Bug #12047
gcm_mode_decrypt_contiguous_blocks() can dereference NULL pointer
% Done: 0%
Difficulty: Medium
Description
From ZoL#9659:
In gcm_mode_decrypt_contiguous_blocks(), if vmem_alloc() fails, bcopy() is called with a null pointer destination and a length > 0. This results in undefined behavior. Further, ctx->gcm_pt_buf is freed but not set to NULL, leading to a potential write after free and a double free due to missing return value handling in crypto_update_uio(). The code as-is may write to ctx->gcm_pt_buf in gcm_decrypt_final() and may free ctx->gcm_pt_buf again in aes_decrypt_atomic().
The fix is to slightly rework error handling in gcm_mode_decrypt_contiguous_blocks() and check the return value in crypto_update_uio().
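The failure path described above, as an added example that is not the illumos or ZoL code: a constructed C model of the routines the report names (gcm_mode_decrypt_contiguous_blocks, crypto_update_uio, gcm_decrypt_final, aes_decrypt_atomic, each with a _sim suffix, simplified signatures and a context holding only gcm_pt_buf and a length; the numeric return-code values are assumed). It carries the error handling the report asks for and uses an allocator with fault injection so the allocation failure can be exercised: the update copies nothing on failure, frees the old buffer once and clears the pointer, and the uio walker stops on the error instead of running final on a broken context.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* KCF-style return codes named in the report; numeric values are assumed. */
#define CRYPTO_SUCCESS     0
#define CRYPTO_HOST_MEMORY 1
#define CRYPTO_FAILED      2

/* Constructed stand-in for the GCM context: only the fields the report talks about. */
typedef struct {
	uint8_t *gcm_pt_buf;        /* ciphertext buffered until the tag is verified in final */
	size_t   gcm_processed_len; /* bytes currently held in gcm_pt_buf */
} gcm_ctx_t;

/* Allocator with fault injection so the failure path can actually be exercised. */
static int fail_next_alloc;
static void *vmem_alloc_sim(size_t n) {
	if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
	return malloc(n);
}

/* Hardened update. The report's bug: on allocation failure the old buffer was freed
 * but left dangling, and bcopy() ran with a NULL destination. Here the failure branch
 * copies nothing, frees the old buffer exactly once, clears the pointer and returns. */
int gcm_mode_decrypt_contiguous_blocks_sim(gcm_ctx_t *ctx, const uint8_t *data, size_t len) {
	size_t new_len = ctx->gcm_processed_len + len;
	uint8_t *new_buf = vmem_alloc_sim(new_len);
	if (new_buf == NULL) {
		free(ctx->gcm_pt_buf);
		ctx->gcm_pt_buf = NULL;        /* the missing reset: no write-after-free, no double free */
		ctx->gcm_processed_len = 0;
		return CRYPTO_HOST_MEMORY;     /* caller must honour this */
	}
	if (ctx->gcm_processed_len > 0)
		memcpy(new_buf, ctx->gcm_pt_buf, ctx->gcm_processed_len);
	memcpy(new_buf + ctx->gcm_processed_len, data, len);
	free(ctx->gcm_pt_buf);
	ctx->gcm_pt_buf = new_buf;
	ctx->gcm_processed_len = new_len;
	return CRYPTO_SUCCESS;
}

/* Stand-in for the uio walker: the return-value check the report says was missing. */
int crypto_update_uio_sim(gcm_ctx_t *ctx, const uint8_t *const *segs, const size_t *lens, size_t nsegs) {
	for (size_t i = 0; i < nsegs; i++) {
		int rv = gcm_mode_decrypt_contiguous_blocks_sim(ctx, segs[i], lens[i]);
		if (rv != CRYPTO_SUCCESS)
			return rv;             /* stop here; never reach final with a broken context */
	}
	return CRYPTO_SUCCESS;
}

/* Stand-in for gcm_decrypt_final(): the real one verifies the tag and decrypts in place;
 * this one only hands the buffered bytes back, and refuses a context with no buffer. */
int gcm_decrypt_final_sim(const gcm_ctx_t *ctx, uint8_t *out, size_t out_len) {
	if (ctx->gcm_pt_buf == NULL || out_len < ctx->gcm_processed_len)
		return CRYPTO_FAILED;
	memcpy(out, ctx->gcm_pt_buf, ctx->gcm_processed_len);
	return CRYPTO_SUCCESS;
}

/* Stand-in for aes_decrypt_atomic(): update, final only on success, a single cleanup. */
int aes_decrypt_atomic_sim(const uint8_t *const *segs, const size_t *lens, size_t nsegs,
    uint8_t *out, size_t out_len, size_t *out_written) {
	gcm_ctx_t ctx = { NULL, 0 };
	int rv = crypto_update_uio_sim(&ctx, segs, lens, nsegs);
	if (rv == CRYPTO_SUCCESS)
		rv = gcm_decrypt_final_sim(&ctx, out, out_len);
	*out_written = (rv == CRYPTO_SUCCESS) ? ctx.gcm_processed_len : 0;
	free(ctx.gcm_pt_buf);          /* free(NULL) after a failed update: harmless, not a double free */
	return rv;
}

/* Constructed sample input: two uio segments of arbitrary bytes. */
static const uint8_t seg_a[] = { 0x10, 0x11, 0x12, 0x13 };
static const uint8_t seg_b[] = { 0x20, 0x21, 0x22, 0x23, 0x24 };
static const uint8_t *const sample_segs[] = { seg_a, seg_b };
static const size_t sample_lens[] = { sizeof seg_a, sizeof seg_b };

/* Returns the number of bytes delivered by final on the happy path, or -1. */
int run_happy_path(void) {
	uint8_t out[16]; size_t n = 0;
	if (aes_decrypt_atomic_sim(sample_segs, sample_lens, 2, out, sizeof out, &n) != CRYPTO_SUCCESS)
		return -1;
	if (memcmp(out, seg_a, sizeof seg_a) || memcmp(out + sizeof seg_a, seg_b, sizeof seg_b))
		return -1;
	return (int)n;
}

/* Returns 1 only if an injected allocation failure is contained: error propagated,
 * pointer cleared, final refused, and the atomic path reports the error with no output. */
int run_injected_failure(void) {
	gcm_ctx_t ctx = { NULL, 0 };
	uint8_t out[16]; size_t n = 7;
	if (gcm_mode_decrypt_contiguous_blocks_sim(&ctx, seg_a, sizeof seg_a) != CRYPTO_SUCCESS) return 0;
	fail_next_alloc = 1;           /* the second segment's vmem_alloc() fails */
	if (crypto_update_uio_sim(&ctx, sample_segs + 1, sample_lens + 1, 1) != CRYPTO_HOST_MEMORY) return 0;
	if (ctx.gcm_pt_buf != NULL || ctx.gcm_processed_len != 0) return 0;
	if (gcm_decrypt_final_sim(&ctx, out, sizeof out) != CRYPTO_FAILED) return 0;
	free(ctx.gcm_pt_buf);          /* NULL: the old buffer is not freed a second time */
	fail_next_alloc = 1;
	if (aes_decrypt_atomic_sim(sample_segs, sample_lens, 2, out, sizeof out, &n) != CRYPTO_HOST_MEMORY) return 0;
	return n == 0;
}
```

The two fixes are independent and both are needed: clearing the pointer protects gcm_decrypt_final() and the cleanup in aes_decrypt_atomic() from a dangling gcm_pt_buf, while the return-value check in the uio walker keeps a half-processed context from reaching final at all.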