| Message ID | 20200305085040.21551-1-yangerkun@huawei.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | [4.4.y] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async | expand |
Drop this, the attach call trace is wrong... I am so sorry for this. Will send v2. On 2020/3/5 16:50, yangerkun wrote: > Nowdays, we trigger a oops: > ... > kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 > ... > [<ffffffff8114ab47>] do_async_page_fault+0x37/0xb0 x86/../arch/x86/kernel/kvm.c:266 > [<ffffffff828b4a48>] async_page_fault+0x28/0x30 x86/../arch/x86/entry/entry_64.S:1043 > [<ffffffff81b47c2a>] iov_iter_zero+0x15a/0x850 x86/../lib/iov_iter.c:445 > [<ffffffff81e8ca2f>] read_iter_zero+0xcf/0x1b0 x86/../drivers/char/mem.c:708 > [<ffffffff816ea7c8>] do_iter_readv_writev x86/../fs/read_write.c:679 [inline] > [<ffffffff816ea7c8>] do_readv_writev+0x448/0x8e0 x86/../fs/read_write.c:823 > [<ffffffff816eacdf>] vfs_readv+0x7f/0xb0 x86/../fs/read_write.c:849 > [<ffffffff816edac3>] SYSC_preadv x86/../fs/read_write.c:927 [inline] > [<ffffffff816edac3>] SyS_preadv+0x193/0x240 x86/../fs/read_write.c:913 > [<ffffffff828b3261>] entry_SYSCALL_64_fastpath+0x1e/0x9a > > In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we > calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this, > the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR. > > This function was introduced with ' commit a596999b7ddf ("crypto: > algif - change algif_skcipher to be asynchronous")', and has been removed > with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory > management")'. > > Reported-by: Hulk Robot <hulkci@huawei.com> > Signed-off-by: yangerkun <yangerkun@huawei.com> > --- > crypto/algif_skcipher.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c > index d12782dc9683..9bd4691cc5c5 100644 > --- a/crypto/algif_skcipher.c > +++ b/crypto/algif_skcipher.c > @@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg, > lock_sock(sk); > tx_nents = skcipher_all_sg_nents(ctx); > sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL); > - if (unlikely(!sreq->tsg)) > + if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg))) > goto unlock; > sg_init_table(sreq->tsg, tx_nents); > memcpy(iv, ctx->iv, ivsize);
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index d12782dc9683..9bd4691cc5c5 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg, lock_sock(sk); tx_nents = skcipher_all_sg_nents(ctx); sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL); - if (unlikely(!sreq->tsg)) + if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg))) goto unlock; sg_init_table(sreq->tsg, tx_nents); memcpy(iv, ctx->iv, ivsize);
Nowdays, we trigger a oops: ... kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 ... [<ffffffff8114ab47>] do_async_page_fault+0x37/0xb0 x86/../arch/x86/kernel/kvm.c:266 [<ffffffff828b4a48>] async_page_fault+0x28/0x30 x86/../arch/x86/entry/entry_64.S:1043 [<ffffffff81b47c2a>] iov_iter_zero+0x15a/0x850 x86/../lib/iov_iter.c:445 [<ffffffff81e8ca2f>] read_iter_zero+0xcf/0x1b0 x86/../drivers/char/mem.c:708 [<ffffffff816ea7c8>] do_iter_readv_writev x86/../fs/read_write.c:679 [inline] [<ffffffff816ea7c8>] do_readv_writev+0x448/0x8e0 x86/../fs/read_write.c:823 [<ffffffff816eacdf>] vfs_readv+0x7f/0xb0 x86/../fs/read_write.c:849 [<ffffffff816edac3>] SYSC_preadv x86/../fs/read_write.c:927 [inline] [<ffffffff816edac3>] SyS_preadv+0x193/0x240 x86/../fs/read_write.c:913 [<ffffffff828b3261>] entry_SYSCALL_64_fastpath+0x1e/0x9a In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this, the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR. This function was introduced with ' commit a596999b7ddf ("crypto: algif - change algif_skcipher to be asynchronous")', and has been removed with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")'. Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: yangerkun <yangerkun@huawei.com> --- crypto/algif_skcipher.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)