eCryptfs: NULL pointer dereference in ecryptfs_send_miscdev()
If data is NULL, msg_ctx->msg is set to NULL and then dereferenced afterwards. ecryptfs_send_raw_message() is the only place that ecryptfs_send_miscdev() is called with data being NULL, but the only caller of that function (ecryptfs_process_helo()) is never called. In short, there is currently no way to trigger the NULL pointer dereference. This patch removes the two unused functions and modifies ecryptfs_send_miscdev() to remove the NULL dereferences. Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
This commit is contained in:
parent
ae6e84596e
commit
57ea34d199
2 changed files with 11 additions and 99 deletions
|
@ -133,45 +133,6 @@ out:
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
ecryptfs_send_message_locked(char *data, int data_len, u8 msg_type,
|
|
||||||
struct ecryptfs_msg_ctx **msg_ctx);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* ecryptfs_send_raw_message
|
|
||||||
* @msg_type: Message type
|
|
||||||
* @daemon: Daemon struct for recipient of message
|
|
||||||
*
|
|
||||||
* A raw message is one that does not include an ecryptfs_message
|
|
||||||
* struct. It simply has a type.
|
|
||||||
*
|
|
||||||
* Must be called with ecryptfs_daemon_hash_mux held.
|
|
||||||
*
|
|
||||||
* Returns zero on success; non-zero otherwise
|
|
||||||
*/
|
|
||||||
static int ecryptfs_send_raw_message(u8 msg_type,
|
|
||||||
struct ecryptfs_daemon *daemon)
|
|
||||||
{
|
|
||||||
struct ecryptfs_msg_ctx *msg_ctx;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
rc = ecryptfs_send_message_locked(NULL, 0, msg_type, &msg_ctx);
|
|
||||||
if (rc) {
|
|
||||||
printk(KERN_ERR "%s: Error whilst attempting to send "
|
|
||||||
"message to ecryptfsd; rc = [%d]\n", __func__, rc);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
/* Raw messages are logically context-free (e.g., no
|
|
||||||
* reply is expected), so we set the state of the
|
|
||||||
* ecryptfs_msg_ctx object to indicate that it should
|
|
||||||
* be freed as soon as the message is sent. */
|
|
||||||
mutex_lock(&msg_ctx->mux);
|
|
||||||
msg_ctx->state = ECRYPTFS_MSG_CTX_STATE_NO_REPLY;
|
|
||||||
mutex_unlock(&msg_ctx->mux);
|
|
||||||
out:
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ecryptfs_spawn_daemon - Create and initialize a new daemon struct
|
* ecryptfs_spawn_daemon - Create and initialize a new daemon struct
|
||||||
* @daemon: Pointer to set to newly allocated daemon struct
|
* @daemon: Pointer to set to newly allocated daemon struct
|
||||||
|
@ -211,49 +172,6 @@ out:
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* ecryptfs_process_helo
|
|
||||||
* @euid: The user ID owner of the message
|
|
||||||
* @user_ns: The namespace in which @euid applies
|
|
||||||
* @pid: The process ID for the userspace program that sent the
|
|
||||||
* message
|
|
||||||
*
|
|
||||||
* Adds the euid and pid values to the daemon euid hash. If an euid
|
|
||||||
* already has a daemon pid registered, the daemon will be
|
|
||||||
* unregistered before the new daemon is put into the hash list.
|
|
||||||
* Returns zero after adding a new daemon to the hash list;
|
|
||||||
* non-zero otherwise.
|
|
||||||
*/
|
|
||||||
int ecryptfs_process_helo(uid_t euid, struct user_namespace *user_ns,
|
|
||||||
struct pid *pid)
|
|
||||||
{
|
|
||||||
struct ecryptfs_daemon *new_daemon;
|
|
||||||
struct ecryptfs_daemon *old_daemon;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
mutex_lock(&ecryptfs_daemon_hash_mux);
|
|
||||||
rc = ecryptfs_find_daemon_by_euid(&old_daemon, euid, user_ns);
|
|
||||||
if (rc != 0) {
|
|
||||||
printk(KERN_WARNING "Received request from user [%d] "
|
|
||||||
"to register daemon [0x%p]; unregistering daemon "
|
|
||||||
"[0x%p]\n", euid, pid, old_daemon->pid);
|
|
||||||
rc = ecryptfs_send_raw_message(ECRYPTFS_MSG_QUIT, old_daemon);
|
|
||||||
if (rc)
|
|
||||||
printk(KERN_WARNING "Failed to send QUIT "
|
|
||||||
"message to daemon [0x%p]; rc = [%d]\n",
|
|
||||||
old_daemon->pid, rc);
|
|
||||||
hlist_del(&old_daemon->euid_chain);
|
|
||||||
kfree(old_daemon);
|
|
||||||
}
|
|
||||||
rc = ecryptfs_spawn_daemon(&new_daemon, euid, user_ns, pid);
|
|
||||||
if (rc)
|
|
||||||
printk(KERN_ERR "%s: The gods are displeased with this attempt "
|
|
||||||
"to create a new daemon object for euid [%d]; pid "
|
|
||||||
"[0x%p]; rc = [%d]\n", __func__, euid, pid, rc);
|
|
||||||
mutex_unlock(&ecryptfs_daemon_hash_mux);
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ecryptfs_exorcise_daemon - Destroy the daemon struct
|
* ecryptfs_exorcise_daemon - Destroy the daemon struct
|
||||||
*
|
*
|
||||||
|
|
|
@ -193,26 +193,20 @@ int ecryptfs_send_miscdev(char *data, size_t data_size,
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
mutex_lock(&msg_ctx->mux);
|
mutex_lock(&msg_ctx->mux);
|
||||||
if (data) {
|
msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
|
||||||
msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),
|
GFP_KERNEL);
|
||||||
GFP_KERNEL);
|
if (!msg_ctx->msg) {
|
||||||
if (!msg_ctx->msg) {
|
rc = -ENOMEM;
|
||||||
rc = -ENOMEM;
|
printk(KERN_ERR "%s: Out of memory whilst attempting "
|
||||||
printk(KERN_ERR "%s: Out of memory whilst attempting "
|
"to kmalloc(%zd, GFP_KERNEL)\n", __func__,
|
||||||
"to kmalloc(%zd, GFP_KERNEL)\n", __func__,
|
(sizeof(*msg_ctx->msg) + data_size));
|
||||||
(sizeof(*msg_ctx->msg) + data_size));
|
goto out_unlock;
|
||||||
goto out_unlock;
|
}
|
||||||
}
|
|
||||||
} else
|
|
||||||
msg_ctx->msg = NULL;
|
|
||||||
msg_ctx->msg->index = msg_ctx->index;
|
msg_ctx->msg->index = msg_ctx->index;
|
||||||
msg_ctx->msg->data_len = data_size;
|
msg_ctx->msg->data_len = data_size;
|
||||||
msg_ctx->type = msg_type;
|
msg_ctx->type = msg_type;
|
||||||
if (data) {
|
memcpy(msg_ctx->msg->data, data, data_size);
|
||||||
memcpy(msg_ctx->msg->data, data, data_size);
|
msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
|
||||||
msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);
|
|
||||||
} else
|
|
||||||
msg_ctx->msg_size = 0;
|
|
||||||
mutex_lock(&daemon->mux);
|
mutex_lock(&daemon->mux);
|
||||||
list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);
|
list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);
|
||||||
daemon->num_queued_msg_ctx++;
|
daemon->num_queued_msg_ctx++;
|
||||||
|
|
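Review bot: With the `if (data)` / `else` branches gone, the new `memcpy(msg_ctx->msg->data, data, data_size);` line dereferences `data` unconditionally, so ecryptfs_send_miscdev() now carries a non-NULL precondition on `@data` that nothing in the hunk states or enforces; the function starts before the hunk, so its kernel-doc header is outside it. I would record the contract there: `@data: Message payload to copy into the new message; must not be NULL (the payload-less raw-message path was removed)`. Because the only NULL-passing caller was deleted by this commit rather than made impossible, a cheap guard right after the `mutex_lock(&msg_ctx->mux);` line would turn any future regression into a clean error instead of an oops: `if (WARN_ON(!data)) { rc = -EINVAL; goto out_unlock; }`. The `sizeof(*msg_ctx->msg) + data_size` allocation also trusts `data_size` without a bound, but this hunk does not show where that value originates, so that is worth confirming against the callers rather than adding a limit blind.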