[PATCH] net: ceph: Fix a possible null-pointer dereference in ceph_crypto_key_destroy()

From: Jia-Ju Bai
Date: Wed Jul 24 2019 - 05:43:16 EST

Next message: Wanpeng Li: "[PATCH] KVM: X86: Boost queue head vCPU to mitigate lock waiter preemption"
Previous message: Greg KH: "Re: [PATCH v3 04/12] fpga: dfl: afu: add AFU state related sysfs interfaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In set_secret(), key->tfm is assigned to NULL on line 55, and then
ceph_crypto_key_destroy(key) is executed.

ceph_crypto_key_destroy(key)
crypto_free_sync_skcipher(key->tfm)
crypto_skcipher_tfm(tfm)
return &tfm->base;

Thus, a possible null-pointer dereference may occur.

To fix this bug, key->tfm is checked before calling
crypto_free_sync_skcipher().

This bug is found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>
---
net/ceph/crypto.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
index 5d6724cee38f..ac28463bcfd8 100644
--- a/net/ceph/crypto.c
+++ b/net/ceph/crypto.c
@@ -136,7 +136,8 @@ void ceph_crypto_key_destroy(struct ceph_crypto_key *key)
if (key) {
kfree(key->key);
key->key = NULL;
- crypto_free_sync_skcipher(key->tfm);
+ if (key->tfm)
+ crypto_free_sync_skcipher(key->tfm);
key->tfm = NULL;
}
}
--
2.17.0

Next message: Wanpeng Li: "[PATCH] KVM: X86: Boost queue head vCPU to mitigate lock waiter preemption"
Previous message: Greg KH: "Re: [PATCH v3 04/12] fpga: dfl: afu: add AFU state related sysfs interfaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]