Re: BUG: unable to handle kernel NULL pointer dereference at 000000000000000e (reset_prng_context)

From: Herbert Xu
Date: Wed Jul 16 2008 - 02:36:00 EST

Next message: Max Krasnyansky: "Re: current linux-2.6.git: cpusets completely broken"
Previous message: Max Krasnyansky: "Re: [PATCH] stopmachine: add stopmachine_timeout v2"
In reply to: Andrew Morton: "Re: BUG: unable to handle kernel NULL pointer dereference at000000000000000e (reset_prng_context)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jul 15, 2008 at 11:17:34PM -0700, Andrew Morton wrote:
>
> On error the function will sometimes return -EFOO and other times will
> just return -1. This is inconsistent and makes the error returns
> rather less useful than they could be. I'd suggest that it be switched
> to -1 throughout or, better, to consistently use appropriate error codes.

Yes -1 should be replaced with a more meaningful error.
>
> > +struct prng_context *alloc_prng_context(void)
> > +{
> > + struct prng_context *ctx=kzalloc(sizeof(struct prng_context), GFP_KERNEL);
> > +
> > + spin_lock_init(&ctx->prng_lock);
> > +
> > + if (reset_prng_context(ctx, NULL, NULL, NULL, NULL)) {
> > + kfree(ctx);
> > + ctx = NULL;
> > + }
> > +
> > + dbgprint(KERN_CRIT "returning context %p\n",ctx);
> > + return ctx;
> > +}
> > +
> > +EXPORT_SYMBOL_GPL(alloc_prng_context);
> > +
> > +void free_prng_context(struct prng_context *ctx)
> > +{
> > + crypto_free_blkcipher(ctx->tfm);
> > + kfree(ctx);
> > +}
> > +EXPORT_SYMBOL_GPL(free_prng_context);
> > +
> > +int reset_prng_context(struct prng_context *ctx,
> > + unsigned char *key, unsigned char *iv,
> > + unsigned char *V, unsigned char *DT)
> > +{
> > + int ret;
> > + int iv_len;
> > + int rc = -EFAULT;
> > +
> > + spin_lock(&ctx->prng_lock);
> > + ctx->flags |= PRNG_NEED_RESET;
> > +
> > + if (key)
> > + memcpy(ctx->prng_key,key,strlen(ctx->prng_key));
> > + else
> > + ctx->prng_key = DEFAULT_PRNG_KEY;
>
> This is very strange. In one case we'll copy a string onto existing
> storage at ctx->prng_key. In the other case we'll *modify*
> ctx->prng_key directly.

Indeed this is bogus. We shouldn't store either the key or the
IV in the context since the tfm already holds a copy.

Neil, please remove prng_key and prng_iv completely.

> We don't support \0's in the key or the IV. I assume that's OK?

No the caller should supply the length instead.

Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Max Krasnyansky: "Re: current linux-2.6.git: cpusets completely broken"
Previous message: Max Krasnyansky: "Re: [PATCH] stopmachine: add stopmachine_timeout v2"
In reply to: Andrew Morton: "Re: BUG: unable to handle kernel NULL pointer dereference at000000000000000e (reset_prng_context)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]