From: Mark O'Donovan
To: linux-kernel@vger.kernel.org
Cc: linux-crypto@vger.kernel.org, ebiggers@google.com, herbert@gondor.apana.org.au, Mark O'Donovan
Subject: [PATCH RESEND] lib/mpi: avoid null pointer deref in mpi_cmp_ui()
Date: Fri, 4 Aug 2023 09:32:18 +0000
Message-Id: <20230804093218.418276-1-shiftee@posteo.net>

During NVMeTCP Authentication a controller can trigger a kernel oops by specifying the 8192 bit Diffie Hellman group and passing a correctly sized, but zeroed Diffie Hellman value.

mpi_cmp_ui() was detecting this if the second parameter was 0, but 1 is passed from dh_is_pubkey_valid(). This causes the null pointer u->d to be dereferenced towards the end of mpi_cmp_ui().

Signed-off-by: Mark O'Donovan
---
lib/mpi/mpi-cmp.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/mpi/mpi-cmp.c b/lib/mpi/mpi-cmp.c index c4cfa3ff0581..0835b6213235 100644 --- a/lib/mpi/mpi-cmp.c +++ b/lib/mpi/mpi-cmp.c @@ -25,8 +25,12 @@ int mpi_cmp_ui(MPI u, unsigned long v) mpi_limb_t limb = v; mpi_normalize(u); - if (!u->nlimbs && !limb) - return 0; + if (u->nlimbs == 0) { + if (v == 0) + return 0; + else + return -1; + } if (u->sign) return -1; if (u->nlimbs > 1) -- 2.39.2
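Review bot: the `else` after `return 0;` inside the new `if (u->nlimbs == 0)` block is redundant and the branch mixes `v` with the `limb` copy the surrounding code compares against; `return v ? -1 : 0;` (or simply dropping the `else`) would be the more idiomatic kernel form and keeps the early return on one line. The logic itself is right: after `mpi_normalize(u)` a zero-limb `u` is exactly zero, so it is less than any non-zero `v`, and returning before the later limb comparison avoids touching `u->d` when no limbs are allocated, which is the dereference the commit message describes. Since the message says this is reachable by a remote NVMe/TCP controller during authentication, the patch should also carry a `Fixes:` tag naming the commit that introduced the `dh_is_pubkey_valid()` call with `1` (or the original `mpi_cmp_ui()` check) and a `Cc: stable@vger.kernel.org` so the fix is backported.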