From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hulk Robot, yangerkun
Subject: [PATCH 4.9 88/88] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
Date: Tue, 10 Mar 2020 13:39:36 +0100
Message-Id: <20200310123625.434168321@linuxfoundation.org>
In-Reply-To: <20200310123606.543939933@linuxfoundation.org>
References: <20200310123606.543939933@linuxfoundation.org>

From: yangerkun

Nowadays, we trigger an oops:
...
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] SMP KASAN
...
Call Trace:
 [] skcipher_recvmsg_async+0x3f1/0x1400 x86/../crypto/algif_skcipher.c:543
 [] skcipher_recvmsg+0x93/0x7f0 x86/../crypto/algif_skcipher.c:723
 [] sock_recvmsg_nosec x86/../net/socket.c:702 [inline]
 [] sock_recvmsg x86/../net/socket.c:710 [inline]
 [] sock_recvmsg+0x94/0xc0 x86/../net/socket.c:705
 [] sock_read_iter+0x27b/0x3a0 x86/../net/socket.c:787
 [] aio_run_iocb+0x21b/0x7a0 x86/../fs/aio.c:1520
 [] io_submit_one x86/../fs/aio.c:1630 [inline]
 [] do_io_submit+0x6b9/0x10b0 x86/../fs/aio.c:1688
 [] SYSC_io_submit x86/../fs/aio.c:1713 [inline]
 [] SyS_io_submit+0x2d/0x40 x86/../fs/aio.c:1710
 [] tracesys_phase2+0x90/0x95

In skcipher_recvmsg_async, we use '!sreq->tsg' to determine whether the calloc failed. However, kcalloc may return ZERO_SIZE_PTR, and with this, the latter sg_init_table will trigger the bug. Fix it by using ZERO_OR_NULL_PTR.

This function was introduced with 'commit a596999b7ddf ("crypto: algif - change algif_skcipher to be asynchronous")', and has been removed with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")'.

Reported-by: Hulk Robot
Signed-off-by: yangerkun
Signed-off-by: Greg Kroah-Hartman --- crypto/algif_skcipher.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) v1->v2: update the commit message --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct lock_sock(sk); tx_nents = skcipher_all_sg_nents(ctx); sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL); - if (unlikely(!sreq->tsg)) + if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg))) goto unlock; sg_init_table(sreq->tsg, tx_nents); memcpy(iv, ctx->iv, ivsize);
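
Review bot: The new test after kcalloc() in skcipher_recvmsg_async() sends the tx_nents == 0 case down the same `goto unlock` path as a genuine allocation failure, so an empty scatterlist count is reported to the caller with whatever error code is pending at that point (not visible in this hunk) and cannot be told apart from out-of-memory. Consider checking the count returned by skcipher_all_sg_nents() before allocating, for example `if (!tx_nents) goto unlock;` with an explicit error value set first, and keeping the plain NULL check for the kcalloc() result; that avoids the zero-size allocation altogether and makes it obvious at the call site why sg_init_table() must never be handed a zero count. If the combined ZERO_OR_NULL_PTR() test is kept, a one-line comment noting that kcalloc() returns ZERO_SIZE_PTR for a zero element count would help, and it is worth confirming that the cleanup reached from `unlock` does not treat a non-NULL sreq->tsg as a valid table, since the field still holds ZERO_SIZE_PTR on this path.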