Bug #12047

gcm_mode_decrypt_contiguous_blocks() can dereference NULL pointer

Added by Jason King 4 months ago.

Status: New
Priority: Normal
Assignee:
Category: kernel
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:

Description

From ZoL#9659:

In gcm_mode_decrypt_contiguous_blocks(), if vmem_alloc() fails, bcopy() is called with a null pointer destination and a length > 0. This results in undefined behavior. Further, ctx->gcm_pt_buf is freed but not set to NULL, leading to a potential write after free and a double free due to missing return value handling in crypto_update_uio(). The code as-is may write to ctx->gcm_pt_buf in gcm_decrypt_final() and may free ctx->gcm_pt_buf again in aes_decrypt_atomic().

The fix is to slightly rework error handling in gcm_mode_decrypt_contiguous_blocks() and check the return value in crypto_update_uio().
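A hypothetical C model of the corrected error handling described above, added here as an illustration (it is not illumos or ZoL code): on allocation failure the buffer pointer is cleared and an error is returned that the caller checks before continuing. `gcm_ctx_t`, `model_alloc`, `fail_next_alloc`, `update_uio` and `ctx_fini` are simplified stand-ins for the real structures and functions, and the input bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified model of the error path in the report (NOT illumos
 * code). The context owns a plaintext buffer that grows on each decrypt call. */
typedef struct { unsigned char *pt_buf; size_t pt_buf_len; } gcm_ctx_t;
/* Fault injection (assumption): when set, the next allocation returns NULL. */
static int fail_next_alloc = 0;
static void *model_alloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}
/* Corrected error handling: the buggy version bcopy()'d into the NULL buffer and
 * freed pt_buf without clearing it, then kept going as if nothing had failed. */
static int decrypt_contiguous_blocks(gcm_ctx_t *ctx, const unsigned char *in, size_t len) {
    size_t new_len = ctx->pt_buf_len + len;
    unsigned char *new_buf = model_alloc(new_len);
    if (new_buf == NULL) {                   /* vmem_alloc() failure path */
        free(ctx->pt_buf);
        ctx->pt_buf = NULL; ctx->pt_buf_len = 0;  /* a later free() is a no-op */
        return -1;                           /* caller must check this */
    }
    if (ctx->pt_buf != NULL)                 /* never copy from/to NULL */
        memcpy(new_buf, ctx->pt_buf, ctx->pt_buf_len);
    memcpy(new_buf + ctx->pt_buf_len, in, len);
    free(ctx->pt_buf);
    ctx->pt_buf = new_buf; ctx->pt_buf_len = new_len;
    return 0;
}
/* Caller with the check the report says crypto_update_uio() lacked: stop on the
 * first failure instead of handing a NULL buffer to the final/atomic path. */
static int update_uio(gcm_ctx_t *ctx, const unsigned char **chunks, const size_t *lens, int n) {
    for (int i = 0; i < n; i++)
        if (decrypt_contiguous_blocks(ctx, chunks[i], lens[i]) != 0) return -1;
    return 0;
}
static void ctx_fini(gcm_ctx_t *ctx) {       /* safe after failure: free(NULL) is a no-op */
    free(ctx->pt_buf); ctx->pt_buf = NULL; ctx->pt_buf_len = 0;
}
/* Drives the failure path (second allocation fails) on constructed input and
 * returns 1 if the error propagated, the buffer is NULL and cleanup is safe. */
static int scenario_alloc_failure(void) {
    gcm_ctx_t ctx = { NULL, 0 };
    const unsigned char a[4] = {1, 2, 3, 4}, b[2] = {5, 6};
    const unsigned char *chunks[2] = { a, b }; const size_t lens[2] = { 4, 2 };
    if (update_uio(&ctx, chunks, lens, 1) != 0 || ctx.pt_buf_len != 4) return 0;
    fail_next_alloc = 1;
    int ok = (update_uio(&ctx, chunks + 1, lens + 1, 1) == -1 &&
              ctx.pt_buf == NULL && ctx.pt_buf_len == 0);
    ctx_fini(&ctx); return ok;
}
```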
