[bug report] nvme: NULL pointer dereference in nvmet_setup_auth

From: Tal Lossos
Date: Tue Aug 23 2022 - 10:59:42 EST

Next message: Rafael J. Wysocki: "Re: [PATCH v1] ACPI: processor: Remove freq Qos request for all CPUs"
Previous message: Alexander Aring: "Re: [PATCH] net/ieee802154: fix uninit value bug in dgram_sendmsg"
Next in thread: Christoph Hellwig: "Re: [bug report] nvme: NULL pointer dereference in nvmet_setup_auth"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,
There is a NULL pointer dereference in nvmet_setup_auth() introduced
in commit db1312dd95488b5e6ff362ff66fcf953a46b1821 causing a DoS.
As of v6.0-rc2, in target/auth.c:196, if there is an error with
ctrl->ctrl_key, it gets reassigned to NULL, and one line afterwards,
it gets dereferenced in the call for pr_debug():

ctrl->ctrl_key = nvme_auth_extract_key(host->dhchap_ctrl_secret + 10,
host->dhchap_ctrl_key_hash);
if (IS_ERR(ctrl->ctrl_key)) {
ret = PTR_ERR(ctrl->ctrl_key);
ctrl->ctrl_key = NULL; <--- Assigning NULL
}
pr_debug("%s: using ctrl hash %s key %*ph\n", __func__,
ctrl->ctrl_key->hash > 0 ? <--- NULL pointer dereference
nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",
(int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);

This bug occurs probably due to a missing goto statement (goto out_unlock).

Best Regards,
Tal Lossos

Next message: Rafael J. Wysocki: "Re: [PATCH v1] ACPI: processor: Remove freq Qos request for all CPUs"
Previous message: Alexander Aring: "Re: [PATCH] net/ieee802154: fix uninit value bug in dgram_sendmsg"
Next in thread: Christoph Hellwig: "Re: [bug report] nvme: NULL pointer dereference in nvmet_setup_auth"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]