Commit d326f904 authored by Gwendal Grignou's avatar Gwendal Grignou
Browse files

ANDROID: dm-default-key: Prevent kernel crash on invalid table



When trying to create a device with an invalid table configuration,
kernel would panic:

For instance, table (note the number of argument 2, should be 1):
"0 <size> default-key aes-xts-plain64 <secret> 0 <dev> 0 2 allow_discards"

Instead of an expected error message in kmsg:
device-mapper: table: 254:24: default-key: Invalid number of feature args (-EINVAL)
the kernel crashes:

[   48.701559] BUG: kernel NULL pointer dereference, address: 0000000000000040
...
[   48.701702]  ? exc_page_fault+0x4f/0xa0
[   48.701709]  ? asm_exc_page_fault+0x22/0x30
[   48.701717]  ? __blk_crypto_evict_key+0x18/0x190
[   48.701722]  blk_crypto_evict_key+0x41/0x90
[   48.701731]  default_key_ctr+0x22a/0x670 [dm_default_key 3355aa60cc2e380cc7745b7937dd463f0a9bc032]
[   48.701745]  dm_table_add_target+0x1de/0x380
[   48.701754]  table_load+0x13b/0x3e0
[   48.701763]  ? __pfx_table_load+0x10/0x10
[   48.701769]  ctl_ioctl+0x180/0x240
[   48.701777]  dm_ctl_ioctl+0xe/0x20

The problem is the key is not initialized yet when the optional
arguments are parsed. __blk_crypto_cfg_supported() expects the
blk_crypto_config to be valid, but since it is not, return true and
__blk_crypto_evict_key() gets called with a NULL profile argument.

Prevent calling blk_crypto_evict_key() when the key size is not yet set.

Bug: 160885805

Change-Id: Ife6f42bb0e32dff5173e77fadda1ed23bac7c8a9
Signed-off-by: default avatarGwendal Grignou <gwendal@google.com>
parent badfc4d0
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment