Page MenuHomeFreeBSD
Differential D40428

opencrypto: Handle end-of-cursor conditions in crypto_cursor_segment()
ClosedPublic
Actions

Authored by markj on Jun 5 2023, 10:33 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Nov 11, 6:26 AM
Unknown Object (File)
Mon, Oct 28, 12:46 AM
Unknown Object (File)
Sun, Oct 20, 2:02 PM
Unknown Object (File)
Sun, Oct 20, 2:02 PM
Unknown Object (File)
Oct 11 2024, 7:30 AM
Unknown Object (File)
Oct 11 2024, 7:28 AM
Unknown Object (File)
Oct 11 2024, 7:28 AM
Unknown Object (File)
Oct 11 2024, 7:25 AM
View All 81 Files
Subscribers
bevan_bi-co.net
imp
olce

Details

Reviewers
jhb
asomers
Commits
rG299a7961f47d: opencrypto: Handle end-of-cursor conditions in crypto_cursor_segment()
rG718d4a1d5643: opencrypto: Handle end-of-cursor conditions in crypto_cursor_segment()
Summary

Some consumers, e.g., swcr_encdec(), may call crypto_cursor_segment()
after having advanced the cursor to the end of the buffer. In this case
I believe the right behaviour is to return NULL and a length of 0.

When this occurs with a CRYPTO_BUF_VMPAGE buffer, the cc_vmpage pointer
will point past the end of the page pointer array, so
crypto_cursor_segment() ends up dereferencing a random pointer before
the function returns a length of 0. I believe the uio-backed cursor has
a similar problem.

Fix the problem by checking cc_buf_len before doing anything else.

PR: 271766

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Jun 5 2023, 10:33 PM
Herald added a subscriber: imp. · View Herald TranscriptJun 5 2023, 10:33 PM
markj requested review of this revision.Jun 5 2023, 10:33 PM
Harbormaster completed remote builds in B51914: Diff 122870.Jun 5 2023, 10:33 PM
markj planned changes to this revision.Jun 6 2023, 1:43 AM

This isn't quite right, some cursor types don't maintain cc_buf_len.

markj updated this revision to Diff 122895.Jun 6 2023, 1:41 PM

Maintain cc_buf_len for uio cursors; keep the existing check for mbuf cursors.

Harbormaster completed remote builds in B51931: Diff 122895.Jun 6 2023, 1:41 PM
olce added a subscriber: olce.Jun 6 2023, 2:40 PM
olce added inline comments.
sys/opencrypto/criov.c
525

Typo?

markj updated this revision to Diff 122897.Jun 6 2023, 2:42 PM
markj marked an inline comment as done.

Fix a typo.

Harbormaster completed remote builds in B51933: Diff 122897.Jun 6 2023, 2:42 PM
markj added inline comments.Jun 6 2023, 2:43 PM
sys/opencrypto/criov.c
525

Indeed, thank you.

jhb accepted this revision.Jun 7 2023, 6:52 PM

Humm, I had originally considered this a break of the API contract FWIW that callers shouldn't try to use a cursor after advancing past the end (though perhaps I broke that contract myself). Hmm, reading swcr_encdec, it might indeed be a bit annoying to avoid calling crypto_cursor_segment for this case.

This revision is now accepted and ready to land.Jun 7 2023, 6:52 PM
bevan_bi-co.net added a subscriber: bevan_bi-co.net.Jun 7 2023, 8:54 PM
Closed by commit rG718d4a1d5643: opencrypto: Handle end-of-cursor conditions in crypto_cursor_segment() (authored by markj). · Explain WhyJun 12 2023, 4:52 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rG718d4a1d5643: opencrypto: Handle end-of-cursor conditions in crypto_cursor_segment().
markj added a commit: rG299a7961f47d: opencrypto: Handle end-of-cursor conditions in crypto_cursor_segment().Jun 19 2023, 1:08 PM

Revision Contents
Changeset List

PathSize
sys/
opencrypto/
34 lines

Diff 123115

View Options

sys/opencrypto/criov.c

Loading...