eCryptfs: NULL pointer dereference in ecryptfs_send_miscdev()

If data is NULL, msg_ctx->msg is set to NULL and then dereferenced afterwards. ecryptfs_send_raw_message() is the only place that ecryptfs_send_miscdev() is called with data being NULL, but the only caller of that function (ecryptfs_process_helo()) is never called. In short, there is currently no way to trigger the NULL pointer dereference. This patch removes the two unused functions and modifies ecryptfs_send_miscdev() to remove the NULL dereferences. Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
author: Tyler Hicks <tyhicks@linux.vnet.ibm.com> 2009-03-15 15:17:01 -0400
committer: Tyler Hicks <tyhicks@linux.vnet.ibm.com> 2009-04-22 04:54:13 -0400
commit: 57ea34d19963781d05eb12f9b31bd4f70d61ec16 (patch)
tree: 5a912a7515234eb73147c32197ecbc7ca429bde8 /fs/ecryptfs
parent: ae6e84596e7b321d9a08e81679c6a3f799634636 (diff)
2 files changed, 11 insertions, 99 deletions
diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c
index 295e7fa56755..f1c17e87c5fb 100644
--- a/fs/ecryptfs/messaging.c
+++ b/fs/ecryptfs/messaging.c
@@ -133,45 +133,6 @@ out:
        return rc;
 }
-static int
-ecryptfs_send_message_locked(char *data, int data_len, u8 msg_type,
-                             struct ecryptfs_msg_ctx **msg_ctx);
-/**
- * ecryptfs_send_raw_message
- * @msg_type: Message type
- * @daemon: Daemon struct for recipient of message
- *
- * A raw message is one that does not include an ecryptfs_message
- * struct. It simply has a type.
- *
- * Must be called with ecryptfs_daemon_hash_mux held.
- *
- * Returns zero on success; non-zero otherwise
- */
-static int ecryptfs_send_raw_message(u8 msg_type,
-                                     struct ecryptfs_daemon *daemon)
-{
-        struct ecryptfs_msg_ctx *msg_ctx;
-        int rc;
-        rc = ecryptfs_send_message_locked(NULL, 0, msg_type, &msg_ctx);
-        if (rc) {
-                printk(KERN_ERR "%s: Error whilst attempting to send "
-                       "message to ecryptfsd; rc = [%d]\n", __func__, rc);
-                goto out;
-        }
-        /* Raw messages are logically context-free (e.g., no
-         * reply is expected), so we set the state of the
-         * ecryptfs_msg_ctx object to indicate that it should
-         * be freed as soon as the message is sent. */
-        mutex_lock(&msg_ctx->mux);
-        msg_ctx->state = ECRYPTFS_MSG_CTX_STATE_NO_REPLY;
-        mutex_unlock(&msg_ctx->mux);
-out:
-        return rc;
-}
 /**
 * ecryptfs_spawn_daemon - Create and initialize a new daemon struct
 * @daemon: Pointer to set to newly allocated daemon struct
@@ -212,49 +173,6 @@ out:
 }
 /**
- * ecryptfs_process_helo
- * @euid: The user ID owner of the message
- * @user_ns: The namespace in which @euid applies
- * @pid: The process ID for the userspace program that sent the
- *       message
- *
- * Adds the euid and pid values to the daemon euid hash.  If an euid
- * already has a daemon pid registered, the daemon will be
- * unregistered before the new daemon is put into the hash list.
- * Returns zero after adding a new daemon to the hash list;
- * non-zero otherwise.
- */
-int ecryptfs_process_helo(uid_t euid, struct user_namespace *user_ns,
-                          struct pid *pid)
-{
-        struct ecryptfs_daemon *new_daemon;
-        struct ecryptfs_daemon *old_daemon;
-        int rc;
-        mutex_lock(&ecryptfs_daemon_hash_mux);
-        rc = ecryptfs_find_daemon_by_euid(&old_daemon, euid, user_ns);
-        if (rc != 0) {
-                printk(KERN_WARNING "Received request from user [%d] "
-                       "to register daemon [0x%p]; unregistering daemon "
-                       "[0x%p]\n", euid, pid, old_daemon->pid);
-                rc = ecryptfs_send_raw_message(ECRYPTFS_MSG_QUIT, old_daemon);
-                if (rc)
-                        printk(KERN_WARNING "Failed to send QUIT "
-                               "message to daemon [0x%p]; rc = [%d]\n",
-                               old_daemon->pid, rc);
-                hlist_del(&old_daemon->euid_chain);
-                kfree(old_daemon);
-        }
-        rc = ecryptfs_spawn_daemon(&new_daemon, euid, user_ns, pid);
-        if (rc)
-                printk(KERN_ERR "%s: The gods are displeased with this attempt "
-                       "to create a new daemon object for euid [%d]; pid "
-                       "[0x%p]; rc = [%d]\n", __func__, euid, pid, rc);
-        mutex_unlock(&ecryptfs_daemon_hash_mux);
-        return rc;
-}
-/**
 * ecryptfs_exorcise_daemon - Destroy the daemon struct
 *
 * Must be called ceremoniously while in possession of
diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
index dda3c58eefc0..4ec8f61ccf5a 100644
--- a/fs/ecryptfs/miscdev.c
+++ b/fs/ecryptfs/miscdev.c
@@ -193,26 +193,20 @@ int ecryptfs_send_miscdev(char *data, size_t data_size,
        int rc = 0;
        mutex_lock(&msg_ctx->mux);
-        if (data) {
+        msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
-                msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
+                               GFP_KERNEL);
-                                       GFP_KERNEL);
+        if (!msg_ctx->msg) {
-                if (!msg_ctx->msg) {
+                rc = -ENOMEM;
-                        rc = -ENOMEM;
+                printk(KERN_ERR "%s: Out of memory whilst attempting "
-                        printk(KERN_ERR "%s: Out of memory whilst attempting "
+                       "to kmalloc(%zd, GFP_KERNEL)\n", __func__,
-                               "to kmalloc(%zd, GFP_KERNEL)\n", __func__,
+                       (sizeof(*msg_ctx->msg) + data_size));
-                               (sizeof(*msg_ctx->msg) + data_size));
+                goto out_unlock;
-                        goto out_unlock;
+        }
-                }
-        } else
-                msg_ctx->msg = NULL;
        msg_ctx->msg->index = msg_ctx->index;
        msg_ctx->msg->data_len = data_size;
        msg_ctx->type = msg_type;
-        if (data) {
+        memcpy(msg_ctx->msg->data, data, data_size);
-                memcpy(msg_ctx->msg->data, data, data_size);
+        msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
-                msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
-        } else
-                msg_ctx->msg_size = 0;
        mutex_lock(&daemon->mux);
        list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);
        daemon->num_queued_msg_ctx++;
author	Tyler Hicks <tyhicks@linux.vnet.ibm.com>	2009-03-15 15:17:01 -0400
committer	Tyler Hicks <tyhicks@linux.vnet.ibm.com>	2009-04-22 04:54:13 -0400
commit	57ea34d19963781d05eb12f9b31bd4f70d61ec16 (patch)
tree	5a912a7515234eb73147c32197ecbc7ca429bde8 /fs/ecryptfs
parent	ae6e84596e7b321d9a08e81679c6a3f799634636 (diff)

diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c index 295e7fa56755..f1c17e87c5fb 100644 --- a/fs/ecryptfs/messaging.c +++ b/fs/ecryptfs/messaging.c
@@ -133,45 +133,6 @@ out:
133	return rc;	133	return rc;
134	}	134	}
135		135
136	static int
137	ecryptfs_send_message_locked(char *data, int data_len, u8 msg_type,
138	struct ecryptfs_msg_ctx **msg_ctx);
139
140	/**
141	* ecryptfs_send_raw_message
142	* @msg_type: Message type
143	* @daemon: Daemon struct for recipient of message
144	*
145	* A raw message is one that does not include an ecryptfs_message
146	* struct. It simply has a type.
147	*
148	* Must be called with ecryptfs_daemon_hash_mux held.
149	*
150	* Returns zero on success; non-zero otherwise
151	*/
152	static int ecryptfs_send_raw_message(u8 msg_type,
153	struct ecryptfs_daemon *daemon)
154	{
155	struct ecryptfs_msg_ctx *msg_ctx;
156	int rc;
157
158	rc = ecryptfs_send_message_locked(NULL, 0, msg_type, &msg_ctx);
159	if (rc) {
160	printk(KERN_ERR "%s: Error whilst attempting to send "
161	"message to ecryptfsd; rc = [%d]\n", __func__, rc);
162	goto out;
163	}
164	/* Raw messages are logically context-free (e.g., no
165	* reply is expected), so we set the state of the
166	* ecryptfs_msg_ctx object to indicate that it should
167	* be freed as soon as the message is sent. */
168	mutex_lock(&msg_ctx->mux);
169	msg_ctx->state = ECRYPTFS_MSG_CTX_STATE_NO_REPLY;
170	mutex_unlock(&msg_ctx->mux);
171	out:
172	return rc;
173	}
174
175	/**	136	/**
176	* ecryptfs_spawn_daemon - Create and initialize a new daemon struct	137	* ecryptfs_spawn_daemon - Create and initialize a new daemon struct
177	* @daemon: Pointer to set to newly allocated daemon struct	138	* @daemon: Pointer to set to newly allocated daemon struct
@@ -212,49 +173,6 @@ out:
212	}	173	}
213		174
214	/**	175	/**
215	* ecryptfs_process_helo
216	* @euid: The user ID owner of the message
217	* @user_ns: The namespace in which @euid applies
218	* @pid: The process ID for the userspace program that sent the
219	* message
220	*
221	* Adds the euid and pid values to the daemon euid hash. If an euid
222	* already has a daemon pid registered, the daemon will be
223	* unregistered before the new daemon is put into the hash list.
224	* Returns zero after adding a new daemon to the hash list;
225	* non-zero otherwise.
226	*/
227	int ecryptfs_process_helo(uid_t euid, struct user_namespace *user_ns,
228	struct pid *pid)
229	{
230	struct ecryptfs_daemon *new_daemon;
231	struct ecryptfs_daemon *old_daemon;
232	int rc;
233
234	mutex_lock(&ecryptfs_daemon_hash_mux);
235	rc = ecryptfs_find_daemon_by_euid(&old_daemon, euid, user_ns);
236	if (rc != 0) {
237	printk(KERN_WARNING "Received request from user [%d] "
238	"to register daemon [0x%p]; unregistering daemon "
239	"[0x%p]\n", euid, pid, old_daemon->pid);
240	rc = ecryptfs_send_raw_message(ECRYPTFS_MSG_QUIT, old_daemon);
241	if (rc)
242	printk(KERN_WARNING "Failed to send QUIT "
243	"message to daemon [0x%p]; rc = [%d]\n",
244	old_daemon->pid, rc);
245	hlist_del(&old_daemon->euid_chain);
246	kfree(old_daemon);
247	}
248	rc = ecryptfs_spawn_daemon(&new_daemon, euid, user_ns, pid);
249	if (rc)
250	printk(KERN_ERR "%s: The gods are displeased with this attempt "
251	"to create a new daemon object for euid [%d]; pid "
252	"[0x%p]; rc = [%d]\n", __func__, euid, pid, rc);
253	mutex_unlock(&ecryptfs_daemon_hash_mux);
254	return rc;
255	}
256
257	/**
258	* ecryptfs_exorcise_daemon - Destroy the daemon struct	176	* ecryptfs_exorcise_daemon - Destroy the daemon struct
259	*	177	*
260	* Must be called ceremoniously while in possession of	178	* Must be called ceremoniously while in possession of


diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c index dda3c58eefc0..4ec8f61ccf5a 100644 --- a/fs/ecryptfs/miscdev.c +++ b/fs/ecryptfs/miscdev.c
@@ -193,26 +193,20 @@ int ecryptfs_send_miscdev(char *data, size_t data_size,
193	int rc = 0;	193	int rc = 0;
194		194
195	mutex_lock(&msg_ctx->mux);	195	mutex_lock(&msg_ctx->mux);
196	if (data) {	196	msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
197	msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),	197	GFP_KERNEL);
198	GFP_KERNEL);	198	if (!msg_ctx->msg) {
199	if (!msg_ctx->msg) {	199	rc = -ENOMEM;
200	rc = -ENOMEM;	200	printk(KERN_ERR "%s: Out of memory whilst attempting "
201	printk(KERN_ERR "%s: Out of memory whilst attempting "	201	"to kmalloc(%zd, GFP_KERNEL)\n", __func__,
202	"to kmalloc(%zd, GFP_KERNEL)\n", __func__,	202	(sizeof(*msg_ctx->msg) + data_size));
203	(sizeof(*msg_ctx->msg) + data_size));	203	goto out_unlock;
204	goto out_unlock;	204	}
205	}
206	} else
207	msg_ctx->msg = NULL;
208	msg_ctx->msg->index = msg_ctx->index;	205	msg_ctx->msg->index = msg_ctx->index;
209	msg_ctx->msg->data_len = data_size;	206	msg_ctx->msg->data_len = data_size;
210	msg_ctx->type = msg_type;	207	msg_ctx->type = msg_type;
211	if (data) {	208	memcpy(msg_ctx->msg->data, data, data_size);
212	memcpy(msg_ctx->msg->data, data, data_size);	209	msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
213	msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
214	} else
215	msg_ctx->msg_size = 0;
216	mutex_lock(&daemon->mux);	210	mutex_lock(&daemon->mux);
217	list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);	211	list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);
218	daemon->num_queued_msg_ctx++;	212	daemon->num_queued_msg_ctx++;