2011-07-07 08:42:44

by Mathias Krause

Subject: [PATCH] crypto, gf128: fix call to memset()

In gf128mul_lle() and gf128mul_bbe() r isn't completely initialized with
zero because the size argument passed to memset() is the size of the
pointer, not the structure it points to.

Luckily there are no in-kernel users of those functions so the ABI
change implied by this fix should break no existing code.

Based on a patch by the PaX Team.

Signed-off-by: Mathias Krause <[email protected]>
Cc: PaX Team <[email protected]>
---
crypto/gf128mul.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/gf128mul.c b/crypto/gf128mul.c
index df35e4c..5276607 100644
--- a/crypto/gf128mul.c
+++ b/crypto/gf128mul.c
@@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128 *b)
for (i = 0; i < 7; ++i)
gf128mul_x_lle(&p[i + 1], &p[i]);

- memset(r, 0, sizeof(r));
+ memset(r, 0, sizeof(*r));
for (i = 0;;) {
u8 ch = ((u8 *)b)[15 - i];

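Review bot: At the memset() in gf128mul_lle(), the changelog should state how much of the block the old call actually cleared. `r` is a `be128 *`, so `sizeof(r)` is the pointer size (4 or 8 bytes depending on the architecture), while the loop that follows indexes `((u8 *)b)[15 - i]`, i.e. a 16-byte block; the remaining bytes of `*r` were left as the caller passed them. `sizeof(*r)` is the right form here because it follows the pointee type if that ever changes. Since the follow-up mentions a clang analysis pass found this, it would also be worth naming the check so it can be run over the rest of crypto/.
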
@@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128 *b)
for (i = 0; i < 7; ++i)
gf128mul_x_bbe(&p[i + 1], &p[i]);

- memset(r, 0, sizeof(r));
+ memset(r, 0, sizeof(*r));
for (i = 0;;) {
u8 ch = ((u8 *)b)[i];

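Review bot: At the memset() in gf128mul_bbe(), the fix itself is fine, but the commit message calls it an "ABI change" while the prototype in the hunk header, `void gf128mul_bbe(be128 *r, const be128 *b)`, is unchanged; this is a change in behaviour (the result no longer depends on stale bytes in `*r`), and the wording should say so. Because the message also states there are no in-kernel users, nothing exercises either function today, so please consider adding a test that calls gf128mul_lle() and gf128mul_bbe() with a non-zero `*r` tail and checks the product.
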
--
1.5.6.5


2011-07-07 09:10:56

by David Miller

Subject: Re: [PATCH] crypto, gf128: fix call to memset()

From: Mathias Krause <[email protected]>
Date: Thu, 7 Jul 2011 10:33:50 +0200

> In gf128mul_lle() and gf128mul_bbe() r isn't completely initialized with
> zero because the size argument passed to memset() is the size of the
> pointer, not the structure it points to.
>
> Luckily there are no in-kernel users of those functions so the ABI
> change implied by this fix should break no existing code.
>
> Based on a patch by the PaX Team.
>
> Signed-off-by: Mathias Krause <[email protected]>
> Cc: PaX Team <[email protected]>

Acked-by: David S. Miller <[email protected]>

2011-07-07 11:38:55

by PaX Team

Subject: Re: [PATCH] crypto, gf128: fix call to memset()

On 7 Jul 2011 at 10:33, Mathias Krause wrote:

> In gf128mul_lle() and gf128mul_bbe() r isn't completely initialized with
> zero because the size argument passed to memset() is the size of the
> pointer, not the structure it points to.
>
> Luckily there are no in-kernel users of those functions so the ABI
> change implied by this fix should break no existing code.
>
> Based on a patch by the PaX Team.

just for the record, the bug was pointed out by a recent clang analysis pass.

2011-07-08 09:21:47

by Herbert Xu

Subject: Re: [PATCH] crypto, gf128: fix call to memset()

On Thu, Jul 07, 2011 at 02:10:39AM -0700, David Miller wrote:
> From: Mathias Krause <[email protected]>
> Date: Thu, 7 Jul 2011 10:33:50 +0200
>
> > In gf128mul_lle() and gf128mul_bbe() r isn't completely initialized with
> > zero because the size argument passed to memset() is the size of the
> > pointer, not the structure it points to.
> >
> > Luckily there are no in-kernel users of those functions so the ABI
> > change implied by this fix should break no existing code.
> >
> > Based on a patch by the PaX Team.
> >
> > Signed-off-by: Mathias Krause <[email protected]>
> > Cc: PaX Team <[email protected]>
>
> Acked-by: David S. Miller <[email protected]>

Patch applied. Thanks a lot!
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt