From patchwork Mon Nov 15 16:01:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tadeusz Struk X-Patchwork-Id: 12619887 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23D16C433EF for ; Mon, 15 Nov 2021 16:02:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EAF4C61AD1 for ; Mon, 15 Nov 2021 16:02:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236608AbhKOQFg (ORCPT ); Mon, 15 Nov 2021 11:05:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49150 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232638AbhKOQFM (ORCPT ); Mon, 15 Nov 2021 11:05:12 -0500 Received: from mail-pg1-x52a.google.com (mail-pg1-x52a.google.com [IPv6:2607:f8b0:4864:20::52a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A52A1C061766 for ; Mon, 15 Nov 2021 08:02:13 -0800 (PST) Received: by mail-pg1-x52a.google.com with SMTP id q12so3267564pgh.5 for ; Mon, 15 Nov 2021 08:02:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=tivrXntTWIbCkVzZC4y1HIyO4FqKtX6bYEAzYxt9B4c=; b=oWCc1n4tm5zCJxae3xkGIvL4qNO5jJQK2PhsxaekoUCUdhsyS7fg9L2yaSfdbujV6o Nxst2ng8GqpnJQDUI63bIJ9xF+qaMBDWS8GZZ6aPcOTldEZM5rehKQwQnphbJz2UsHyt VEiEBBs85fhJgJd4r6lseabO8YMZjqRaKncMOBiOVwBIu1Mujam77+cBPU1X303T/eNA f4jYM1hLklyJnwCD4BJBnhFX1rkPuAGRZkO/m4okbBL/i6/JnjpAP82/ZWWkSfaFR+xY r1NWO0EsdOZt6G/ek3HGZRAaKGon42iM9vQaiXnB8LBn52A3DXSZYYIzW1UCu3zHOHp0 GLBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=tivrXntTWIbCkVzZC4y1HIyO4FqKtX6bYEAzYxt9B4c=; b=SSnij01RLHwUotqZbVFh3SZvrhe6vVkYNuzxj+NNoaKn7b/RwRCdq0JTmqgHugFneZ qt+SGWEy6U80E2ImK5TpsogyuzVrXxCUWyqS1dTWzpb1pzGQHjgmG1bCY7zUgbIO+39k lRRwGgwKlLsUD6rzMGpw2Q1zuNiR9uciTxWv4P2CUR8Kf/BmeMSLLhF2sLKnziQjyfHL 1Oay2t0whyHwtu11YiXWhIw1Bf3Ies/kfaQDjnMbpb9aQ+dS007EV5LEuL0pr7qVC512 mFMreyZhUre2PgoaNLUXK/dbPvbNNf949GAkL+40seT5RLQ2FqFsG+l/CSJt2L0HGJgV cLSQ== X-Gm-Message-State: AOAM533ecn+k9hyDZBV3lEMJJgUl8CUGLO6CKB0IYzqaqyWAkhRWRPzv Tfm6nlTIOOX5Sib46YXHCzxZzw== X-Google-Smtp-Source: ABdhPJzwcqJ6KzoH1s6JCM7i7hqtm/wv2VNT0LxCOTZuK4dKTRSpry+DXx0j2CMmYHa146COp1uoBw== X-Received: by 2002:a63:bf45:: with SMTP id i5mr25148151pgo.161.1636992133191; Mon, 15 Nov 2021 08:02:13 -0800 (PST) Received: from localhost.localdomain ([50.39.160.154]) by smtp.gmail.com with ESMTPSA id o2sm16331383pfu.206.2021.11.15.08.02.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 15 Nov 2021 08:02:12 -0800 (PST) From: Tadeusz Struk To: davem@davemloft.net Cc: Tadeusz Struk , Jon Maloy , Ying Xue , Jakub Kicinski , netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Dmitry Vyukov Subject: [PATCH v2] tipc: check for null after calling kmemdup Date: Mon, 15 Nov 2021 08:01:43 -0800 Message-Id: <20211115160143.5099-1-tadeusz.struk@linaro.org> X-Mailer: git-send-email 2.33.1 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org kmemdup can return a null pointer so need to check for it, otherwise the null key will be dereferenced later in tipc_crypto_key_xmit as can be seen in the trace [1]. Cc: Jon Maloy Cc: Ying Xue Cc: "David S. Miller" Cc: Jakub Kicinski Cc: netdev@vger.kernel.org Cc: tipc-discussion@lists.sourceforge.net Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org # 5.15, 5.14, 5.10 [1] https://syzkaller.appspot.com/bug?id=bca180abb29567b189efdbdb34cbf7ba851c2a58 Reported-by: Dmitry Vyukov Signed-off-by: Tadeusz Struk Acked-by: Ying Xue Reported-by: Dmitry Vyukov Signed-off-by: Tadeusz Struk Acked-by: Jon Maloy --- Changed in v2: - use tipc_aead_free() to free all crytpo tfm instances that might have been allocated before the fail. --- net/tipc/crypto.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index dc60c32bb70d..d293614d5fc6 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -597,6 +597,10 @@ static int tipc_aead_init(struct tipc_aead **aead, struct tipc_aead_key *ukey, tmp->cloned = NULL; tmp->authsize = TIPC_AES_GCM_TAG_SIZE; tmp->key = kmemdup(ukey, tipc_aead_key_size(ukey), GFP_KERNEL); + if (!tmp->key) { + tipc_aead_free(&tmp->rcu); + return -ENOMEM; + } memcpy(&tmp->salt, ukey->key + keylen, TIPC_AES_GCM_SALT_SIZE); atomic_set(&tmp->users, 0); atomic64_set(&tmp->seqno, 0);