On 2011-10-14 10:37 -0400, Nick Bowler wrote: > The ghash_update function passes a pointer to gf128mul_4k_lle which will > be NULL if ghash_setkey is not called or if the most recent call to > ghash_setkey failed to allocate memory. This causes an oops. Fix this > up by returning an error code in the null case. > > This is trivially triggered from unpriviliged userspace through the > AF_ALG interface by simply writing to the socket without setting a key.
It looks like this can also happen in ghash_final if an evil user calls setkey, update with a length that's not a multiple of the block size, then setkey again (this time failing due to an allocation failure) then final. Thus, I suppose that final needs the same check. v2 forthcoming... -- Nick Bowler, Elliptic Technologies (http://www.elliptictech.com/) -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
