Message ID | 20230804093218.418276-1-shiftee@posteo.net |
---|---|
State | New |
Series | [RESEND] lib/mpi: avoid null pointer deref in mpi_cmp_ui() |
Commit Message
Mark O'Donovan
Aug. 4, 2023, 9:32 a.m. UTC
During NVMeTCP Authentication a controller can trigger a kernel
oops by specifying the 8192 bit Diffie Hellman group and passing
a correctly sized, but zeroed Diffie Hellman value.
mpi_cmp_ui() was detecting this if the second parameter was 0,
but 1 is passed from dh_is_pubkey_valid(). This causes the null
pointer u->d to be dereferenced towards the end of mpi_cmp_ui().
Signed-off-by: Mark O'Donovan <shiftee@posteo.net>
---
lib/mpi/mpi-cmp.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
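A constructed model of the failure the commit message describes, added here as an illustration; it is not the patch's code nor lib/mpi itself, and the MPI layout, toy_read_raw(), cmp_ui_old(), cmp_ui_fixed(), WOULD_OOPS and the two peer values are stand-ins. It shows that a zeroed peer value normalises to an MPI with no limbs, that the pre-patch check only short-circuits when v is also 0, and that the patched check resolves nlimbs == 0 before u->d is touched.

```c
#include <stdlib.h>

typedef unsigned long mpi_limb_t;
/* Constructed stand-in for the kernel MPI object: a zero value has nlimbs == 0
 * and no limb array (d == NULL), which is how mpi_alloc(0) leaves it. */
typedef struct { int nlimbs; int sign; mpi_limb_t *d; } *MPI;

/* Like mpi_read_raw_data(): drop leading zero bytes, pack the rest into
 * little-endian limbs. An all-zero buffer yields nlimbs 0 and d NULL. */
MPI toy_read_raw(const unsigned char *buf, size_t len)
{
    MPI u = calloc(1, sizeof(*u));
    while (len && *buf == 0) { buf++; len--; }
    if (len == 0)
        return u;                      /* value is zero: no limbs allocated */
    u->nlimbs = (int)((len + sizeof(mpi_limb_t) - 1) / sizeof(mpi_limb_t));
    u->d = calloc(u->nlimbs, sizeof(mpi_limb_t));
    for (size_t j = 0; j < len; j++)   /* j == 0 is the least significant byte */
        u->d[j / sizeof(mpi_limb_t)] |=
            (mpi_limb_t)buf[len - 1 - j] << (8 * (j % sizeof(mpi_limb_t)));
    return u;
}

#define WOULD_OOPS 2  /* demo-only sentinel: the kernel would dereference NULL here */
/* Pre-patch logic: only zero-vs-zero is short-circuited, so a zero MPI compared
 * with v != 0 falls through to u->d[0] with d == NULL (the reported oops). */
int cmp_ui_old(MPI u, unsigned long v)
{
    mpi_limb_t limb = v;
    if (!u->nlimbs && !limb) return 0;
    if (u->sign) return -1;
    if (u->nlimbs > 1) return 1;
    if (!u->d) return WOULD_OOPS;      /* guard added only so the demo survives */
    return u->d[0] == limb ? 0 : (u->d[0] > limb ? 1 : -1);
}

/* Patched logic: nlimbs == 0 is resolved before anything touches u->d. */
int cmp_ui_fixed(MPI u, unsigned long v)
{
    mpi_limb_t limb = v;
    if (u->nlimbs == 0) return v == 0 ? 0 : -1;   /* 0 < v for any nonzero v */
    if (u->sign) return -1;
    if (u->nlimbs > 1) return 1;
    return u->d[0] == limb ? 0 : (u->d[0] > limb ? 1 : -1);
}

/* Constructed peer values sized for the 8192-bit group: all zero, and 1. */
const unsigned char zero_pub[1024] = { 0 };
const unsigned char one_pub[1024] = { [1023] = 1 };
```

With the zeroed value and v == 1 (the argument dh_is_pubkey_valid() passes), cmp_ui_old() reaches the NULL dereference while cmp_ui_fixed() returns -1 and the value is rejected as out of range.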
Comments
On Fri, Aug 04, 2023 at 09:32:18AM +0000, Mark O'Donovan wrote:
> During NVMeTCP Authentication a controller can trigger a kernel
> oops by specifying the 8192 bit Diffie Hellman group and passing
> a correctly sized, but zeroed Diffie Hellman value.
> mpi_cmp_ui() was detecting this if the second parameter was 0,
> but 1 is passed from dh_is_pubkey_valid(). This causes the null
> pointer u->d to be dereferenced towards the end of mpi_cmp_ui()
>
> Signed-off-by: Mark O'Donovan <shiftee@posteo.net>
> ---
> lib/mpi/mpi-cmp.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)

Patch applied. Thanks.
diff --git a/lib/mpi/mpi-cmp.c b/lib/mpi/mpi-cmp.c index c4cfa3ff0581..0835b6213235 100644 --- a/lib/mpi/mpi-cmp.c +++ b/lib/mpi/mpi-cmp.c @@ -25,8 +25,12 @@ int mpi_cmp_ui(MPI u, unsigned long v) mpi_limb_t limb = v; mpi_normalize(u); - if (!u->nlimbs && !limb) - return 0; + if (u->nlimbs == 0) { + if (v == 0) + return 0; + else + return -1; + } if (u->sign) return -1; if (u->nlimbs > 1)
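Review bot: in the new `u->nlimbs == 0` block the `else` after `return 0;` is redundant and the block tests `v` while the rest of the function compares `limb` (the same value under two names); `if (v == 0) return 0; return -1;` inside the block, or using `limb` throughout, would read cleaner. The logic itself is right: an unsigned `v` can only be greater than a zero MPI when it is nonzero, so returning -1 there is correct and the later `u->d` access is no longer reached for a limbless value. Since the commit message describes an oops that a remote NVMe/TCP controller can trigger during authentication, it would also help to carry a `Fixes:` tag and a stable Cc so the change is backported.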