diff options
author | Tyler Hicks <tyhicks@linux.vnet.ibm.com> | 2009-03-15 15:17:01 -0400 |
---|---|---|
committer | Tyler Hicks <tyhicks@linux.vnet.ibm.com> | 2009-04-22 04:54:13 -0400 |
commit | 57ea34d19963781d05eb12f9b31bd4f70d61ec16 (patch) | |
tree | 5a912a7515234eb73147c32197ecbc7ca429bde8 /fs | |
parent | ae6e84596e7b321d9a08e81679c6a3f799634636 (diff) |
eCryptfs: NULL pointer dereference in ecryptfs_send_miscdev()
If data is NULL, msg_ctx->msg is set to NULL and then dereferenced
afterwards. ecryptfs_send_raw_message() is the only place that
ecryptfs_send_miscdev() is called with data being NULL, but the only
caller of that function (ecryptfs_process_helo()) is never called. In
short, there is currently no way to trigger the NULL pointer
dereference.
This patch removes the two unused functions and modifies
ecryptfs_send_miscdev() to remove the NULL dereferences.
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/ecryptfs/messaging.c | 82 | ||||
-rw-r--r-- | fs/ecryptfs/miscdev.c | 28 |
2 files changed, 11 insertions, 99 deletions
diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c index 295e7fa56755..f1c17e87c5fb 100644 --- a/fs/ecryptfs/messaging.c +++ b/fs/ecryptfs/messaging.c | |||
@@ -133,45 +133,6 @@ out: | |||
133 | return rc; | 133 | return rc; |
134 | } | 134 | } |
135 | 135 | ||
136 | static int | ||
137 | ecryptfs_send_message_locked(char *data, int data_len, u8 msg_type, | ||
138 | struct ecryptfs_msg_ctx **msg_ctx); | ||
139 | |||
140 | /** | ||
141 | * ecryptfs_send_raw_message | ||
142 | * @msg_type: Message type | ||
143 | * @daemon: Daemon struct for recipient of message | ||
144 | * | ||
145 | * A raw message is one that does not include an ecryptfs_message | ||
146 | * struct. It simply has a type. | ||
147 | * | ||
148 | * Must be called with ecryptfs_daemon_hash_mux held. | ||
149 | * | ||
150 | * Returns zero on success; non-zero otherwise | ||
151 | */ | ||
152 | static int ecryptfs_send_raw_message(u8 msg_type, | ||
153 | struct ecryptfs_daemon *daemon) | ||
154 | { | ||
155 | struct ecryptfs_msg_ctx *msg_ctx; | ||
156 | int rc; | ||
157 | |||
158 | rc = ecryptfs_send_message_locked(NULL, 0, msg_type, &msg_ctx); | ||
159 | if (rc) { | ||
160 | printk(KERN_ERR "%s: Error whilst attempting to send " | ||
161 | "message to ecryptfsd; rc = [%d]\n", __func__, rc); | ||
162 | goto out; | ||
163 | } | ||
164 | /* Raw messages are logically context-free (e.g., no | ||
165 | * reply is expected), so we set the state of the | ||
166 | * ecryptfs_msg_ctx object to indicate that it should | ||
167 | * be freed as soon as the message is sent. */ | ||
168 | mutex_lock(&msg_ctx->mux); | ||
169 | msg_ctx->state = ECRYPTFS_MSG_CTX_STATE_NO_REPLY; | ||
170 | mutex_unlock(&msg_ctx->mux); | ||
171 | out: | ||
172 | return rc; | ||
173 | } | ||
174 | |||
175 | /** | 136 | /** |
176 | * ecryptfs_spawn_daemon - Create and initialize a new daemon struct | 137 | * ecryptfs_spawn_daemon - Create and initialize a new daemon struct |
177 | * @daemon: Pointer to set to newly allocated daemon struct | 138 | * @daemon: Pointer to set to newly allocated daemon struct |
@@ -212,49 +173,6 @@ out: | |||
212 | } | 173 | } |
213 | 174 | ||
214 | /** | 175 | /** |
215 | * ecryptfs_process_helo | ||
216 | * @euid: The user ID owner of the message | ||
217 | * @user_ns: The namespace in which @euid applies | ||
218 | * @pid: The process ID for the userspace program that sent the | ||
219 | * message | ||
220 | * | ||
221 | * Adds the euid and pid values to the daemon euid hash. If an euid | ||
222 | * already has a daemon pid registered, the daemon will be | ||
223 | * unregistered before the new daemon is put into the hash list. | ||
224 | * Returns zero after adding a new daemon to the hash list; | ||
225 | * non-zero otherwise. | ||
226 | */ | ||
227 | int ecryptfs_process_helo(uid_t euid, struct user_namespace *user_ns, | ||
228 | struct pid *pid) | ||
229 | { | ||
230 | struct ecryptfs_daemon *new_daemon; | ||
231 | struct ecryptfs_daemon *old_daemon; | ||
232 | int rc; | ||
233 | |||
234 | mutex_lock(&ecryptfs_daemon_hash_mux); | ||
235 | rc = ecryptfs_find_daemon_by_euid(&old_daemon, euid, user_ns); | ||
236 | if (rc != 0) { | ||
237 | printk(KERN_WARNING "Received request from user [%d] " | ||
238 | "to register daemon [0x%p]; unregistering daemon " | ||
239 | "[0x%p]\n", euid, pid, old_daemon->pid); | ||
240 | rc = ecryptfs_send_raw_message(ECRYPTFS_MSG_QUIT, old_daemon); | ||
241 | if (rc) | ||
242 | printk(KERN_WARNING "Failed to send QUIT " | ||
243 | "message to daemon [0x%p]; rc = [%d]\n", | ||
244 | old_daemon->pid, rc); | ||
245 | hlist_del(&old_daemon->euid_chain); | ||
246 | kfree(old_daemon); | ||
247 | } | ||
248 | rc = ecryptfs_spawn_daemon(&new_daemon, euid, user_ns, pid); | ||
249 | if (rc) | ||
250 | printk(KERN_ERR "%s: The gods are displeased with this attempt " | ||
251 | "to create a new daemon object for euid [%d]; pid " | ||
252 | "[0x%p]; rc = [%d]\n", __func__, euid, pid, rc); | ||
253 | mutex_unlock(&ecryptfs_daemon_hash_mux); | ||
254 | return rc; | ||
255 | } | ||
256 | |||
257 | /** | ||
258 | * ecryptfs_exorcise_daemon - Destroy the daemon struct | 176 | * ecryptfs_exorcise_daemon - Destroy the daemon struct |
259 | * | 177 | * |
260 | * Must be called ceremoniously while in possession of | 178 | * Must be called ceremoniously while in possession of |
diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c index dda3c58eefc0..4ec8f61ccf5a 100644 --- a/fs/ecryptfs/miscdev.c +++ b/fs/ecryptfs/miscdev.c | |||
@@ -193,26 +193,20 @@ int ecryptfs_send_miscdev(char *data, size_t data_size, | |||
193 | int rc = 0; | 193 | int rc = 0; |
194 | 194 | ||
195 | mutex_lock(&msg_ctx->mux); | 195 | mutex_lock(&msg_ctx->mux); |
196 | if (data) { | 196 | msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size), |
197 | msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size), | 197 | GFP_KERNEL); |
198 | GFP_KERNEL); | 198 | if (!msg_ctx->msg) { |
199 | if (!msg_ctx->msg) { | 199 | rc = -ENOMEM; |
200 | rc = -ENOMEM; | 200 | printk(KERN_ERR "%s: Out of memory whilst attempting " |
201 | printk(KERN_ERR "%s: Out of memory whilst attempting " | 201 | "to kmalloc(%zd, GFP_KERNEL)\n", __func__, |
202 | "to kmalloc(%zd, GFP_KERNEL)\n", __func__, | 202 | (sizeof(*msg_ctx->msg) + data_size)); |
203 | (sizeof(*msg_ctx->msg) + data_size)); | 203 | goto out_unlock; |
204 | goto out_unlock; | 204 | } |
205 | } | ||
206 | } else | ||
207 | msg_ctx->msg = NULL; | ||
208 | msg_ctx->msg->index = msg_ctx->index; | 205 | msg_ctx->msg->index = msg_ctx->index; |
209 | msg_ctx->msg->data_len = data_size; | 206 | msg_ctx->msg->data_len = data_size; |
210 | msg_ctx->type = msg_type; | 207 | msg_ctx->type = msg_type; |
211 | if (data) { | 208 | memcpy(msg_ctx->msg->data, data, data_size); |
212 | memcpy(msg_ctx->msg->data, data, data_size); | 209 | msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size); |
213 | msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size); | ||
214 | } else | ||
215 | msg_ctx->msg_size = 0; | ||
216 | mutex_lock(&daemon->mux); | 210 | mutex_lock(&daemon->mux); |
217 | list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue); | 211 | list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue); |
218 | daemon->num_queued_msg_ctx++; | 212 | daemon->num_queued_msg_ctx++; |