在 2017/12/18 20:00, Greg KH 写道:
On Mon, Dec 18, 2017 at 11:09:23AM +, Li Kun wrote:
alg_setkey do not check the keylen whether it is zero, so the key
may be ZERO_SIZE_PTR when keylen is 0, which will pass the
copy_from_user's checking and be passed to the lower functions as key.
If the
On Mon, Dec 18, 2017 at 11:09:23AM +, Li Kun wrote:
> alg_setkey do not check the keylen whether it is zero, so the key
> may be ZERO_SIZE_PTR when keylen is 0, which will pass the
> copy_from_user's checking and be passed to the lower functions as key.
>
> If the lower functions only check
alg_setkey do not check the keylen whether it is zero, so the key
may be ZERO_SIZE_PTR when keylen is 0, which will pass the
copy_from_user's checking and be passed to the lower functions as key.
If the lower functions only check the key if it is NULL, ZERO_SIZE_PTR
will pass the checking, and
