[PATCH] fs: crypto: keyinfo: Fix a possible null-pointer dereference in derive_key_aes()

From: Jia-Ju Bai
Date: Wed Jul 24 2019 - 06:02:14 EST

Next message: Christoph Hellwig: "Re: 5.3-rc1 BUGS in dma_addressing_limited"
Previous message: Chanwoo Choi: "Re: [PATCH 1/1] extcon: extcon-max77843: convert to i2c_new_dummy_device"
Next in thread: Eric Biggers: "Re: [PATCH] fs: crypto: keyinfo: Fix a possible null-pointer dereference in derive_key_aes()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In derive_key_aes(), tfm is assigned to NULL on line 46, and then
crypto_free_skcipher(tfm) is executed.

crypto_free_skcipher(tfm)
crypto_skcipher_tfm(tfm)
return &tfm->base;

Thus, a possible null-pointer dereference may occur.

To fix this bug, tfm is checked before calling crypto_free_skcipher().

This bug is found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>
---
fs/crypto/keyinfo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
index 207ebed918c1..b419720cac54 100644
--- a/fs/crypto/keyinfo.c
+++ b/fs/crypto/keyinfo.c
@@ -66,7 +66,8 @@ static int derive_key_aes(const u8 *master_key,
res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
out:
skcipher_request_free(req);
- crypto_free_skcipher(tfm);
+ if (tfm)
+ crypto_free_skcipher(tfm);
return res;
}

--
2.17.0

Next message: Christoph Hellwig: "Re: 5.3-rc1 BUGS in dma_addressing_limited"
Previous message: Chanwoo Choi: "Re: [PATCH 1/1] extcon: extcon-max77843: convert to i2c_new_dummy_device"
Next in thread: Eric Biggers: "Re: [PATCH] fs: crypto: keyinfo: Fix a possible null-pointer dereference in derive_key_aes()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]