From 54c8366e3984b710dc2ce99ffdce6dfb15e8eecf Mon Sep 17 00:00:00 2001 From: Attila Fülöp Date: Tue, 3 Dec 2019 19:28:48 +0100 Subject: ICP: Fix null pointer dereference and use after free MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In gcm_mode_decrypt_contiguous_blocks(), if vmem_alloc() fails, bcopy is called with a NULL pointer destination and a length > 0. This results in undefined behavior. Further ctx->gcm_pt_buf is freed but not set to NULL, leading to a potential write after free and a double free due to missing return value handling in crypto_update_uio(). The code as is may write to ctx->gcm_pt_buf in gcm_decrypt_final() and may free ctx->gcm_pt_buf again in aes_decrypt_atomic(). The fix is to slightly rework error handling and check the return value in crypto_update_uio(). Reviewed-by: Brian Behlendorf Reviewed-by: Tom Caputi Reviewed-by: Kjeld Schouten Signed-off-by: Attila Fülöp Closes #9659 --- module/icp/algs/modes/gcm.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'module/icp/algs') diff --git a/module/icp/algs/modes/gcm.c b/module/icp/algs/modes/gcm.c index 195939b85..339ffb86f 100644 --- a/module/icp/algs/modes/gcm.c +++ b/module/icp/algs/modes/gcm.c @@ -300,11 +300,13 @@ gcm_mode_decrypt_contiguous_blocks(gcm_ctx_t *ctx, char *data, size_t length, if (length > 0) { new_len = ctx->gcm_pt_buf_len + length; new = vmem_alloc(new_len, ctx->gcm_kmflag); + if (new == NULL) { + vmem_free(ctx->gcm_pt_buf, ctx->gcm_pt_buf_len); + ctx->gcm_pt_buf = NULL; + return (CRYPTO_HOST_MEMORY); + } bcopy(ctx->gcm_pt_buf, new, ctx->gcm_pt_buf_len); vmem_free(ctx->gcm_pt_buf, ctx->gcm_pt_buf_len); - if (new == NULL) - return (CRYPTO_HOST_MEMORY); - ctx->gcm_pt_buf = new; ctx->gcm_pt_buf_len = new_len; bcopy(data, &ctx->gcm_pt_buf[ctx->gcm_processed_data_len], -- cgit v1.2.3