[RESEND] lib/mpi: avoid null pointer deref in mpi_cmp_ui()

Message ID 20230804093218.418276-1-shiftee@posteo.net
State New
Headers
Series [RESEND] lib/mpi: avoid null pointer deref in mpi_cmp_ui() |

Commit Message

Mark O'Donovan Aug. 4, 2023, 9:32 a.m. UTC
  During NVMeTCP Authentication a controller can trigger a kernel
oops by specifying the 8192 bit Diffie Hellman group and passing
a correctly sized, but zeroed Diffie Hellamn value.
mpi_cmp_ui() was detecting this if the second parameter was 0,
but 1 is passed from dh_is_pubkey_valid(). This causes the null
pointer u->d to be dereferenced towards the end of mpi_cmp_ui()

Signed-off-by: Mark O'Donovan <shiftee@posteo.net>
---
 lib/mpi/mpi-cmp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
  

Comments

Herbert Xu Aug. 11, 2023, 11:30 a.m. UTC | #1
On Fri, Aug 04, 2023 at 09:32:18AM +0000, Mark O'Donovan wrote:
> During NVMeTCP Authentication a controller can trigger a kernel
> oops by specifying the 8192 bit Diffie Hellman group and passing
> a correctly sized, but zeroed Diffie Hellamn value.
> mpi_cmp_ui() was detecting this if the second parameter was 0,
> but 1 is passed from dh_is_pubkey_valid(). This causes the null
> pointer u->d to be dereferenced towards the end of mpi_cmp_ui()
> 
> Signed-off-by: Mark O'Donovan <shiftee@posteo.net>
> ---
>  lib/mpi/mpi-cmp.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Patch applied.  Thanks.
  

Patch

diff --git a/lib/mpi/mpi-cmp.c b/lib/mpi/mpi-cmp.c
index c4cfa3ff0581..0835b6213235 100644
--- a/lib/mpi/mpi-cmp.c
+++ b/lib/mpi/mpi-cmp.c
@@ -25,8 +25,12 @@  int mpi_cmp_ui(MPI u, unsigned long v)
 	mpi_limb_t limb = v;
 
 	mpi_normalize(u);
-	if (!u->nlimbs && !limb)
-		return 0;
+	if (u->nlimbs == 0) {
+		if (v == 0)
+			return 0;
+		else
+			return -1;
+	}
 	if (u->sign)
 		return -1;
 	if (u->nlimbs > 1)