Re: [PATCH] crypto: algif_aead: deref after NULL

From: Herbert Xu
Date: Fri Jun 07 2024 - 07:41:27 EST


On Thu, Jun 06, 2024 at 09:34:00PM +0300, Alexander Sapozhnikov wrote:
> From: Alexandr Sapozhnikov <alsp705@xxxxxxxxx>
>
> After having been compared to a NULL value at algif_aead.c:191,
> pointer 'tsgl_src' is passed as 2nd parameter in call to function
> 'crypto_aead_copy_sgl' at algif_aead.c:244, where it is
> dereferenced at algif_aead.c:85.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Alexandr Sapozhnikov <alsp705@xxxxxxxxx>
> ---
> crypto/algif_aead.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
> index 42493b4..f757907 100644
> --- a/crypto/algif_aead.c
> +++ b/crypto/algif_aead.c
> @@ -191,7 +191,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
> if (tsgl_src)
> break;
> }
> - if (processed && !tsgl_src) {
> + if (processed || !tsgl_src) {

I think this is a false positive. If processed is zero (which can
only happen for encryption, i.e., a null message), tsgl_src won't
be dereferenced by the Crypto API. For decryption processed is
never zero as it always contains the authentication tag.

Cheers,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt