Page MenuHomeFreeBSD

opencrypto: Handle end-of-cursor conditions in crypto_cursor_segment()
ClosedPublic

Authored by markj on Jun 5 2023, 10:33 PM.
Tags
None
Referenced Files
F107292426: D40428.id122870.diff
Sun, Jan 12, 2:31 AM
Unknown Object (File)
Mon, Jan 6, 9:51 PM
Unknown Object (File)
Dec 5 2024, 4:22 PM
Unknown Object (File)
Nov 19 2024, 2:37 PM
Unknown Object (File)
Nov 19 2024, 2:33 PM
Unknown Object (File)
Nov 19 2024, 1:59 PM
Unknown Object (File)
Nov 19 2024, 12:52 PM
Unknown Object (File)
Nov 11 2024, 6:26 AM

Details

Summary

Some consumers, e.g., swcr_encdec(), may call crypto_cursor_segment()
after having advanced the cursor to the end of the buffer. In this case
I believe the right behaviour is to return NULL and a length of 0.

When this occurs with a CRYPTO_BUF_VMPAGE buffer, the cc_vmpage pointer
will point past the end of the page pointer array, so
crypto_cursor_segment() ends up dereferencing a random pointer before
the function returns a length of 0. I believe the uio-backed cursor has
a similar problem.

Fix the problem by checking cc_buf_len before doing anything else.

PR: 271766

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 51914
Build 48805: arc lint + arc unit

Event Timeline

markj requested review of this revision.Jun 5 2023, 10:33 PM
markj planned changes to this revision.Jun 6 2023, 1:43 AM

This isn't quite right, some cursor types don't maintain cc_buf_len.

Maintain cc_buf_len for uio cursors; keep the existing check for mbuf cursors.

olce added inline comments.
sys/opencrypto/criov.c
507

Typo?

markj marked an inline comment as done.

Fix a typo.

sys/opencrypto/criov.c
507

Indeed, thank you.

Humm, I had originally considered this a break of the API contract FWIW that callers shouldn't try to use a cursor after advancing past the end (though perhaps I broke that contract myself). Hmm, reading swcr_encdec, it might indeed be a bit annoying to avoid calling crypto_cursor_segment for this case.

This revision is now accepted and ready to land.Jun 7 2023, 6:52 PM