eCryptfs: NULL pointer dereference in ecryptfs_send_miscdev()

If data is NULL, msg_ctx->msg is set to NULL and then dereferenced
afterwards.  ecryptfs_send_raw_message() is the only place that
ecryptfs_send_miscdev() is called with data being NULL, but the only
caller of that function (ecryptfs_process_helo()) is never called.  In
short, there is currently no way to trigger the NULL pointer
dereference.

This patch removes the two unused functions and modifies
ecryptfs_send_miscdev() to remove the NULL dereferences.

Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
This commit is contained in:
Tyler Hicks 2009-03-15 14:17:01 -05:00
parent ae6e84596e
commit 57ea34d199
2 changed files with 11 additions and 99 deletions

View file

@ -133,45 +133,6 @@ out:
return rc;
}
static int
ecryptfs_send_message_locked(char *data, int data_len, u8 msg_type,
struct ecryptfs_msg_ctx **msg_ctx);
/**
* ecryptfs_send_raw_message
* @msg_type: Message type
* @daemon: Daemon struct for recipient of message
*
* A raw message is one that does not include an ecryptfs_message
* struct. It simply has a type.
*
* Must be called with ecryptfs_daemon_hash_mux held.
*
* Returns zero on success; non-zero otherwise
*/
static int ecryptfs_send_raw_message(u8 msg_type,
struct ecryptfs_daemon *daemon)
{
struct ecryptfs_msg_ctx *msg_ctx;
int rc;
rc = ecryptfs_send_message_locked(NULL, 0, msg_type, &msg_ctx);
if (rc) {
printk(KERN_ERR "%s: Error whilst attempting to send "
"message to ecryptfsd; rc = [%d]\n", __func__, rc);
goto out;
}
/* Raw messages are logically context-free (e.g., no
* reply is expected), so we set the state of the
* ecryptfs_msg_ctx object to indicate that it should
* be freed as soon as the message is sent. */
mutex_lock(&msg_ctx->mux);
msg_ctx->state = ECRYPTFS_MSG_CTX_STATE_NO_REPLY;
mutex_unlock(&msg_ctx->mux);
out:
return rc;
}
/**
* ecryptfs_spawn_daemon - Create and initialize a new daemon struct
* @daemon: Pointer to set to newly allocated daemon struct
@ -211,49 +172,6 @@ out:
return rc;
}
/**
* ecryptfs_process_helo
* @euid: The user ID owner of the message
* @user_ns: The namespace in which @euid applies
* @pid: The process ID for the userspace program that sent the
* message
*
* Adds the euid and pid values to the daemon euid hash. If an euid
* already has a daemon pid registered, the daemon will be
* unregistered before the new daemon is put into the hash list.
* Returns zero after adding a new daemon to the hash list;
* non-zero otherwise.
*/
int ecryptfs_process_helo(uid_t euid, struct user_namespace *user_ns,
struct pid *pid)
{
struct ecryptfs_daemon *new_daemon;
struct ecryptfs_daemon *old_daemon;
int rc;
mutex_lock(&ecryptfs_daemon_hash_mux);
rc = ecryptfs_find_daemon_by_euid(&old_daemon, euid, user_ns);
if (rc != 0) {
printk(KERN_WARNING "Received request from user [%d] "
"to register daemon [0x%p]; unregistering daemon "
"[0x%p]\n", euid, pid, old_daemon->pid);
rc = ecryptfs_send_raw_message(ECRYPTFS_MSG_QUIT, old_daemon);
if (rc)
printk(KERN_WARNING "Failed to send QUIT "
"message to daemon [0x%p]; rc = [%d]\n",
old_daemon->pid, rc);
hlist_del(&old_daemon->euid_chain);
kfree(old_daemon);
}
rc = ecryptfs_spawn_daemon(&new_daemon, euid, user_ns, pid);
if (rc)
printk(KERN_ERR "%s: The gods are displeased with this attempt "
"to create a new daemon object for euid [%d]; pid "
"[0x%p]; rc = [%d]\n", __func__, euid, pid, rc);
mutex_unlock(&ecryptfs_daemon_hash_mux);
return rc;
}
/**
* ecryptfs_exorcise_daemon - Destroy the daemon struct
*

View file

@ -193,26 +193,20 @@ int ecryptfs_send_miscdev(char *data, size_t data_size,
int rc = 0;
mutex_lock(&msg_ctx->mux);
if (data) {
msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
GFP_KERNEL);
if (!msg_ctx->msg) {
rc = -ENOMEM;
printk(KERN_ERR "%s: Out of memory whilst attempting "
"to kmalloc(%zd, GFP_KERNEL)\n", __func__,
(sizeof(*msg_ctx->msg) + data_size));
goto out_unlock;
}
} else
msg_ctx->msg = NULL;
msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
GFP_KERNEL);
if (!msg_ctx->msg) {
rc = -ENOMEM;
printk(KERN_ERR "%s: Out of memory whilst attempting "
"to kmalloc(%zd, GFP_KERNEL)\n", __func__,
(sizeof(*msg_ctx->msg) + data_size));
goto out_unlock;
}
msg_ctx->msg->index = msg_ctx->index;
msg_ctx->msg->data_len = data_size;
msg_ctx->type = msg_type;
if (data) {
memcpy(msg_ctx->msg->data, data, data_size);
msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
} else
msg_ctx->msg_size = 0;
memcpy(msg_ctx->msg->data, data, data_size);
msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
mutex_lock(&daemon->mux);
list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);
daemon->num_queued_msg_ctx++;