Commit 29669885 authored Nov 14, 2024 by Vitaliy Shevtsov Committed by Li Huafei Nov 14, 2024

nvmet-auth: assign dh_key to NULL after kfree_sensitive

stable inclusion
from stable-v6.6.60
commit c60af16e1d6cc2237d58336546d6adfc067b6b8f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB37AJ
CVE: CVE-2024-50215

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c60af16e1d6cc2237d58336546d6adfc067b6b8f



--------------------------------

[ Upstream commit d2f551b1f72b4c508ab9298419f6feadc3b5d791 ]

ctrl->dh_key might be used across multiple calls to nvmet_setup_dhgroup()
for the same controller. So it's better to nullify it after release on
error path in order to avoid double free later in nvmet_destroy_auth().

Found by Linux Verification Center (linuxtesting.org) with Svace.

Fixes: 7a277c37 ("nvmet-auth: Diffie-Hellman key exchange support")
Cc: stable@vger.kernel.org
Signed-off-by: Vitaliy Shevtsov <v.shevtsov@maxima.ru>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Li Huafei <lihuafei1@huawei.com>

parent 19640fb0

drivers/nvme/target/auth.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -101,6 +101,7 @@ int nvmet_setup_dhgroup(struct nvmet_ctrl *ctrl, u8 dhgroup_id)
		pr_debug("%s: ctrl %d failed to generate private key, err %d\n",
		__func__, ctrl->cntlid, ret);
		kfree_sensitive(ctrl->dh_key);
		ctrl->dh_key = NULL;
		return ret;
		}
		ctrl->dh_keysize = crypto_kpp_maxsize(ctrl->dh_tfm);