Bug 188521 - Function skcipher_recvmsg_async() does not set error code when the call to kcalloc() fails
Summary: Function skcipher_recvmsg_async() does not set error code when the call to kc...
Status: RESOLVED CODE_FIX
Alias: None
Product: Other
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: other_other
URL:
Keywords:
Depends on:
Blocks:
Reported: 2016-11-25 10:28 UTC by bianpan
Modified: 2017-05-11 09:18 UTC

See Also:
Kernel Version: linux-4.9-rc6
Subsystem:
Regression: No
Bisected commit-id:


Attachments
A patch to fix the bug (1.24 KB, patch)
2017-05-11 09:17 UTC, bianpan

Description bianpan 2016-11-25 10:28:28 UTC
In function skcipher_recvmsg_async() defined in file crypto/algif_skcipher.c, the if-statement at line 569 checks whether kcalloc() successfully allocates memory. After the error check at line 548, the value of variable err must be 0. As a result, it may return 0 (indicating that no error occurred) even when there is not enough memory. Though this error may occur rarely, I think it's better to return a correct error code (e.g. -ENOMEM) when the call to kcalloc() fails. Code related to this bug is summarised as follows.

skcipher_recvmsg_async @@ crypto/algif_skcipher.c
499 static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
500                   int flags)
501 {
        ...
517     int err = -ENOMEM;
        ...
542     while (iov_iter_count(&msg->msg_iter)) {
543         struct skcipher_async_rsgl *rsgl;
544         int used;
545 
546         if (!ctx->used) {
547             err = skcipher_wait_for_data(sk, flags);
548             if (err)
549                 goto free;
550         }
            ...
562         if (txbufs == tx_nents) {
563             struct scatterlist *tmp;
564             int x;
565             /* Ran out of tx slots in async request
566              * need to expand */
567             tmp = kcalloc(tx_nents * 2, sizeof(*tmp),
568                       GFP_KERNEL);
569             if (!tmp)
                   // Bug: the value of err may be 0
570                 goto free;
        ...
625 free:
626     skcipher_free_async_sgls(sreq);
627 unlock:
628     skcipher_wmem_wakeup(sk);
629     release_sock(sk);
630     kzfree(sreq);
631 out:
632     return err;
633 }

Thanks very much!
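Added example, not code from the report or from the kernel: a user-space C model of the control flow described above, with a fault-injecting stand-in for kcalloc(), showing that once the wait has reset err to 0 the unfixed path returns 0 on allocation failure while the path with the suggested fix returns -ENOMEM. The function names, the data_ready/alloc_fails parameters and the set_enomem switch are assumptions made for this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Stand-in for skcipher_wait_for_data(): data arrives, so it returns 0.
 * That 0 is what overwrites the initial err = -ENOMEM in the report. */
static int wait_for_data(int *used)
{
	*used = 16;
	return 0;
}

/* Fault-injecting stand-in for kcalloc(): returns NULL when `fail` is set. */
static void *fake_kcalloc(size_t n, size_t size, int fail)
{
	return fail ? NULL : calloc(n, size);
}

/*
 * Shape of the reported function (constructed model). data_ready models
 * ctx->used being non-zero on entry, so the wait is skipped; alloc_fails
 * injects the kcalloc() failure. With set_enomem == 0 the failing path
 * jumps to the cleanup label without touching err, as in the report;
 * with set_enomem == 1 it applies the fix the report suggests.
 * Returns the value the caller of recvmsg would see.
 */
int recvmsg_model(int data_ready, int alloc_fails, int set_enomem)
{
	int used = data_ready ? 16 : 0;
	int err = -ENOMEM;
	void *tmp;

	if (!used) {
		err = wait_for_data(&used);	/* err becomes 0 here */
		if (err)
			goto out;
	}
	tmp = fake_kcalloc(2, sizeof(int), alloc_fails);
	if (!tmp) {
		if (set_enomem)
			err = -ENOMEM;		/* the fix: report the failure */
		goto out;			/* without it, err may still be 0 */
	}
	free(tmp);
	err = 0;				/* success path */
out:
	return err;
}

/* The two variants side by side: the code as reported and as fixed. */
int recvmsg_buggy(int data_ready, int alloc_fails) { return recvmsg_model(data_ready, alloc_fails, 0); }
int recvmsg_fixed(int data_ready, int alloc_fails) { return recvmsg_model(data_ready, alloc_fails, 1); }
```

The failure is only visible when the wait actually ran: if data was already queued on entry, the initial -ENOMEM survives and both variants agree.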
Comment 1 bianpan 2017-05-11 09:17:18 UTC
Created attachment 256371
A patch to fix the bug

The patch has been merged into the newest kernel. So I will close it.
