crypto/algif_rng.c | 3 +++ 1 file changed, 3 insertions(+)
When CONFIG_CRYPTO_USER_API_RNG_CAVP is enabled,
algif_type_rng->setentropy = rng_setentropy.
If we call setsockopt on an af_alg socket bound to an rng
algorithm with the ALG_SET_DRBG_ENTROPY option, the kernel will
reach ->set_ent in rng_setentropy.
Since a struct rng_alg like jent_alg does not set set_ent,
whose default value is 0, a null-ptr-dereference will happen.
Check ->set_ent before calling it.
Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
---
crypto/algif_rng.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/algif_rng.c b/crypto/algif_rng.c
index 10c41adac3b1..26a75c54192b 100644
--- a/crypto/algif_rng.c
+++ b/crypto/algif_rng.c
@@ -303,6 +303,9 @@ static int __maybe_unused rng_setentropy(void *private, sockptr_t entropy,
return PTR_ERR(kentropy);
}
+ if (!crypto_rng_alg(pctx->drng)->set_ent)
+ return -EOPNOTSUPP;
+
crypto_rng_alg(pctx->drng)->set_ent(pctx->drng, kentropy, len);
/*
* Since rng doesn't perform any memory management for the entropy
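Review bot: The new `return -EOPNOTSUPP;` sits after the entropy has been copied into `kentropy` (the `return PTR_ERR(kentropy);` just above is the tail of that copy), so this early exit appears to drop the buffer without freeing it or saving it in `pctx`. The comment that follows says the rng does no memory management for the entropy buffer, so nothing else would release it, and every rejected setsockopt would leak up to `len` bytes of kernel memory. Either move the `->set_ent` check above the copy, or release the buffer on this path with `kfree_sensitive(kentropy);` before the return. The start of rng_setentropy and the rest of its body are outside the hunk, so the allocation itself is inferred from the visible context.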
--
2.34.1
On Tue, Sep 30, 2025 at 11:28:24AM +0800, Dave Sun wrote:
> When CONFIG_CRYPTO_USER_API_RNG_CAVP is enable,
> algif_type_rng->setentropy = rng_setentropy.
> If we setsockopt on a af_alg socket binding a rng
> algorithm with ALG_SET_DRBG_ENTROPY opt, kernel will
> run to ->set_ent in rng_setentropy.
>
> Since struct rng_alg like jent_alg dose not set set_ent
> which default value is 0, null-ptr-dereference will happen.
>
> Check ->set_ent before call it.
>
> Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
> ---
> crypto/algif_rng.c | 3 +++
> 1 file changed, 3 insertions(+)
Thanks for the report. I'd prefer to make set_ent always present:
---8<---
Ensure that set_ent is always set since only drbg provides it.
Fixes: 77ebdabe8de7 ("crypto: af_alg - add extra parameters for DRBG interface")
Reported-by: Yiqi Sun <sunyiqixm@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
diff --git a/crypto/rng.c b/crypto/rng.c
index b8ae6ebc091d..ee1768c5a400 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -168,6 +168,11 @@ int crypto_del_default_rng(void)
EXPORT_SYMBOL_GPL(crypto_del_default_rng);
#endif
+static void rng_default_set_ent(struct crypto_rng *tfm, const u8 *data,
+ unsigned int len)
+{
+}
+
int crypto_register_rng(struct rng_alg *alg)
{
struct crypto_alg *base = &alg->base;
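Review bot: `rng_default_set_ent` is an empty function with no comment, and because it returns void a caller cannot tell that the supplied entropy was discarded. On the af_alg path in crypto/algif_rng.c, rng_setentropy calls `->set_ent` without looking at any result, so a setsockopt against an RNG that ignores test entropy would presumably report success. For a CAVP test interface that silent acceptance should be stated explicitly. I would add above the stub `/* No-op default: this RNG does not take externally supplied test entropy; the data is ignored. */`.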
@@ -179,6 +184,9 @@ int crypto_register_rng(struct rng_alg *alg)
base->cra_flags &= ~CRYPTO_ALG_TYPE_MASK;
base->cra_flags |= CRYPTO_ALG_TYPE_RNG;
+ if (!alg->set_ent)
+ alg->set_ent = rng_default_set_ent;
+
return crypto_register_alg(base);
}
EXPORT_SYMBOL_GPL(crypto_register_rng);
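Review bot: The `if (!alg->set_ent)` default is installed without a comment, and the reason for it lives in another file, where `->set_ent` is called with no NULL check. A one-line comment above the check, such as `/* Users call ->set_ent unconditionally; fall back to a no-op. */`, would keep a later cleanup from removing it. The guarantee also holds only for algorithms that pass through crypto_register_rng. If any rng_alg reaches the registry by another route (none is visible here), it would still carry a NULL hook.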
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt