply check this situation and fixes the crash caused by NULL pointer. Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification") Cc: stable@vger.kernel.org # v5.10+ Reported-by: Tobias Markus <tobias@markus-regensburg.de> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> --- crypto/asymmetric_keys/public_key.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)