zfs/module/icp/algs/modes
Attila Fülöp 54c8366e39 ICP: Fix null pointer dereference and use after free

In gcm_mode_decrypt_contiguous_blocks(), if vmem_alloc() fails,
bcopy is called with a NULL pointer destination and a length > 0.
This results in undefined behavior. Further ctx->gcm_pt_buf is
freed but not set to NULL, leading to a potential write after
free and a double free due to missing return value handling in
crypto_update_uio(). The code as is may write to ctx->gcm_pt_buf
in gcm_decrypt_final() and may free ctx->gcm_pt_buf again in
aes_decrypt_atomic().

The fix is to slightly rework error handling and check the return
value in crypto_update_uio().

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Tom Caputi <tcaputi@datto.com>
Reviewed-by: Kjeld Schouten <kjeld@schouten-lebbing.nl>
Signed-off-by: Attila Fülöp <attila@fueloep.org>
Closes #9659
2019-12-03 10:28:47 -08:00
cbc.c Illumos Crypto Port module added to enable native encryption in zfs 2016-07-20 10:43:30 -07:00
ccm.c Fix kernel unaligned access on sparc64 2018-07-11 13:10:40 -07:00
ctr.c codebase style improvements for OpenZFS 6459 port 2017-01-22 13:25:40 -08:00
ecb.c Illumos Crypto Port module added to enable native encryption in zfs 2016-07-20 10:43:30 -07:00
gcm.c ICP: Fix null pointer dereference and use after free 2019-12-03 10:28:47 -08:00
gcm_generic.c Add support for selecting encryption backend 2018-08-02 11:59:24 -07:00
gcm_pclmulqdq.c OpenZFS restructuring - move platform specific headers 2019-09-05 09:34:54 -07:00
modes.c Illumos Crypto Port module added to enable native encryption in zfs 2016-07-20 10:43:30 -07:00