If a zero length is passed to kmalloc() it returns 0x10, which is
not a valid address. gss_unwrap_resp_integ() subsequently crashes
when it attempts to dereference that pointer.
Signed-off-by: Chuck Lever <[email protected]>
---
net/sunrpc/auth_gss/auth_gss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index a31a27816cc0..7bb247c51e2f 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -1989,7 +1989,7 @@ gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred,
goto unwrap_failed;
mic.len = len;
mic.data = kmalloc(len, GFP_KERNEL);
- if (!mic.data)
+ if (ZERO_OR_NULL_PTR(mic.data))
goto unwrap_failed;
if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len))
goto unwrap_failed;
> On Oct 8, 2022, at 2:58 PM, Chuck Lever <[email protected]> wrote:
>
> If a zero length is passed to kmalloc() it returns 0x10, which is
> not a valid address. gss_unwrap_resp_integ() subsequently crashes
> when it attempts to dereference that pointer.
>
> Signed-off-by: Chuck Lever <[email protected]>
Hi, is there a plan to merge this patch, or does the fix need
a different approach?
> ---
> net/sunrpc/auth_gss/auth_gss.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
> index a31a27816cc0..7bb247c51e2f 100644
> --- a/net/sunrpc/auth_gss/auth_gss.c
> +++ b/net/sunrpc/auth_gss/auth_gss.c
> @@ -1989,7 +1989,7 @@ gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred,
> goto unwrap_failed;
> mic.len = len;
> mic.data = kmalloc(len, GFP_KERNEL);
> - if (!mic.data)
> + if (ZERO_OR_NULL_PTR(mic.data))
> goto unwrap_failed;
> if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len))
> goto unwrap_failed;
>
>
--
Chuck Lever
Hi Chuck,
On Wed, Oct 19, 2022 at 11:50 AM Chuck Lever III <[email protected]> wrote:
>
>
>
> > On Oct 8, 2022, at 2:58 PM, Chuck Lever <[email protected]> wrote:
> >
> > If a zero length is passed to kmalloc() it returns 0x10, which is
> > not a valid address. gss_unwrap_resp_integ() subsequently crashes
> > when it attempts to dereference that pointer.
> >
> > Signed-off-by: Chuck Lever <[email protected]>
>
> Hi, is there a plan to merge this patch, or does the fix need
> a different approach?
Thanks for following up. I'm planning to include it in my next
bugfixes pull request.
Anna
>
>
> > ---
> > net/sunrpc/auth_gss/auth_gss.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
> > index a31a27816cc0..7bb247c51e2f 100644
> > --- a/net/sunrpc/auth_gss/auth_gss.c
> > +++ b/net/sunrpc/auth_gss/auth_gss.c
> > @@ -1989,7 +1989,7 @@ gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred,
> > goto unwrap_failed;
> > mic.len = len;
> > mic.data = kmalloc(len, GFP_KERNEL);
> > - if (!mic.data)
> > + if (ZERO_OR_NULL_PTR(mic.data))
> > goto unwrap_failed;
> > if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len))
> > goto unwrap_failed;
> >
> >
>
> --
> Chuck Lever
>
>
>