From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, syzbot <syzkaller@googlegroups.com>,
Eric Biggers <ebiggers@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 3.18 33/46] crypto: algapi - fix NULL dereference in crypto_remove_spawns()
Date: Mon, 15 Jan 2018 13:33:41 +0100 [thread overview]
Message-ID: <20180115123331.276496779@linuxfoundation.org> (raw)
In-Reply-To: <20180115123327.303455538@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 9a00674213a3f00394f4e3221b88f2d21fc05789 upstream.
syzkaller triggered a NULL pointer dereference in crypto_remove_spawns()
via a program that repeatedly and concurrently requests AEADs
"authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)"
through AF_ALG, where the hashes are requested as "untested"
(CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this
causes the template to be instantiated for every request).
Although AF_ALG users really shouldn't be able to request an "untested"
algorithm, the NULL pointer dereference is actually caused by a
longstanding race condition where crypto_remove_spawns() can encounter
an instance which has had spawn(s) "grabbed" but hasn't yet been
registered, resulting in ->cra_users still being NULL.
We probably should properly initialize ->cra_users earlier, but that
would require updating many templates individually. For now just fix
the bug in a simple way that can easily be backported: make
crypto_remove_spawns() treat a NULL ->cra_users list as empty.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/algapi.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -159,6 +159,18 @@ void crypto_remove_spawns(struct crypto_
spawn->alg = NULL;
spawns = &inst->alg.cra_users;
+
+ /*
+ * We may encounter an unregistered instance here, since
+ * an instance's spawns are set up prior to the instance
+ * being registered. An unregistered instance will have
+ * NULL ->cra_users.next, since ->cra_users isn't
+ * properly initialized until registration. But an
+ * unregistered instance cannot have any users, so treat
+ * it the same as ->cra_users being empty.
+ */
+ if (spawns->next == NULL)
+ break;
}
} while ((spawns = crypto_more_spawns(alg, &stack, &top,
&secondary_spawns)));
next prev parent reply other threads:[~2018-01-15 12:37 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-15 12:33 [PATCH 3.18 00/46] 3.18.92-stable review Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 01/46] kernel/acct.c: fix the acct->needcheck check in check_free_space() Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 02/46] crypto: n2 - cure use after free Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 03/46] fscache: Fix the default for fscache_maybe_release_page() Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 04/46] kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 05/46] kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only() signals Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 06/46] kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal() Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 07/46] Input: elantech - add new icbody type 15 Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 08/46] can: gs_usb: fix return value of the "set_bittiming" callback Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 09/46] IB/srpt: Disable RDMA access by the initiator Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 10/46] MIPS: Factor out NT_PRFPREG regset access helpers Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 11/46] MIPS: Guard against any partial write attempt with PTRACE_SETREGSET Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 12/46] MIPS: Consistently handle buffer counter " Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 13/46] MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 14/46] MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 15/46] MIPS: Also verify sizeof `elf_fpreg_t with PTRACE_SETREGSET Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 16/46] perf/core: Fix concurrent sys_perf_event_open() vs. move_group race Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 17/46] kvm: vmx: Scrub hardware GPRs at VM-exit Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 18/46] x86/acpi: Handle SCI interrupts above legacy space gracefully Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 19/46] ALSA: pcm: Remove incorrect snd_BUG_ON() usages Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 20/46] ALSA: pcm: Add missing error checks in OSS emulation plugin builder Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 21/46] ALSA: pcm: Abort properly at pending signal in OSS read/write loops Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 22/46] ALSA: pcm: Allow aborting mutex lock at " Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 23/46] ALSA: aloop: Release cable upon open error path Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 24/46] ALSA: aloop: Fix inconsistent format due to incomplete rule Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 25/46] ALSA: aloop: Fix racy hw constraints adjustment Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 26/46] x86/acpi: Reduce code duplication in mp_override_legacy_irq() Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 27/46] 8021q: fix a memory leak for VLAN 0 device Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 28/46] RDS: Heap OOB write in rds_message_alloc_sgs() Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 29/46] RDS: null pointer dereference in rds_atomic_free_op Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 30/46] sh_eth: fix TSU resource handling Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 31/46] sh_eth: fix SH7757 GEther initialization Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 32/46] net: stmmac: enable EEE in MII, GMII or RGMII only Greg Kroah-Hartman
2018-01-15 12:33 ` Greg Kroah-Hartman [this message]
2018-01-15 12:33 ` [PATCH 3.18 34/46] x86/microcode/intel: Extend BDW late-loading with a revision check Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 35/46] iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 36/46] target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 37/46] [PATCH] Revert "can: kvaser_usb: free buf in error paths" Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 38/46] USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 39/46] USB: serial: cp210x: add new device ID ELV ALC 8xxx Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 40/46] usb: misc: usb3503: make sure reset is low for at least 100us Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 41/46] USB: fix usbmon BUG trigger Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 42/46] usbip: remove kernel addresses from usb device and urb debug msgs Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 43/46] staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 44/46] Bluetooth: Prevent stack info leak from the EFS element Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 45/46] uas: ignore UAS for Norelsys NS1068(X) chips Greg Kroah-Hartman
2018-01-15 12:33 ` [PATCH 3.18 46/46] e1000e: Fix e1000_check_for_copper_link_ich8lan return value Greg Kroah-Hartman
2018-01-15 16:28 ` [PATCH 3.18 00/46] 3.18.92-stable review kernelci.org bot
2018-01-16 14:28 ` Guenter Roeck
2018-01-16 20:31 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180115123331.276496779@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ebiggers@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.