WARNING: refcount bug in crypto_destroy_tfm

WARNING: refcount bug in crypto_destroy_tfm

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit:    468c2a10 mlxsw: spectrum_trap: fix unintention integer ove..
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=11089cb3e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8c1e98458335a7d1
dashboard link: https://syzkaller.appspot.com/bug?extid=fc0674cde00b66844470
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=115f2a43e00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=141ea0ede00000

The bug was bisected to:

commit 4f87ee118d16b4b2116a477229573ed5003b0d78
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Sat Dec 7 14:15:17 2019 +0000

    crypto: api - Do not zap spawn->alg

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10ffbc2be00000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=12ffbc2be00000
console output: https://syzkaller.appspot.com/x/log.txt?x=14ffbc2be00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fc0674cde00b66844470@syzkaller.appspotmail.com
Fixes: 4f87ee118d16 ("crypto: api - Do not zap spawn->alg")

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 7174 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 7174 Comm: syz-executor413 Not tainted 5.6.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 panic+0x2e3/0x75c kernel/panic.c:221
 __warn.cold+0x2f/0x35 kernel/panic.c:582
 report_bug+0x27b/0x2f0 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:175 [inline]
 fixup_bug arch/x86/kernel/traps.c:170 [inline]
 do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:267
 do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
Code: e9 db fe ff ff 48 89 df e8 2c 95 1e fe e9 8a fe ff ff e8 c2 81 e1 fd 48 c7 c7 40 c6 71 88 c6 05 82 bd f1 06 01 e8 17 f6 b2 fd <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
RSP: 0018:ffffc90001a17b18 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815ca861 RDI: fffff52000342f55
RBP: 0000000000000003 R08: ffff8880949fe300 R09: ffffed1015cc66a1
R10: ffffed1015cc66a0 R11: ffff8880ae633507 R12: ffff88809a6d187c
R13: ffff8880a40eb000 R14: 0000000000000000 R15: ffff8880a40eb010
 refcount_sub_and_test include/linux/refcount.h:261 [inline]
 refcount_dec_and_test include/linux/refcount.h:281 [inline]
 crypto_alg_put crypto/internal.h:93 [inline]
 crypto_mod_put crypto/api.c:45 [inline]
 crypto_destroy_tfm+0x2a1/0x310 crypto/api.c:566
 crypto_exit_ops crypto/api.c:308 [inline]
 crypto_destroy_tfm+0xb1/0x310 crypto/api.c:565
 crypto_free_aead include/crypto/aead.h:185 [inline]
 aead_release+0x2d/0x50 crypto/algif_aead.c:506
 alg_do_release crypto/af_alg.c:114 [inline]
 alg_sock_destruct+0x85/0xe0 crypto/af_alg.c:358
 __sk_destruct+0x4b/0x7c0 net/core/sock.c:1696
 sk_destruct+0xc6/0x100 net/core/sock.c:1740
 __sk_free+0xef/0x3d0 net/core/sock.c:1751
 sk_free+0x78/0xa0 net/core/sock.c:1762
 sock_put include/net/sock.h:1778 [inline]
 af_alg_release+0xdb/0x110 crypto/af_alg.c:121
 __sock_release+0xcd/0x280 net/socket.c:605
 sock_close+0x18/0x20 net/socket.c:1283
 __fput+0x2e9/0x860 fs/file_table.c:280
 task_work_run+0xf4/0x1b0 kernel/task_work.c:123
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xb34/0x2dd0 kernel/exit.c:793
 do_group_exit+0x125/0x340 kernel/exit.c:891
 __do_sys_exit_group kernel/exit.c:902 [inline]
 __se_sys_exit_group kernel/exit.c:900 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:900
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x43ff78
Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
RSP: 002b:00007ffe423e1db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff78
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004bf850 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

crypto: api - Fix use-after-free and race in crypto_spawn_alg

[Herbert Xu]

There are two problems in crypto_spawn_alg.  First of all it may
return spawn->alg even if spawn->dead is set.  This results in a
double-free as detected by syzbot.

Secondly the setting of the DYING flag is racy because we hold
the read-lock instead of the write-lock.  We should instead call
crypto_shoot_alg in a safe manner by gaining a refcount, dropping
the lock, and then releasing the refcount.

This patch fixes both problems.

Reported-by: syzbot+fc0674cde00b66844470@syzkaller.appspotmail.com
Fixes: 4f87ee118d16 ("crypto: api - Do not zap spawn->alg")
Fixes: 73669cc55646 ("crypto: api - Fix race condition in...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/algapi.c b/crypto/algapi.c
index 69605e21af92..f8b4dc161c02 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -716,17 +716,27 @@ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
 
 static struct crypto_alg *crypto_spawn_alg(struct crypto_spawn *spawn)
 {
-	struct crypto_alg *alg;
+	struct crypto_alg *alg = ERR_PTR(-EAGAIN);
+	struct crypto_alg *target;
+	bool shoot = false;
 
 	down_read(&crypto_alg_sem);
-	alg = spawn->alg;
-	if (!spawn->dead && !crypto_mod_get(alg)) {
-		alg->cra_flags |= CRYPTO_ALG_DYING;
-		alg = NULL;
+	if (!spawn->dead) {
+		alg = spawn->alg;
+		if (!crypto_mod_get(alg)) {
+			target = crypto_alg_get(alg);
+			shoot = true;
+			alg = ERR_PTR(-EAGAIN);
+		}
 	}
 	up_read(&crypto_alg_sem);
 
-	return alg ?: ERR_PTR(-EAGAIN);
+	if (shoot) {
+		crypto_shoot_alg(target);
+		crypto_alg_put(target);
+	}
+
+	return alg;
 }
 
 struct crypto_tfm *crypto_spawn_tfm(struct crypto_spawn *spawn, u32 type,
diff --git a/crypto/api.c b/crypto/api.c
index 7d71a9b10e5f..edcf690800d4 100644
--- a/crypto/api.c
+++ b/crypto/api.c
@@ -333,12 +333,13 @@ static unsigned int crypto_ctxsize(struct crypto_alg *alg, u32 type, u32 mask)
 	return len;
 }
 
-static void crypto_shoot_alg(struct crypto_alg *alg)
+void crypto_shoot_alg(struct crypto_alg *alg)
 {
 	down_write(&crypto_alg_sem);
 	alg->cra_flags |= CRYPTO_ALG_DYING;
 	up_write(&crypto_alg_sem);
 }
+EXPORT_SYMBOL_GPL(crypto_shoot_alg);
 
 struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
 				      u32 mask)
diff --git a/crypto/internal.h b/crypto/internal.h
index d5ebc60c5143..ff06a3bd1ca1 100644
--- a/crypto/internal.h
+++ b/crypto/internal.h
@@ -65,6 +65,7 @@ void crypto_alg_tested(const char *name, int err);
 void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list,
 			  struct crypto_alg *nalg);
 void crypto_remove_final(struct list_head *list);
+void crypto_shoot_alg(struct crypto_alg *alg);
 struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
 				      u32 mask);
 void *crypto_create_tfm(struct crypto_alg *alg,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg

[Eric Biggers]

On Fri, Apr 10, 2020 at 04:09:42PM +1000, Herbert Xu wrote:
> There are two problems in crypto_spawn_alg.  First of all it may
> return spawn->alg even if spawn->dead is set.  This results in a
> double-free as detected by syzbot.
> 
> Secondly the setting of the DYING flag is racy because we hold
> the read-lock instead of the write-lock.  We should instead call
> crypto_shoot_alg in a safe manner by gaining a refcount, dropping
> the lock, and then releasing the refcount.
> 
> This patch fixes both problems.
> 
> Reported-by: syzbot+fc0674cde00b66844470@syzkaller.appspotmail.com
> Fixes: 4f87ee118d16 ("crypto: api - Do not zap spawn->alg")
> Fixes: 73669cc55646 ("crypto: api - Fix race condition in...")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> diff --git a/crypto/algapi.c b/crypto/algapi.c
> index 69605e21af92..f8b4dc161c02 100644
> --- a/crypto/algapi.c
> +++ b/crypto/algapi.c
> @@ -716,17 +716,27 @@ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
>  
>  static struct crypto_alg *crypto_spawn_alg(struct crypto_spawn *spawn)
>  {
> -	struct crypto_alg *alg;
> +	struct crypto_alg *alg = ERR_PTR(-EAGAIN);
> +	struct crypto_alg *target;
> +	bool shoot = false;
>  
>  	down_read(&crypto_alg_sem);
> -	alg = spawn->alg;
> -	if (!spawn->dead && !crypto_mod_get(alg)) {
> -		alg->cra_flags |= CRYPTO_ALG_DYING;
> -		alg = NULL;
> +	if (!spawn->dead) {
> +		alg = spawn->alg;
> +		if (!crypto_mod_get(alg)) {
> +			target = crypto_alg_get(alg);
> +			shoot = true;
> +			alg = ERR_PTR(-EAGAIN);
> +		}
>  	}
>  	up_read(&crypto_alg_sem);
>  
> -	return alg ?: ERR_PTR(-EAGAIN);
> +	if (shoot) {
> +		crypto_shoot_alg(target);
> +		crypto_alg_put(target);
> +	}
> +
> +	return alg;
>  }

Wouldn't it be a bit simpler to set 'target = NULL', remove 'shoot',
and use 'if (target)' instead of 'if (shoot)'?

- Eric

Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg

[Herbert Xu]

On Wed, Apr 15, 2020 at 07:17:03PM -0700, Eric Biggers wrote:
> 
> Wouldn't it be a bit simpler to set 'target = NULL', remove 'shoot',
> and use 'if (target)' instead of 'if (shoot)'?

Yes it is simpler but it's actually semantically different because
the compiler doesn't know that spawn->alg cannot be NULL in this
case.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg

[Eric Biggers]

On Thu, Apr 16, 2020 at 12:25:02PM +1000, Herbert Xu wrote:
> On Wed, Apr 15, 2020 at 07:17:03PM -0700, Eric Biggers wrote:
> > 
> > Wouldn't it be a bit simpler to set 'target = NULL', remove 'shoot',
> > and use 'if (target)' instead of 'if (shoot)'?
> 
> Yes it is simpler but it's actually semantically different because
> the compiler doesn't know that spawn->alg cannot be NULL in this
> case.
> 

I'm not sure what you mean here.  crypto_alg_get() is:

static inline struct crypto_alg *crypto_alg_get(struct crypto_alg *alg)
{
        refcount_inc(&alg->cra_refcnt);
        return alg;
}

So given:

	target = crypto_alg_get(alg);

Both alg and target have to be non-NULL.

- Eric

Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg

[Herbert Xu]

On Wed, Apr 15, 2020 at 07:30:01PM -0700, Eric Biggers wrote:
> 
> I'm not sure what you mean here.  crypto_alg_get() is:
> 
> static inline struct crypto_alg *crypto_alg_get(struct crypto_alg *alg)
> {
>         refcount_inc(&alg->cra_refcnt);
>         return alg;
> }
> 
> So given:
> 
> 	target = crypto_alg_get(alg);
> 
> Both alg and target have to be non-NULL.

Yes I know that we know that it can't be NULL, but gcc 8.3 doesn't.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg

[Markus Elfring]

> Secondly the setting of the DYING flag is racy because we hold
> the read-lock instead of the write-lock.  We should instead call

Would an imperative wording be preferred for this change description?


> This patch fixes both problems.

Will another wording alternative become relevant?

Are the provided tags sufficient for such information?

Regards,
Markus