authorAttila Fülöp <[email protected]>2019-12-03 19:28:48 +0100
committerBrian Behlendorf <[email protected]>2019-12-03 10:28:47 -0800
commit54c8366e3984b710dc2ce99ffdce6dfb15e8eecf (patch)
tree526a15d8aea550947de739f98abc9a85cbf6b6b3 /module
parent7af72863fd0c995ea15f903273f93072bcfebc09 (diff)
ICP: Fix null pointer dereference and use after free
In gcm_mode_decrypt_contiguous_blocks(), if vmem_alloc() fails, bcopy is called with a NULL pointer destination and a length > 0. This results in undefined behavior. Further ctx->gcm_pt_buf is freed but not set to NULL, leading to a potential write after free and a double free due to missing return value handling in crypto_update_uio(). The code as is may write to ctx->gcm_pt_buf in gcm_decrypt_final() and may free ctx->gcm_pt_buf again in aes_decrypt_atomic(). The fix is to slightly rework error handling and check the return value in crypto_update_uio(). Reviewed-by: Brian Behlendorf <[email protected]> Reviewed-by: Tom Caputi <[email protected]> Reviewed-by: Kjeld Schouten <[email protected]> Signed-off-by: Attila Fülöp <[email protected]> Closes #9659
Diffstat (limited to 'module')
-rw-r--r--module/icp/algs/modes/gcm.c8
-rw-r--r--module/icp/core/kcf_prov_lib.c5
2 files changed, 9 insertions, 4 deletions
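--- a/module/icp/algs/modes/gcm.c
+++ b/module/icp/algs/modes/gcm.c
@@ -300,11 +300,13 @@ gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *ctx, char *data, size_t length,
 if (length > 0) {
 new_len = ctx->gcm_pt_buf_len + length;
 new = vmem_alloc(new_len, ctx->gcm_kmflag);
+if (new == NULL) {
+vmem_free(ctx->gcm_pt_buf, ctx->gcm_pt_buf_len);
+ctx->gcm_pt_buf = NULL;
+return (CRYPTO_HOST_MEMORY);
+}
 bcopy(ctx->gcm_pt_buf, new, ctx->gcm_pt_buf_len);
 vmem_free(ctx->gcm_pt_buf, ctx->gcm_pt_buf_len);
-if (new == NULL)
-return (CRYPTO_HOST_MEMORY);
-
 ctx->gcm_pt_buf = new;
 ctx->gcm_pt_buf_len = new_len;
 bcopy(data, &ctx->gcm_pt_buf[ctx->gcm_processed_data_len],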
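Review bot: The new failure branch at `if (new == NULL)` clears `ctx->gcm_pt_buf` but leaves `ctx->gcm_pt_buf_len` at the old size, so the context is returned holding a NULL buffer paired with a non-zero length. Whether the later cleanup named in the description (aes_decrypt_atomic()) tests the pointer before calling vmem_free() is not visible in this hunk; resetting the length in the same branch, `ctx->gcm_pt_buf_len = 0;`, keeps the two fields consistent and removes the dependence on a NULL check elsewhere to avoid vmem_free(NULL, old_len). Freeing the old buffer with the old length on the error path mirrors what the success path already does two lines below, so that part looks right. gcm_mode_decrypt_contiguous_blocks() starts and ends outside the hunk, so any other ctx state touched on this return path cannot be checked here.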
diff --git a/module/icp/core/kcf_prov_lib.c b/module/icp/core/kcf_prov_lib.c
index 3cae872dd..b2f2530c0 100644
--- a/module/icp/core/kcf_prov_lib.c
+++ b/module/icp/core/kcf_prov_lib.c
@@ -207,9 +207,12 @@ crypto_update_uio(void *ctx, crypto_data_t *input, crypto_data_t *output,
cur_len = MIN(uiop->uio_iov[vec_idx].iov_len -
offset, length);
- (cipher)(ctx, uiop->uio_iov[vec_idx].iov_base + offset,
+ int rv = (cipher)(ctx, uiop->uio_iov[vec_idx].iov_base + offset,
cur_len, (input == output) ? NULL : output);
+ if (rv != CRYPTO_SUCCESS) {
+ return (rv);
+ }
length -= cur_len;
vec_idx++;
offset = 0;