eCryptfs: NULL pointer dereference in ecryptfs_send_miscdev()
If data is NULL, msg_ctx->msg is set to NULL and then dereferenced afterwards. ecryptfs_send_raw_message() is the only place that ecryptfs_send_miscdev() is called with data being NULL, but the only caller of that function (ecryptfs_process_helo()) is never called. In short, there is currently no way to trigger the NULL pointer dereference. This patch removes the two unused functions and modifies ecryptfs_send_miscdev() to remove the NULL dereferences. Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
This commit is contained in:
Tyler Hicks
parent
ae6e84596e
commit
57ea34d199
2 changed files with 11 additions and 99 deletions
|
|
@ -133,45 +133,6 @@ out:
|
|||
return rc;
|
||||
}
|
||||
|
||||
static int
|
||||
ecryptfs_send_message_locked(char *data, int data_len, u8 msg_type,
|
||||
struct ecryptfs_msg_ctx **msg_ctx);
|
||||
|
||||
/**
|
||||
* ecryptfs_send_raw_message
|
||||
* @msg_type: Message type
|
||||
* @daemon: Daemon struct for recipient of message
|
||||
*
|
||||
* A raw message is one that does not include an ecryptfs_message
|
||||
* struct. It simply has a type.
|
||||
*
|
||||
* Must be called with ecryptfs_daemon_hash_mux held.
|
||||
*
|
||||
* Returns zero on success; non-zero otherwise
|
||||
*/
|
||||
static int ecryptfs_send_raw_message(u8 msg_type,
|
||||
struct ecryptfs_daemon *daemon)
|
||||
{
|
||||
struct ecryptfs_msg_ctx *msg_ctx;
|
||||
int rc;
|
||||
|
||||
rc = ecryptfs_send_message_locked(NULL, 0, msg_type, &msg_ctx);
|
||||
if (rc) {
|
||||
printk(KERN_ERR "%s: Error whilst attempting to send "
|
||||
"message to ecryptfsd; rc = [%d]\n", __func__, rc);
|
||||
goto out;
|
||||
}
|
||||
/* Raw messages are logically context-free (e.g., no
|
||||
* reply is expected), so we set the state of the
|
||||
* ecryptfs_msg_ctx object to indicate that it should
|
||||
* be freed as soon as the message is sent. */
|
||||
mutex_lock(&msg_ctx->mux);
|
||||
msg_ctx->state = ECRYPTFS_MSG_CTX_STATE_NO_REPLY;
|
||||
mutex_unlock(&msg_ctx->mux);
|
||||
out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
/**
|
||||
* ecryptfs_spawn_daemon - Create and initialize a new daemon struct
|
||||
* @daemon: Pointer to set to newly allocated daemon struct
|
||||
|
|
@ -211,49 +172,6 @@ out:
|
|||
return rc;
|
||||
}
|
||||
|
||||
/**
|
||||
* ecryptfs_process_helo
|
||||
* @euid: The user ID owner of the message
|
||||
* @user_ns: The namespace in which @euid applies
|
||||
* @pid: The process ID for the userspace program that sent the
|
||||
* message
|
||||
*
|
||||
* Adds the euid and pid values to the daemon euid hash. If an euid
|
||||
* already has a daemon pid registered, the daemon will be
|
||||
* unregistered before the new daemon is put into the hash list.
|
||||
* Returns zero after adding a new daemon to the hash list;
|
||||
* non-zero otherwise.
|
||||
*/
|
||||
int ecryptfs_process_helo(uid_t euid, struct user_namespace *user_ns,
|
||||
struct pid *pid)
|
||||
{
|
||||
struct ecryptfs_daemon *new_daemon;
|
||||
struct ecryptfs_daemon *old_daemon;
|
||||
int rc;
|
||||
|
||||
mutex_lock(&ecryptfs_daemon_hash_mux);
|
||||
rc = ecryptfs_find_daemon_by_euid(&old_daemon, euid, user_ns);
|
||||
if (rc != 0) {
|
||||
printk(KERN_WARNING "Received request from user [%d] "
|
||||
"to register daemon [0x%p]; unregistering daemon "
|
||||
"[0x%p]\n", euid, pid, old_daemon->pid);
|
||||
rc = ecryptfs_send_raw_message(ECRYPTFS_MSG_QUIT, old_daemon);
|
||||
if (rc)
|
||||
printk(KERN_WARNING "Failed to send QUIT "
|
||||
"message to daemon [0x%p]; rc = [%d]\n",
|
||||
old_daemon->pid, rc);
|
||||
hlist_del(&old_daemon->euid_chain);
|
||||
kfree(old_daemon);
|
||||
}
|
||||
rc = ecryptfs_spawn_daemon(&new_daemon, euid, user_ns, pid);
|
||||
if (rc)
|
||||
printk(KERN_ERR "%s: The gods are displeased with this attempt "
|
||||
"to create a new daemon object for euid [%d]; pid "
|
||||
"[0x%p]; rc = [%d]\n", __func__, euid, pid, rc);
|
||||
mutex_unlock(&ecryptfs_daemon_hash_mux);
|
||||
return rc;
|
||||
}
|
||||
|
||||
/**
|
||||
* ecryptfs_exorcise_daemon - Destroy the daemon struct
|
||||
*
|
||||
|
|
|
|||
|
|
@ -193,26 +193,20 @@ int ecryptfs_send_miscdev(char *data, size_t data_size,
|
|||
int rc = 0;
|
||||
|
||||
mutex_lock(&msg_ctx->mux);
|
||||
if (data) {
|
||||
msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
|
||||
GFP_KERNEL);
|
||||
if (!msg_ctx->msg) {
|
||||
rc = -ENOMEM;
|
||||
printk(KERN_ERR "%s: Out of memory whilst attempting "
|
||||
"to kmalloc(%zd, GFP_KERNEL)\n", __func__,
|
||||
(sizeof(*msg_ctx->msg) + data_size));
|
||||
goto out_unlock;
|
||||
}
|
||||
} else
|
||||
msg_ctx->msg = NULL;
|
||||
msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
|
||||
GFP_KERNEL);
|
||||
if (!msg_ctx->msg) {
|
||||
rc = -ENOMEM;
|
||||
printk(KERN_ERR "%s: Out of memory whilst attempting "
|
||||
"to kmalloc(%zd, GFP_KERNEL)\n", __func__,
|
||||
(sizeof(*msg_ctx->msg) + data_size));
|
||||
goto out_unlock;
|
||||
}
|
||||
msg_ctx->msg->index = msg_ctx->index;
|
||||
msg_ctx->msg->data_len = data_size;
|
||||
msg_ctx->type = msg_type;
|
||||
if (data) {
|
||||
memcpy(msg_ctx->msg->data, data, data_size);
|
||||
msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
|
||||
} else
|
||||
msg_ctx->msg_size = 0;
|
||||
memcpy(msg_ctx->msg->data, data, data_size);
|
||||
msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
|
||||
mutex_lock(&daemon->mux);
|
||||
list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);
|
||||
daemon->num_queued_msg_ctx++;
|
||||
|
|
|
|||
Loading…
Reference in a new issue