author: Attila Fülöp <[email protected]> 2019-12-03 19:28:48 +0100
committer: Brian Behlendorf <[email protected]> 2019-12-03 10:28:47 -0800
commit: 54c8366e3984b710dc2ce99ffdce6dfb15e8eecf
tree: 526a15d8aea550947de739f98abc9a85cbf6b6b3 /cmd/zdb
parent: 7af72863fd0c995ea15f903273f93072bcfebc09

ICP: Fix null pointer dereference and use after free

In gcm_mode_decrypt_contiguous_blocks(), if vmem_alloc() fails, bcopy is called with a NULL pointer destination and a length > 0. This results in undefined behavior.

Further ctx->gcm_pt_buf is freed but not set to NULL, leading to a potential write after free and a double free due to missing return value handling in crypto_update_uio(). The code as is may write to ctx->gcm_pt_buf in gcm_decrypt_final() and may free ctx->gcm_pt_buf again in aes_decrypt_atomic().

The fix is to slightly rework error handling and check the return value in crypto_update_uio().

Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Tom Caputi <[email protected]>
Reviewed-by: Kjeld Schouten <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
Closes #9659

Diffstat (limited to 'cmd/zdb')
0 files changed, 0 insertions, 0 deletions
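
The error-handling pattern the commit message describes, as an added user-space example that is not the ICP code or the actual patch: check the allocation before copying, clear the pointer when the buffer is freed, and have the caller stop on a failed update. All `toy_*` names and the `fail_alloc_at` hook are hypothetical, and malloc/free stand in for the kernel allocator.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a decrypt context; not the ICP's gcm_ctx_t. */
typedef struct { unsigned char *pt_buf; size_t pt_len; } toy_ctx_t;
static int fail_alloc_at; /* constructed hook: fail the Nth allocation, 0 = never */

static void *toy_alloc(size_t n) {
    return (fail_alloc_at && --fail_alloc_at == 0) ? NULL : malloc(n);
}

/* Free the buffer AND clear the pointer, so a later final or free is harmless. */
static void toy_reset(toy_ctx_t *ctx) {
    free(ctx->pt_buf);
    ctx->pt_buf = NULL;
    ctx->pt_len = 0;
}

/* Accumulate input; the allocation is checked before anything is copied. */
static int toy_update(toy_ctx_t *ctx, const void *data, size_t len) {
    if (len == 0) return 0;
    unsigned char *nbuf = toy_alloc(ctx->pt_len + len);
    if (nbuf == NULL) { toy_reset(ctx); return -1; }
    if (ctx->pt_len) memcpy(nbuf, ctx->pt_buf, ctx->pt_len);
    memcpy(nbuf + ctx->pt_len, data, len);
    free(ctx->pt_buf);
    ctx->pt_buf = nbuf;
    ctx->pt_len += len;
    return 0;
}

/* Final step refuses to touch a context whose buffer has been released. */
static int toy_final(toy_ctx_t *ctx, unsigned char *out, size_t cap) {
    if (ctx->pt_buf == NULL || cap < ctx->pt_len) return -1;
    memcpy(out, ctx->pt_buf, ctx->pt_len);
    return (int)ctx->pt_len;
}

/* Caller checks every return value, so final is never reached after a failure. */
static int toy_decrypt(const char *a, const char *b, unsigned char *out, size_t cap) {
    toy_ctx_t ctx = { NULL, 0 };
    int rv = toy_update(&ctx, a, strlen(a));
    if (rv == 0) rv = toy_update(&ctx, b, strlen(b));
    if (rv == 0) rv = toy_final(&ctx, out, cap);
    toy_reset(&ctx); /* single cleanup point; free(NULL) is a no-op after an error */
    return rv;
}

int main(void) { unsigned char o[8]; return toy_decrypt("ab", "c", o, 8) != 3; }
```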