Re: [bug report] nvme: NULL pointer dereference in nvmet_setup_auth
From: Christoph Hellwig
Date: Tue Aug 23 2022 - 14:06:18 EST
On Tue, Aug 23, 2022 at 03:23:37PM +0300, Tal Lossos wrote:
> Hello,
> There is a NULL pointer dereference in nvmet_setup_auth() introduced
> in commit db1312dd95488b5e6ff362ff66fcf953a46b1821 causing a DoS.
> As of v6.0-rc2, in target/auth.c:196, if there is an error with
> ctrl->ctrl_key, it gets reassigned to NULL, and one line afterwards,
> it gets dereferenced in the call for pr_debug():
Hannes, can you look into this?
>
> ctrl->ctrl_key = nvme_auth_extract_key(host->dhchap_ctrl_secret + 10,
> host->dhchap_ctrl_key_hash);
> if (IS_ERR(ctrl->ctrl_key)) {
> ret = PTR_ERR(ctrl->ctrl_key);
> ctrl->ctrl_key = NULL; <--- Assigning NULL
> }
> pr_debug("%s: using ctrl hash %s key %*ph\n", __func__,
> ctrl->ctrl_key->hash > 0 ? <--- NULL pointer dereference
> nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",
> (int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);
>
> This bug occurs probably due to a missing goto statement (goto out_unlock).
>
> Best Regards,
> Tal Lossos
---end quoted text---