Re: [PATCH] KEYS: fix dereferencing NULL payload with nonzero length

From: David Howells
Date: Mon Apr 03 2017 - 15:20:52 EST


Eric Biggers <ebiggers3@xxxxxxxxx> wrote:

> > > - if (_payload) {
> > > + if (plen) {
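Review bot: the hunk changes which inputs take the copy branch in two directions, and only one of them is discussed. With `if (plen)` a NULL `_payload` with nonzero `plen` now enters the branch instead of being skipped, so the inconsistent arguments are handled there rather than reaching the key type as a NULL payload with a nonzero length, which is the case the thread below identifies; the commit message should say so explicitly, since the counter-proposal `if (_payload && plen)` would skip the branch for exactly that input and leave the problem in place. The second change is that a non-NULL `_payload` with `plen == 0` no longer enters the branch, so the payload handed on is NULL rather than a zero-length copy; that is worth a sentence in the changelog confirming that key types already treat (NULL, 0) and an empty buffer the same.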
> >
> > "if (_payload && plen)" would be better.
> >
> > David
>
> No, that doesn't solve the problem. The problem is that userspace can pass
> in a NULL payload with nonzero length, causing the kernel to dereference a
> NULL pointer for some key types. For example:

Okay, in that case, I think there should be an else-statement that clears plen
if !_payload.

David