Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2455414pxj;
        Mon, 10 May 2021 03:28:47 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxpKwZm0Y6H3Mwek2nZMoWvwNfh9R/vQtXu7NUdel5oDO5ftxfcSXR4z1VxOCX6+WpyLJ/l
X-Received: by 2002:a17:906:c297:: with SMTP id r23mr24960602ejz.144.1620642527523;
        Mon, 10 May 2021 03:28:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620642527; cv=none;
        d=google.com; s=arc-20160816;
        b=KpDXXS4/6K1hLt3gnaTx6ywXdddY9mxlXZ8qzq2ggNVbsOH1omi5bB5jDlXxRQ3J1+
         A/m5cK7GVvfUC2DzZaubbzGu/lIu9wnywh7P6eeDLU2EQ8pT8U7hItwMI8TKwlLDVoby
         DB0+/HASA8uDui8hcq1m1jbqsJShSo9GiEDtBMNznw804pU86xKES6h0c9237vtTJrQu
         9b95LWuezV4dBE0uDWJWbM+l32rnz4os/1GTdTk5uzGdam6eVKebY+93MHTNLXqmOcoH
         bKTcGKHaVFYFMRbG+eEeUKPe8jCpkrfKCbDLhQ+kpfqZf9PvK1IBsTKgEPZdrPLTDmPN
         k8og==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=zb4jhEIrZlCikqF5dbMZxuTcxzsimJyfdWB6i6l9RLg=;
        b=IK1s1CRL/FDFOyekSAmluyqHpFQgCRehb/J0wtc8mwtkDysRC2TLeddUrqpqAp+o7F
         j78a42uaUBFMsNd5jjuhB3fcRS2XsODIbJs1CwI9aMd6R5MxGCD7zUh8tvotaezU1u5W
         MZp/R1LoDh3Eh7H0zFUWGyt0aRgrxcSau0x7MxSGhj6Tuj6zhsOxr/SnYunOht7BMtUT
         JD23wd89nFuk79S6IMvxXYNO6jBxklETQQRKdISsLmnTEBVrfNJGIGTh7hZLEDOf1ISB
         NIKUiOlgsemWY9JVOXMr2VFnNUw0M6pDB/JO97AIAbyztlQcKmvWHAWQwKMVgM8kpPgq
         rd6Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=TZow9ckp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id s11si10304141ejz.440.2021.05.10.03.28.23;
        Mon, 10 May 2021 03:28:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=TZow9ckp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231183AbhEJK1o (ORCPT <rfc822;lkmlinbox@gmail.com> + 99 others);
        Mon, 10 May 2021 06:27:44 -0400
Received: from mail.kernel.org ([198.145.29.99]:59904 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S231434AbhEJK0Q (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 10 May 2021 06:26:16 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 344DA61424;
        Mon, 10 May 2021 10:25:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1620642311;
        bh=wGRLrcJpSCb5EoOgwO2B6SFPu5ZR9CVHfUW1xQWuDYM=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=TZow9ckpk++MP/taWzjutfVsERXIoSYqA1uoAovf2f4pILeTkH3/lqj1ARMZYjEVm
         TsGOHdJRCdkFbaG8CN/t2rdMe4+Wc35SlYCpv5UfhQJku2ghFCoR8BvTv9hIeHTPZw
         j7Dda8/ZWcZ+pxoyyM5wNsySASyxsuH91dV8dEhA=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com,
        Eric Biggers <ebiggers@google.com>,
        Ard Biesheuvel <ardb@kernel.org>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 042/184] crypto: api - check for ERR pointers in crypto_destroy_tfm()
Date:   Mon, 10 May 2021 12:18:56 +0200
Message-Id: <20210510101951.590743855@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210510101950.200777181@linuxfoundation.org>
References: <20210510101950.200777181@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ard Biesheuvel <ardb@kernel.org>

[ Upstream commit 83681f2bebb34dbb3f03fecd8f570308ab8b7c2c ]

Given that crypto_alloc_tfm() may return ERR pointers, and to avoid
crashes on obscure error paths where such pointers are presented to
crypto_destroy_tfm() (such as [0]), add an ERR_PTR check there
before dereferencing the second argument as a struct crypto_tfm
pointer.

[0] https://lore.kernel.org/linux-crypto/000000000000de949705bc59e0f6@google.com/

Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 crypto/api.c               | 2 +-
 include/crypto/acompress.h | 2 ++
 include/crypto/aead.h      | 2 ++
 include/crypto/akcipher.h  | 2 ++
 include/crypto/hash.h      | 4 ++++
 include/crypto/kpp.h       | 2 ++
 include/crypto/rng.h       | 2 ++
 include/crypto/skcipher.h  | 2 ++
 8 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/crypto/api.c b/crypto/api.c
index eda0c56b8615..c71d1485541c 100644
--- a/crypto/api.c
+++ b/crypto/api.c
@@ -568,7 +568,7 @@ void crypto_destroy_tfm(void *mem, struct crypto_tfm *tfm)
 {
 	struct crypto_alg *alg;
 
-	if (unlikely(!mem))
+	if (IS_ERR_OR_NULL(mem))
 		return;
 
 	alg = tfm->__crt_alg;
diff --git a/include/crypto/acompress.h b/include/crypto/acompress.h
index d873f999b334..3a801a7d3a0e 100644
--- a/include/crypto/acompress.h
+++ b/include/crypto/acompress.h
@@ -147,6 +147,8 @@ static inline struct crypto_acomp *crypto_acomp_reqtfm(struct acomp_req *req)
  * crypto_free_acomp() -- free ACOMPRESS tfm handle
  *
  * @tfm:	ACOMPRESS tfm handle allocated with crypto_alloc_acomp()
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
  */
 static inline void crypto_free_acomp(struct crypto_acomp *tfm)
 {
diff --git a/include/crypto/aead.h b/include/crypto/aead.h
index 3c245b1859e7..3b870b4e8275 100644
--- a/include/crypto/aead.h
+++ b/include/crypto/aead.h
@@ -179,6 +179,8 @@ static inline struct crypto_tfm *crypto_aead_tfm(struct crypto_aead *tfm)
 /**
  * crypto_free_aead() - zeroize and free aead handle
  * @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
  */
 static inline void crypto_free_aead(struct crypto_aead *tfm)
 {
diff --git a/include/crypto/akcipher.h b/include/crypto/akcipher.h
index 6924b091adec..8913b42fcb34 100644
--- a/include/crypto/akcipher.h
+++ b/include/crypto/akcipher.h
@@ -174,6 +174,8 @@ static inline struct crypto_akcipher *crypto_akcipher_reqtfm(
  * crypto_free_akcipher() - free AKCIPHER tfm handle
  *
  * @tfm: AKCIPHER tfm handle allocated with crypto_alloc_akcipher()
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
  */
 static inline void crypto_free_akcipher(struct crypto_akcipher *tfm)
 {
diff --git a/include/crypto/hash.h b/include/crypto/hash.h
index 84e9f2380edf..e993c6beec07 100644
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -260,6 +260,8 @@ static inline struct crypto_tfm *crypto_ahash_tfm(struct crypto_ahash *tfm)
 /**
  * crypto_free_ahash() - zeroize and free the ahash handle
  * @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
  */
 static inline void crypto_free_ahash(struct crypto_ahash *tfm)
 {
@@ -703,6 +705,8 @@ static inline struct crypto_tfm *crypto_shash_tfm(struct crypto_shash *tfm)
 /**
  * crypto_free_shash() - zeroize and free the message digest handle
  * @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
  */
 static inline void crypto_free_shash(struct crypto_shash *tfm)
 {
diff --git a/include/crypto/kpp.h b/include/crypto/kpp.h
index cd9a9b500624..19a2eadbef61 100644
--- a/include/crypto/kpp.h
+++ b/include/crypto/kpp.h
@@ -154,6 +154,8 @@ static inline void crypto_kpp_set_flags(struct crypto_kpp *tfm, u32 flags)
  * crypto_free_kpp() - free KPP tfm handle
  *
  * @tfm: KPP tfm handle allocated with crypto_alloc_kpp()
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
  */
 static inline void crypto_free_kpp(struct crypto_kpp *tfm)
 {
diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index 8b4b844b4eef..17bb3673d3c1 100644
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -111,6 +111,8 @@ static inline struct rng_alg *crypto_rng_alg(struct crypto_rng *tfm)
 /**
  * crypto_free_rng() - zeroize and free RNG handle
  * @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
  */
 static inline void crypto_free_rng(struct crypto_rng *tfm)
 {
diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h
index aada87916918..0bce6005d325 100644
--- a/include/crypto/skcipher.h
+++ b/include/crypto/skcipher.h
@@ -203,6 +203,8 @@ static inline struct crypto_tfm *crypto_skcipher_tfm(
 /**
  * crypto_free_skcipher() - zeroize and free cipher handle
  * @tfm: cipher handle to be freed
+ *
+ * If @tfm is a NULL or error pointer, this function does nothing.
  */
 static inline void crypto_free_skcipher(struct crypto_skcipher *tfm)
 {
-- 
2.30.2