[Help] Null pointer exception in scatterwalk_start() in kernel-4.9

Hi Dear Herbert,

Sorry to bother you, but we've met a problem in the crypto module; would you please kindly help us look into it? Thank you very much.

In the function chain below, scatterwalk_start() doesn't check the result of sg_next(), so the kernel will crash if sg_next() returns a null pointer, which is our case. (The full stack is at the end of the letter.)

blkcipher_walk_done() -> scatterwalk_done() -> scatterwalk_pagedone() -> scatterwalk_start(walk, sg_next(walk->sg));

Should we add a null-pointer check in scatterwalk_start()? Or is there any process that can ensure that there is a valid sg pointer if the condition (walk->offset >= walk->sg->offset + walk->sg->length) is true?

We are really looking forward to your reply; any information will be appreciated. Thanks again.

Best regards
Chen Gong
2018.11.20

-------------------------------------------------------------------------------------------------------------------
Full Stack:
<1>[395491.178009s][pid:29501,cpu4,Binder:708_A]Unable to handle kernel NULL pointer dereference at virtual address 00000008
<1>[395491.178039s][pid:29501,cpu4,Binder:708_A]pgd = ffffffc112c27000
<1>[395491.178039s][pid:29501,cpu4,Binder:708_A][00000008] *pgd=0000000000000000, *pud=0000000000000000
<0>[395491.178070s][pid:29501,cpu4,Binder:708_A]Internal error: Oops: 96000005 [#1] PREEMPT SMP
<4>[395491.178070s][pid:29501,cpu4,Binder:708_A]Modules linked in: hisi_dummy_ko
<4>[395491.178100s][pid:29501,cpu4,Binder:708_A]CPU: 4 PID: 29501 Comm: Binder:708_A VIP: 00 Tainted: G        W       4.9.111 #1
<4>[395491.178100s][pid:29501,cpu4,Binder:708_A]TGID: 708 Comm: Binder:708_2
<4>[395491.178100s][pid:29501,cpu4,Binder:708_A]Hardware name: hi3660 (DT)
<4>[395491.178100s][pid:29501,cpu4,Binder:708_A]task: ffffffc1d43ec880 task.stack: ffffffc3007e0000
<4>[395491.178100s][pid:29501,cpu4,Binder:708_A]PC is at blkcipher_walk_done+0x210/0x354
<4>[395491.178131s][pid:29501,cpu4,Binder:708_A]LR is at blkcipher_walk_done+0x20c/0x354
<4>[395491.178131s][pid:29501,cpu4,Binder:708_A]pc : [<ffffff9c1b23abfc>] lr : [<ffffff9c1b23abf8>] pstate: 60000145
<4>[395491.178131s][pid:29501,cpu4,Binder:708_A]sp : ffffffc3007e3950
<4>[395491.178131s][pid:29501,cpu4,Binder:708_A]x29: ffffffc3007e3950 x28: 0000000000000000 
<4>[395491.178161s][pid:29501,cpu4,Binder:708_A]x27: ffffffc1c6ef501e x26: 0000000000000100 
<4>[395491.178161s][pid:29501,cpu4,Binder:708_A]x25: ffffffc3007e3b40 x24: ffffffc3007e3be8 
<4>[395491.178161s][pid:29501,cpu4,Binder:708_A]x23: 0000000000000001 x22: 0000000000000500 
<4>[395491.178161s][pid:29501,cpu4,Binder:708_A]x21: ffffffc3007e3a90 x20: ffffffc3007e3a10 
<4>[395491.178192s][pid:29501,cpu4,Binder:708_A]x19: ffffffc3007e39d8 x18: 0000000000000001 
<4>[395491.178192s][pid:29501,cpu4,Binder:708_A]x17: 00000075aca06934 x16: ffffff9c1b032d10 
<4>[395491.178192s][pid:29501,cpu4,Binder:708_A]x15: 00000075aaffe5b8 x14: 0000000000000000 
<4>[395491.178222s][pid:29501,cpu4,Binder:708_A]x13: 00000075ac08642d x12: 0000000000000001 
<4>[395491.178222s][pid:29501,cpu4,Binder:708_A]x11: 0000000000000000 x10: ffffffc3175e1680 
<4>[395491.178222s][pid:29501,cpu4,Binder:708_A]x9 : ffffff9c1d408000 x8 : 0000000000000000 
<4>[395491.178253s][pid:29501,cpu4,Binder:708_A]x7 : ffffff9c1c280000 x6 : 0000000000000001 
<4>[395491.178253s][pid:29501,cpu4,Binder:708_A]x5 : ffffffc3007e3be8 x4 : 0000000000000000 
<4>[395491.178253s][pid:29501,cpu4,Binder:708_A]x3 : 0000000000000100 x2 : 0000000000000500 
<4>[395491.178253s][pid:29501,cpu4,Binder:708_A]x1 : ffffffc31aa934c2 x0 : 0000000000000000 
<4>[395491.180725s][pid:29501,cpu4,Binder:708_A][<ffffff9c1b23abfc>] blkcipher_walk_done+0x210/0x354
<4>[395491.180755s][pid:29501,cpu4,Binder:708_A][<ffffff9c1ae9fcb0>] cbc_decrypt+0xa0/0xe8
<4>[395491.180755s][pid:29501,cpu4,Binder:708_A][<ffffff9c1b263a60>] ablk_decrypt+0x78/0xf4
<4>[395491.180755s][pid:29501,cpu4,Binder:708_A][<ffffff9c1b23b5e0>] skcipher_decrypt_ablkcipher+0x70/0x80
<4>[395491.180786s][pid:29501,cpu4,Binder:708_A][<ffffff9c1b24a698>] crypto_cts_decrypt+0xf0/0x184
<4>[395491.180786s][pid:29501,cpu4,Binder:708_A][<ffffff9c1b0740f0>] fname_decrypt.isra.1+0x110/0x1d8
<4>[395491.180786s][pid:29501,cpu4,Binder:708_A][<ffffff9c1b074428>] fscrypt_fname_disk_to_usr+0x1d8/0x264
<4>[395491.180816s][pid:29501,cpu4,Binder:708_A][<ffffff9c1b198f24>] f2fs_fill_dentries+0x13c/0x1d4
<4>[395491.180816s][pid:29501,cpu4,Binder:708_A][<ffffff9c1b199190>] f2fs_readdir+0x1d4/0x684
<4>[395491.180816s][pid:29501,cpu4,Binder:708_A][<ffffff9c1b0327c8>] iterate_dir+0x84/0x1c4
<4>[395491.180816s][pid:29501,cpu4,Binder:708_A][<ffffff9c1b032d94>] SyS_getdents64+0x84/0x120
<4>[395491.180847s][pid:29501,cpu4,Binder:708_A][<ffffff9c1ae83900>] el0_svc_naked+0x34/0x38
<0>[395491.180847s][pid:29501,cpu4,Binder:708_A]Code: 6b01005f 54fffce3 9402004b f9001e60 (b9400800)
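Added example, not part of the report and not kernel code: a user-space C model of the walk logic named in the report (the walk advances to sg_next() only while bytes remain, and the advance reads the next entry's offset), which shows that sg_next() can hand scatterwalk_start() a NULL only when the request is longer than the scatterlist supplies, and a caller-side length check that rejects such a request before the walk runs off the end. The struct, function names other than sg_next and the sample lists are constructed for the model.

```c
#include <stdio.h>

/* Stand-in for struct scatterlist; sg_next() returns NULL past the last entry. */
struct sg { unsigned int offset; unsigned int length; int is_last; };

static const struct sg *sg_next(const struct sg *s) { return s->is_last ? NULL : s + 1; }

/* Sum of segment lengths: the bytes a scatterlist can actually supply. */
static unsigned int sg_total(const struct sg *s) {
    unsigned int total = 0;
    for (; s; s = sg_next(s)) total += s->length;
    return total;
}

/* Model of the walk: consume nbytes, moving to the next segment only while
 * bytes remain ("more"), as scatterwalk_done()/scatterwalk_pagedone() do.
 * Returns 0 on success, -1 where the kernel would pass NULL to scatterwalk_start(). */
static int walk_bytes(const struct sg *list, unsigned int nbytes) {
    const struct sg *cur = list;
    unsigned int off = list->offset;
    while (nbytes) {
        unsigned int avail = cur->offset + cur->length - off;
        unsigned int n = nbytes < avail ? nbytes : avail;
        off += n;
        nbytes -= n;
        if (nbytes && off >= cur->offset + cur->length) {
            const struct sg *next = sg_next(cur);
            if (!next) return -1;  /* reading next->offset here is the NULL dereference */
            cur = next;
            off = next->offset;
        }
    }
    return 0;
}

/* Constructed sample lists (not taken from the report). */
static const struct sg ok_list[]    = { {0, 0x100, 0}, {0, 0x400, 1} };  /* 0x500 bytes */
static const struct sg short_list[] = { {0, 0x100, 0}, {0, 0x300, 1} };  /* 0x400 bytes */

/* Caller-side check: refuse a request the scatterlist cannot cover. */
static int request_fits(const struct sg *list, unsigned int nbytes) {
    return sg_total(list) >= nbytes;
}

int main(void) {
    printf("ok_list    0x500: walk=%d fits=%d\n", walk_bytes(ok_list, 0x500), request_fits(ok_list, 0x500));
    printf("short_list 0x500: walk=%d fits=%d\n", walk_bytes(short_list, 0x500), request_fits(short_list, 0x500));
    return 0;
}
```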