
crypto: afalg: fix a NULL pointer dereference

Test-crypto-hash calls qcrypto_hash_bytesv/digest/base64 with
errp=NULL, this will cause a NULL pointer dereference if afalg_driver
doesn't support requested algos:

ret = qcrypto_hash_afalg_driver.hash_bytesv(alg, iov, niov,
result, resultlen,
errp);
if (ret == 0) {
return ret;
}

error_free(*errp); // <--- here

Because the error message is thrown away immediately, we should
just pass NULL to hash_bytesv(). There is also the same problem in
afalg-backend cipher & hmac, let's fix them together.

Reviewed-by: Eric Blake <eblake@redhat.com>
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Longpeng <longpeng2@huawei.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

authored by

Longpeng and committed by
Daniel P. Berrange
f1710638 b417a762

+7 -15
+1 -4
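--- a/crypto/cipher.c
+++ b/crypto/cipher.c
@@ -164,11 +164,10 @@
 {
 QCryptoCipher *cipher;
 void *ctx = NULL;
-Error *err2 = NULL;
 QCryptoCipherDriver *drv = NULL;
 
 #ifdef CONFIG_AF_ALG
-ctx = qcrypto_afalg_cipher_ctx_new(alg, mode, key, nkey, &err2);
+ctx = qcrypto_afalg_cipher_ctx_new(alg, mode, key, nkey, NULL);
 if (ctx) {
 drv = &qcrypto_cipher_afalg_driver;
 }
@@ -177,12 +176,10 @@
 if (!ctx) {
 ctx = qcrypto_cipher_ctx_new(alg, mode, key, nkey, errp);
 if (!ctx) {
-error_free(err2);
 return NULL;
 }
 
 drv = &qcrypto_cipher_lib_driver;
-error_free(err2);
 }
 
 cipher = g_new0(QCryptoCipher, 1);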
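Review bot: The `NULL` passed as errp to `qcrypto_afalg_cipher_ctx_new()` carries no comment, so a reader cannot tell that discarding the AF_ALG failure reason is deliberate. With it, every afalg failure, not only an unsupported algorithm, now falls back silently to `qcrypto_cipher_lib_driver`. I would add a comment above the call such as `/* afalg is best-effort: its errors are ignored and the lib driver is tried next */`, in line with the TODO kept in crypto/hash.c about treating some afalg errors as fatal. The same applies to the `qcrypto_afalg_hmac_ctx_new()` call in crypto/hmac.c. The enclosing function starts and ends outside this section.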
+5 -8
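--- a/crypto/hash.c
+++ b/crypto/hash.c
@@ -48,19 +48,16 @@
 {
 #ifdef CONFIG_AF_ALG
 int ret;
-
+/*
+* TODO:
+* Maybe we should treat some afalg errors as fatal
+*/
 ret = qcrypto_hash_afalg_driver.hash_bytesv(alg, iov, niov,
 result, resultlen,
-errp);
+NULL);
 if (ret == 0) {
 return ret;
 }
-
-/*
-* TODO:
-* Maybe we should treat some afalg errors as fatal
-*/
-error_free(*errp);
 #endif
 
 return qcrypto_hash_lib_driver.hash_bytesv(alg, iov, niov,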
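Review bot: The fallback `qcrypto_hash_lib_driver.hash_bytesv()` call at the end of this section receives the same `result`/`resultlen` pointers that the failed afalg call was just given. If the afalg driver can allocate `*result` or set `*resultlen` before returning non-zero (not visible here), the lib driver would start from altered out-parameters and the first buffer could leak. I would state the contract above the afalg call, e.g. `/* afalg must leave *result and *resultlen untouched on failure */`, or reset both before falling back. The function starts and ends outside this section.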
+1 -3
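--- a/crypto/hmac.c
+++ b/crypto/hmac.c
@@ -90,11 +90,10 @@
 {
 QCryptoHmac *hmac;
 void *ctx = NULL;
-Error *err2 = NULL;
 QCryptoHmacDriver *drv = NULL;
 
 #ifdef CONFIG_AF_ALG
-ctx = qcrypto_afalg_hmac_ctx_new(alg, key, nkey, &err2);
+ctx = qcrypto_afalg_hmac_ctx_new(alg, key, nkey, NULL);
 if (ctx) {
 drv = &qcrypto_hmac_afalg_driver;
 }
@@ -107,7 +106,6 @@
 }
 
 drv = &qcrypto_hmac_lib_driver;
-error_free(err2);
 }
 
 hmac = g_new0(QCryptoHmac, 1);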