| Message ID | 166525550985.1954655.13884581337321315995.stgit@morisot.1015granger.net (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | SUNRPC: Fix crasher in gss_unwrap_resp_integ() | expand |
> On Oct 8, 2022, at 2:58 PM, Chuck Lever <chuck.lever@oracle.com> wrote: > > If a zero length is passed to kmalloc() it returns 0x10, which is > not a valid address. gss_unwrap_resp_integ() subsequently crashes > when it attempts to dereference that pointer. > > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Hi, is there a plan to merge this patch, or does the fix need a different approach? > --- > net/sunrpc/auth_gss/auth_gss.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c > index a31a27816cc0..7bb247c51e2f 100644 > --- a/net/sunrpc/auth_gss/auth_gss.c > +++ b/net/sunrpc/auth_gss/auth_gss.c > @@ -1989,7 +1989,7 @@ gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred, > goto unwrap_failed; > mic.len = len; > mic.data = kmalloc(len, GFP_KERNEL); > - if (!mic.data) > + if (ZERO_OR_NULL_PTR(mic.data)) > goto unwrap_failed; > if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len)) > goto unwrap_failed; > > -- Chuck Lever
Hi Chuck, On Wed, Oct 19, 2022 at 11:50 AM Chuck Lever III <chuck.lever@oracle.com> wrote: > > > > > On Oct 8, 2022, at 2:58 PM, Chuck Lever <chuck.lever@oracle.com> wrote: > > > > If a zero length is passed to kmalloc() it returns 0x10, which is > > not a valid address. gss_unwrap_resp_integ() subsequently crashes > > when it attempts to dereference that pointer. > > > > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> > > Hi, is there a plan to merge this patch, or does the fix need > a different approach? Thanks for following up. I'm planning to include it in my next bugfixes pull request. Anna > > > > --- > > net/sunrpc/auth_gss/auth_gss.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c > > index a31a27816cc0..7bb247c51e2f 100644 > > --- a/net/sunrpc/auth_gss/auth_gss.c > > +++ b/net/sunrpc/auth_gss/auth_gss.c > > @@ -1989,7 +1989,7 @@ gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred, > > goto unwrap_failed; > > mic.len = len; > > mic.data = kmalloc(len, GFP_KERNEL); > > - if (!mic.data) > > + if (ZERO_OR_NULL_PTR(mic.data)) > > goto unwrap_failed; > > if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len)) > > goto unwrap_failed; > > > > > > -- > Chuck Lever > > >
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c index a31a27816cc0..7bb247c51e2f 100644 --- a/net/sunrpc/auth_gss/auth_gss.c +++ b/net/sunrpc/auth_gss/auth_gss.c @@ -1989,7 +1989,7 @@ gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred, goto unwrap_failed; mic.len = len; mic.data = kmalloc(len, GFP_KERNEL); - if (!mic.data) + if (ZERO_OR_NULL_PTR(mic.data)) goto unwrap_failed; if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len)) goto unwrap_failed;
If a zero length is passed to kmalloc() it returns 0x10, which is not a valid address. gss_unwrap_resp_integ() subsequently crashes when it attempts to dereference that pointer. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> --- net/sunrpc/auth_gss/auth_gss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)