From: Herbert Xu <herbert@gondor.apana.org.au>
To: "Stephan Müller" <smueller@chronox.de>
Cc: Eric Biggers <ebiggers3@gmail.com>,
syzbot
<bot+3401d9494b9380f7244bcc7fec49680878fccba6@syzkaller.appspotmail.com>,
davem@davemloft.net, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH v2] crypto: AF_ALG - race-free access of encryption flag
Date: Wed, 29 Nov 2017 10:02:40 +1100 [thread overview]
Message-ID: <20171128230240.GA17611@gondor.apana.org.au> (raw)
In-Reply-To: <1943686.EAKghbSqDq@positron.chronox.de>
On Tue, Nov 28, 2017 at 10:33:09PM +0100, Stephan Müller wrote:
> Hi Herbert,
>
> I verified the correctnes of the patch with Eric's test program.
> Without the patch, the issue is present. With the patch, the kernel
> happily lives ever after.
>
> Changes v2: change the submission into a proper patch
>
> Ciao
> Stephan
>
> ---8<---
>
> The function af_alg_get_rsgl may sleep to wait for additional data. In
> this case, the socket lock may be dropped. This allows user space to
> change values in the socket data structure. Hence, all variables of the
> context that are needed before and after the af_alg_get_rsgl must be
> copied into a local variable.
>
> This issue applies to the ctx->enc variable only. Therefore, this
> value is copied into a local variable that is used for all operations
> before and after the potential sleep and lock release. This implies that
> any changes on this variable while the kernel waits for data will only
> be picked up in another recvmsg operation.
>
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Cc: <stable@vger.kernel.org> # v4.14+
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> ---
> crypto/algif_aead.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
> index 7d2d162666e5..4ba13c0b97ca 100644
> --- a/crypto/algif_aead.c
> +++ b/crypto/algif_aead.c
> @@ -110,6 +110,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
> size_t outlen = 0; /* [out] RX bufs produced by kernel */
> size_t usedpages = 0; /* [in] RX bufs to be used from user */
> size_t processed = 0; /* [in] TX bufs to be consumed */
> + bool enc = ctx->enc; /* prevent race if sock lock dropped */
This is wrong. You can't fetch ctx->enc before you wait. It has
to be done after the wait as otherwise ctx->enc may not even have
been initialised.
In fact the position of the wait call is just wrong. You should only
ever do at most one wait at the start of the recvmsg call. Once you
have enough data from that wait no further waits should be done for
that recvmsg call. The original commit had it right with just one
wait at the start of recvmsg (400c40cf78da).
Fetching of ctx state should be performed after this wait.
Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
next prev parent reply other threads:[~2017-11-28 23:02 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-27 18:56 general protection fault in blkcipher_walk_done syzbot
2017-11-27 18:56 ` syzbot
2017-11-28 5:37 ` Eric Biggers
2017-11-28 5:37 ` Eric Biggers
2017-11-28 7:53 ` Eric Biggers
2017-11-28 7:53 ` Eric Biggers
2017-11-28 8:31 ` Stephan Mueller
2017-11-28 8:31 ` Stephan Mueller
2017-11-28 9:03 ` Stephan Mueller
2017-11-28 9:03 ` Stephan Mueller
2017-11-28 21:33 ` [PATCH v2] crypto: AF_ALG - race-free access of encryption flag Stephan Müller
2017-11-28 21:33 ` Stephan Müller
2017-11-28 22:40 ` Eric Biggers
2017-11-28 22:40 ` Eric Biggers
2017-11-28 23:02 ` Herbert Xu [this message]
2017-11-28 23:02 ` Herbert Xu
2017-11-29 6:48 ` Stephan Mueller
2017-11-29 6:48 ` Stephan Mueller
2017-11-29 7:10 ` Herbert Xu
2017-11-29 7:10 ` Herbert Xu
2017-11-29 7:17 ` Stephan Mueller
2017-11-29 7:17 ` Stephan Mueller
2017-11-29 10:17 ` [PATCH] crypto: AF_ALG - wait for data at beginning of recvmsg Stephan Müller
2017-11-29 10:17 ` Stephan Müller
2017-11-29 10:22 ` Herbert Xu
2017-11-29 10:22 ` Herbert Xu
2017-11-29 10:28 ` Stephan Mueller
2017-11-29 10:28 ` Stephan Mueller
2017-11-29 10:42 ` Herbert Xu
2017-11-29 10:42 ` Herbert Xu
2017-11-29 11:02 ` [PATCH v2] " Stephan Müller
2017-11-29 11:02 ` Stephan Müller
2017-12-11 11:45 ` Herbert Xu
2017-12-11 11:45 ` Herbert Xu
2017-11-29 11:05 ` [PATCH v2] crypto: AF_ALG - race-free access of encryption flag Stephan Müller
2017-11-29 11:05 ` Stephan Müller
2017-11-29 12:17 ` Herbert Xu
2017-11-29 12:17 ` Herbert Xu
2017-12-11 19:10 ` general protection fault in blkcipher_walk_done Eric Biggers
2017-12-11 19:10 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171128230240.GA17611@gondor.apana.org.au \
--to=herbert@gondor.apana.org.au \
--cc=bot+3401d9494b9380f7244bcc7fec49680878fccba6@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=ebiggers3@gmail.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=smueller@chronox.de \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.