ICP: Fix null pointer dereference and use after free

[AttilaFueloep]

Motivation and Context

Bugfix.

Description

In gcm_mode_decrypt_contiguous_blocks(), if vmem_alloc() fails, bcopy() is called with a null pointer destination and a length > 0. This results in undefined behavior. Further ctx->gcm_pt_buf is freed but not set to NULL, leading to a potential write after free and a double free due to missing return value handling in crypto_update_uio(). The code as is may write to ctx->gcm_pt_buf in gcm_decrypt_final() and may free ctx->gcm_pt_buf again in aes_decrypt_atomic().

The fix is to slightly rework error handling in gcm_mode_decrypt_contiguous_blocks() and check the return value in crypto_update_uio().

How Has This Been Tested?

As part of another branch this survived 6 hours of zloop. Currently zloop fails with unmodified master within one hour, so can't use zloop to test this PR, sorry.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the ZFS on Linux code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• All new and existing tests passed.
• All commit messages are properly formatted and contain Signed-off-by.

[behlendorf]

Thanks for running down this failure. The fix here makes good sense, my only question is do you know the size and flags passed to the failed vmem_alloc()? I ask because normallly these allocations are not allowed to fail. Did this issue manifest itself as a hang?

[AttilaFueloep]

Well, I found this bug while reading the code, never managed to trigger it. And I agree that it is mostly academic for in-kernel use, but user space consumers of libicp may be able to hit this. This, btw also applies to #9660.

[codecov]

Codecov Report

Merging #9659 into master will increase coverage by 0.05%.
The diff coverage is 50%.

@@            Coverage Diff             @@
##           master    #9659      +/-   ##
==========================================
+ Coverage   79.32%   79.38%   +0.05%     
==========================================
  Files         418      418              
  Lines      123544   123548       +4     
==========================================
+ Hits        98003    98078      +75     
+ Misses      25541    25470      -71

Flag	Coverage Δ
#kernel	79.93% <50%> (-0.02%)	⬇️
#user	67.15% <50%> (+0.26%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5142032...3a834d5. Read the comment docs.

[AttilaFueloep]

The failing resilver test is most likely not related to this change and code coverage can't be increased without making vmem_alloc() fail.

[tcaputi]

LGTM. good catch.

[AttilaFueloep]

Illumos issue 12047