Bug 188521

Summary: Function skcipher_recvmsg_async() does not set error code when the call to kcalloc() fails
Product: Other
Reporter: bianpan (bianpan2010)
Component: Other
Assignee: other_other
Status: RESOLVED CODE_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: linux-4.9-rc6
Subsystem:
Regression: No
Bisected commit-id:
Attachments: A patch to fix the bug

Description bianpan 2016-11-25 10:28:28 UTC
In function skcipher_recvmsg_async(), defined in file crypto/algif_skcipher.c, the if-statement at line 569 checks whether kcalloc() successfully allocates memory. After the error check at line 548, the value of variable err must be 0. As a result, it may return 0 (indicating that no error occurred) even when there is not enough memory. Though this error may occur rarely, I think it's better to return a correct error code (e.g. -ENOMEM) when the call to kcalloc() fails. Code related to this bug is summarised as follows.

skcipher_recvmsg_async @@ crypto/algif_skcipher.c
499 static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
500                   int flags)
501 {
        ...
517     int err = -ENOMEM;
        ...
542     while (iov_iter_count(&msg->msg_iter)) {
543         struct skcipher_async_rsgl *rsgl;
544         int used;
545 
546         if (!ctx->used) {
547             err = skcipher_wait_for_data(sk, flags);
548             if (err)
549                 goto free;
550         }
            ...
562         if (txbufs == tx_nents) {
563             struct scatterlist *tmp;
564             int x;
565             /* Ran out of tx slots in async request
566              * need to expand */
567             tmp = kcalloc(tx_nents * 2, sizeof(*tmp),
568                       GFP_KERNEL);
569             if (!tmp)
                   // Bug: the value of err may be 0
570                 goto free;
        ...
625 free:
626     skcipher_free_async_sgls(sreq);
627 unlock:
628     skcipher_wmem_wakeup(sk);
629     release_sock(sk);
630     kzfree(sreq);
631 out:
632     return err;
633 }

Thanks very much!
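To make the control-flow problem concrete, here is a small user-space C model of the pattern the report describes: a single err variable is reset to 0 by an earlier call that succeeds, and a later allocation failure jumps to the shared free: label without setting err again, so the caller sees success. This is an added example, not kernel code and not the reporter's patch: fake_kcalloc(), fake_wait_for_data(), model_recvmsg() and run_model() are constructed stand-ins for kcalloc(), skcipher_wait_for_data() and skcipher_recvmsg_async(), and the allocation budget is a made-up fault-injection knob for forcing the kcalloc() failure. The apply_fix flag selects between the reported behaviour and the one-line fix of assigning -ENOMEM before the goto.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the skcipher_recvmsg_async() control
 * flow (not kernel code). fake_kcalloc() and fake_wait_for_data() stand in
 * for kcalloc() and skcipher_wait_for_data(). */

/* Fault injection (constructed): number of allocations that succeed before
 * one fails; a negative budget means allocations never fail. */
static int alloc_budget = -1;

static void *fake_kcalloc(size_t n, size_t size)
{
        if (alloc_budget == 0)
                return NULL;
        if (alloc_budget > 0)
                alloc_budget--;
        return calloc(n, size);
}

/* Data is always available in this model, so the call succeeds and, exactly
 * as in the report, leaves err == 0 afterwards. */
static int fake_wait_for_data(void)
{
        return 0;
}

/* Returns 0 on success or a negative errno, mirroring the kernel function.
 * `iterations` plays the role of the iov_iter_count() loop. */
static int model_recvmsg(int iterations, int apply_fix)
{
        int err = -ENOMEM;
        size_t tx_nents = 1, txbufs = 0;
        int *tx = fake_kcalloc(tx_nents, sizeof(*tx));

        if (!tx)
                goto out;               /* err is still -ENOMEM here: correct */

        for (int i = 0; i < iterations; i++) {
                err = fake_wait_for_data();     /* like line 547: err becomes 0 */
                if (err)
                        goto free;

                if (txbufs == tx_nents) {
                        /* like line 567: grow the tx buffer */
                        int *tmp = fake_kcalloc(tx_nents * 2, sizeof(*tmp));

                        if (!tmp) {
                                if (apply_fix)
                                        err = -ENOMEM;  /* the fix */
                                goto free;      /* unfixed: err is 0 */
                        }
                        memcpy(tmp, tx, tx_nents * sizeof(*tx));
                        free(tx);
                        tx = tmp;
                        tx_nents *= 2;
                }
                tx[txbufs++] = i;
        }
        err = 0;
free:
        free(tx);
out:
        return err;
}

/* Run the model with a given allocation budget; returns its error code.
 * Four iterations force one expansion of the tx buffer, so a budget of 1
 * lets the initial allocation succeed and makes the expansion fail. */
static int run_model(int budget, int apply_fix)
{
        alloc_budget = budget;
        return model_recvmsg(4, apply_fix);
}

int main(void)
{
        printf("unfixed, kcalloc fails: %d\n", run_model(1, 0));   /* 0 */
        printf("fixed,   kcalloc fails: %d\n", run_model(1, 1));   /* -ENOMEM */
        printf("fixed,   no failure:    %d\n", run_model(-1, 1));  /* 0 */
        return 0;
}
```

The same review check applies to any function with one err variable and a shared cleanup label: walk to every `goto free` (or equivalent) and ask what err holds at that point, because a successful call between the initialisation and the jump silently turns the failure into a reported success.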
Comment 1 bianpan 2017-05-11 09:17:18 UTC
Created attachment 256371
A patch to fix the bug

The patch has been merged into the newest kernel. So I will close it.