mailing list archives
CVE request: kernel: crypto: ghash: null pointer deref if no key is set
From: Eugene Teo <eugene () redhat com>
Date: Thu, 27 Oct 2011 17:10:07 +0800
Description from the commit: The ghash_update function passes a pointer
to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or
if the most recent call to ghash_setkey failed to allocate memory. This
causes an oops. Fix this up by returning an error code in the null case.
This is trivially triggered from unprivileged userspace through the
AF_ALG interface by simply writing to the socket without setting a key.
The ghash_final function has a similar issue, but triggering it requires
a memory allocation failure in ghash_setkey _after_ at least one
successful call to ghash_update.
was added in commit 2cdc6899, v2.6.32-rc1.
Eugene Teo / Red Hat Security Response Team
- CVE request: kernel: crypto: ghash: null pointer deref if no key is set Eugene Teo (Oct 27)