Re: [PATCH v2] tipc: check for null after calling kmemdup

Acked-by: Jon Maloy jmaloy@redhat.com

On 11/15/21 11:01, Tadeusz Struk wrote:

kmemdup can return a null pointer so need to check for it, otherwise the null key will be dereferenced later in tipc_crypto_key_xmit as can be seen in the trace [1].

Cc: Jon Maloy jmaloy@redhat.com Cc: Ying Xue ying.xue@windriver.com Cc: "David S. Miller" davem@davemloft.net Cc: Jakub Kicinski kuba@kernel.org Cc: netdev@vger.kernel.org Cc: tipc-discussion@lists.sourceforge.net Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org # 5.15, 5.14, 5.10

[1] https://syzkaller.appspot.com/bug?id=bca180abb29567b189efdbdb34cbf7ba851c2a5...

Reported-by: Dmitry Vyukov dvyukov@google.com Signed-off-by: Tadeusz Struk tadeusz.struk@linaro.org

---

Changed in v2:

• use tipc_aead_free() to free all crytpo tfm instances that might have been allocated before the fail.

---

net/tipc/crypto.c | 4 ++++ 1 file changed, 4 insertions(+)

diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index dc60c32bb70d..d293614d5fc6 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -597,6 +597,10 @@ static int tipc_aead_init(struct tipc_aead **aead, struct tipc_aead_key *ukey, tmp->cloned = NULL; tmp->authsize = TIPC_AES_GCM_TAG_SIZE; tmp->key = kmemdup(ukey, tipc_aead_key_size(ukey), GFP_KERNEL);

• if (!tmp->key) {

• tipc_aead_free(&tmp->rcu);
  

• return -ENOMEM;
  

• } memcpy(&tmp->salt, ukey->key + keylen, TIPC_AES_GCM_SALT_SIZE); atomic_set(&tmp->users, 0); atomic64_set(&tmp->seqno, 0);