aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorTyler Hicks <tyhicks@linux.vnet.ibm.com>2009-03-15 15:17:01 -0400
committerTyler Hicks <tyhicks@linux.vnet.ibm.com>2009-04-22 04:54:13 -0400
commit57ea34d19963781d05eb12f9b31bd4f70d61ec16 (patch)
tree5a912a7515234eb73147c32197ecbc7ca429bde8 /fs
parentae6e84596e7b321d9a08e81679c6a3f799634636 (diff)
eCryptfs: NULL pointer dereference in ecryptfs_send_miscdev()
If data is NULL, msg_ctx->msg is set to NULL and then dereferenced afterwards. ecryptfs_send_raw_message() is the only place that ecryptfs_send_miscdev() is called with data being NULL, but the only caller of that function (ecryptfs_process_helo()) is never called. In short, there is currently no way to trigger the NULL pointer dereference. This patch removes the two unused functions and modifies ecryptfs_send_miscdev() to remove the NULL dereferences. Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/ecryptfs/messaging.c82
-rw-r--r--fs/ecryptfs/miscdev.c28
2 files changed, 11 insertions, 99 deletions
diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c
index 295e7fa56755..f1c17e87c5fb 100644
--- a/fs/ecryptfs/messaging.c
+++ b/fs/ecryptfs/messaging.c
@@ -133,45 +133,6 @@ out:
133 return rc; 133 return rc;
134} 134}
135 135
136static int
137ecryptfs_send_message_locked(char *data, int data_len, u8 msg_type,
138 struct ecryptfs_msg_ctx **msg_ctx);
139
140/**
141 * ecryptfs_send_raw_message
142 * @msg_type: Message type
143 * @daemon: Daemon struct for recipient of message
144 *
145 * A raw message is one that does not include an ecryptfs_message
146 * struct. It simply has a type.
147 *
148 * Must be called with ecryptfs_daemon_hash_mux held.
149 *
150 * Returns zero on success; non-zero otherwise
151 */
152static int ecryptfs_send_raw_message(u8 msg_type,
153 struct ecryptfs_daemon *daemon)
154{
155 struct ecryptfs_msg_ctx *msg_ctx;
156 int rc;
157
158 rc = ecryptfs_send_message_locked(NULL, 0, msg_type, &msg_ctx);
159 if (rc) {
160 printk(KERN_ERR "%s: Error whilst attempting to send "
161 "message to ecryptfsd; rc = [%d]\n", __func__, rc);
162 goto out;
163 }
164 /* Raw messages are logically context-free (e.g., no
165 * reply is expected), so we set the state of the
166 * ecryptfs_msg_ctx object to indicate that it should
167 * be freed as soon as the message is sent. */
168 mutex_lock(&msg_ctx->mux);
169 msg_ctx->state = ECRYPTFS_MSG_CTX_STATE_NO_REPLY;
170 mutex_unlock(&msg_ctx->mux);
171out:
172 return rc;
173}
174
175/** 136/**
176 * ecryptfs_spawn_daemon - Create and initialize a new daemon struct 137 * ecryptfs_spawn_daemon - Create and initialize a new daemon struct
177 * @daemon: Pointer to set to newly allocated daemon struct 138 * @daemon: Pointer to set to newly allocated daemon struct
@@ -212,49 +173,6 @@ out:
212} 173}
213 174
214/** 175/**
215 * ecryptfs_process_helo
216 * @euid: The user ID owner of the message
217 * @user_ns: The namespace in which @euid applies
218 * @pid: The process ID for the userspace program that sent the
219 * message
220 *
221 * Adds the euid and pid values to the daemon euid hash. If an euid
222 * already has a daemon pid registered, the daemon will be
223 * unregistered before the new daemon is put into the hash list.
224 * Returns zero after adding a new daemon to the hash list;
225 * non-zero otherwise.
226 */
227int ecryptfs_process_helo(uid_t euid, struct user_namespace *user_ns,
228 struct pid *pid)
229{
230 struct ecryptfs_daemon *new_daemon;
231 struct ecryptfs_daemon *old_daemon;
232 int rc;
233
234 mutex_lock(&ecryptfs_daemon_hash_mux);
235 rc = ecryptfs_find_daemon_by_euid(&old_daemon, euid, user_ns);
236 if (rc != 0) {
237 printk(KERN_WARNING "Received request from user [%d] "
238 "to register daemon [0x%p]; unregistering daemon "
239 "[0x%p]\n", euid, pid, old_daemon->pid);
240 rc = ecryptfs_send_raw_message(ECRYPTFS_MSG_QUIT, old_daemon);
241 if (rc)
242 printk(KERN_WARNING "Failed to send QUIT "
243 "message to daemon [0x%p]; rc = [%d]\n",
244 old_daemon->pid, rc);
245 hlist_del(&old_daemon->euid_chain);
246 kfree(old_daemon);
247 }
248 rc = ecryptfs_spawn_daemon(&new_daemon, euid, user_ns, pid);
249 if (rc)
250 printk(KERN_ERR "%s: The gods are displeased with this attempt "
251 "to create a new daemon object for euid [%d]; pid "
252 "[0x%p]; rc = [%d]\n", __func__, euid, pid, rc);
253 mutex_unlock(&ecryptfs_daemon_hash_mux);
254 return rc;
255}
256
257/**
258 * ecryptfs_exorcise_daemon - Destroy the daemon struct 176 * ecryptfs_exorcise_daemon - Destroy the daemon struct
259 * 177 *
260 * Must be called ceremoniously while in possession of 178 * Must be called ceremoniously while in possession of
diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
index dda3c58eefc0..4ec8f61ccf5a 100644
--- a/fs/ecryptfs/miscdev.c
+++ b/fs/ecryptfs/miscdev.c
@@ -193,26 +193,20 @@ int ecryptfs_send_miscdev(char *data, size_t data_size,
193 int rc = 0; 193 int rc = 0;
194 194
195 mutex_lock(&msg_ctx->mux); 195 mutex_lock(&msg_ctx->mux);
196 if (data) { 196 msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
197 msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size), 197 GFP_KERNEL);
198 GFP_KERNEL); 198 if (!msg_ctx->msg) {
199 if (!msg_ctx->msg) { 199 rc = -ENOMEM;
200 rc = -ENOMEM; 200 printk(KERN_ERR "%s: Out of memory whilst attempting "
201 printk(KERN_ERR "%s: Out of memory whilst attempting " 201 "to kmalloc(%zd, GFP_KERNEL)\n", __func__,
202 "to kmalloc(%zd, GFP_KERNEL)\n", __func__, 202 (sizeof(*msg_ctx->msg) + data_size));
203 (sizeof(*msg_ctx->msg) + data_size)); 203 goto out_unlock;
204 goto out_unlock; 204 }
205 }
206 } else
207 msg_ctx->msg = NULL;
208 msg_ctx->msg->index = msg_ctx->index; 205 msg_ctx->msg->index = msg_ctx->index;
209 msg_ctx->msg->data_len = data_size; 206 msg_ctx->msg->data_len = data_size;
210 msg_ctx->type = msg_type; 207 msg_ctx->type = msg_type;
211 if (data) { 208 memcpy(msg_ctx->msg->data, data, data_size);
212 memcpy(msg_ctx->msg->data, data, data_size); 209 msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
213 msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
214 } else
215 msg_ctx->msg_size = 0;
216 mutex_lock(&daemon->mux); 210 mutex_lock(&daemon->mux);
217 list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue); 211 list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);
218 daemon->num_queued_msg_ctx++; 212 daemon->num_queued_msg_ctx++;