Bug 188891 - Function public_key_verify_signature() does not set error code when the call to kmalloc() fails.
Summary: Function public_key_verify_signature() does not set error code when the call ...
Status: RESOLVED CODE_FIX
Alias: None
Product: Other
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: other_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-25 11:06 UTC by bianpan
Modified: 2017-05-12 00:06 UTC (History)
0 users

See Also:
Kernel Version: linux-4.9-rc6
Tree: Mainline
Regression: No


Attachments

Description bianpan 2016-11-25 11:06:47 UTC
Function kmalloc() returns a NULL pointer if there is no enough memory. The function public_key_verify_signature() defined in file crypto/asymmetric_keys/public_key.c calls kmalloc() and checks its return value against NULL (at line 126). When the return value is NULL, the control flow jumps to label "error_free_req" and returns the value of variable ret. Because the check of variable ret at line 121, the value of it must be 0. As a result, function public_key_verify_signature() may return 0 (indicates success) even on failures. Maybe it is better to assign "-ENOMEM" to ret before the jump instruction at line 127. Codes related to this bug are summarised as follows.

public_key_verify_signature @@ crypto/asymmetric_keys/public_key.c
 79 int public_key_verify_signature(const struct public_key *pkey,
 80                 const struct public_key_signature *sig)
 81 {
        ...
 90     int ret = -ENOMEM;
        ...
120     ret = crypto_akcipher_set_pub_key(tfm, pkey->key, pkey->keylen);
121     if (ret)
122         goto error_free_req;
123 
124     outlen = crypto_akcipher_maxsize(tfm);
125     output = kmalloc(outlen, GFP_KERNEL);
126     if (!output)
            // insert "ret = -ENOMEM;"?
127         goto error_free_req;
        ...
155 out_free_output:
156     kfree(output);
157 error_free_req:
158     akcipher_request_free(req);
159 error_free_tfm:
160     crypto_free_akcipher(tfm);
161     pr_devel("<==%s() = %d\n", __func__, ret);
162     return ret;
163 }

Thanks very much!
Comment 1 bianpan 2017-05-12 00:06:08 UTC
Fixed in linux-v4.10

Patch: https://patchwork.kernel.org/patch/9470901/

Note You need to log in before you can comment on or make changes to this bug.