| Message ID | 20240606183401.11-1-alsp705@gmail.com (mailing list archive) |
|---|---|
| State | Rejected |
| Delegated to: | Herbert Xu |
| Series | crypto: algif_aead: deref after NULL |
On Thu, Jun 06, 2024 at 09:34:00PM +0300, Alexander Sapozhnikov wrote:
> From: Alexandr Sapozhnikov <alsp705@gmail.com>
>
> After having been compared to a NULL value at algif_aead.c:191,
> pointer 'tsgl_src' is passed as 2nd parameter in call to function
> 'crypto_aead_copy_sgl' at algif_aead.c:244, where it is
> dereferenced at algif_aead.c:85.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Alexandr Sapozhnikov <alsp705@gmail.com>
> ---
> crypto/algif_aead.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
> index 42493b4..f757907 100644
> --- a/crypto/algif_aead.c
> +++ b/crypto/algif_aead.c
> @@ -191,7 +191,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
> if (tsgl_src)
> break;
> }
> - if (processed && !tsgl_src) {
> + if (processed || !tsgl_src) {

I think this is a false positive. If processed is zero (which can only happen for encryption, i.e., a null message), tsgl_src won't be dereferenced by the Crypto API. For decryption processed is never zero as it always contains the authentication tag.

Cheers,
diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c index 42493b4..f757907 100644 --- a/crypto/algif_aead.c +++ b/crypto/algif_aead.c @@ -191,7 +191,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, if (tsgl_src) break; } - if (processed && !tsgl_src) { + if (processed || !tsgl_src) { err = -EFAULT; goto free; }
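Review bot: the replacement condition `if (processed || !tsgl_src)` in the `_aead_recvmsg` hunk takes the `err = -EFAULT; goto free;` path whenever `processed` is nonzero, so every request with data to process would fail, including all decryptions (where, per the maintainer's reply above, `processed` always includes the authentication tag). If the intent were to reject a NULL `tsgl_src` unconditionally, the test would read `if (!tsgl_src)`, not `||`; but the reply also explains that the original `processed && !tsgl_src` is deliberate: `processed == 0` is the null-message encryption case in which `tsgl_src` is never dereferenced, so the SVACE report is a false positive and the hunk should be dropped rather than rewritten.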