From: Herbert Xu <herbert@gondor.apana.org.au>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	linux-crypto@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
	syzkaller <syzkaller@googlegroups.com>,
	Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Eric Dumazet <edumazet@google.com>,
	Sasha Levin <sasha.levin@oracle.com>
Subject: [PATCH 0/2] crypto: Fix race condition in *_check_key
Date: Thu, 14 Jan 2016 22:13:41 +0800
Message-ID: <20160114141341.GA21300@gondor.apana.org.au>
In-Reply-To: <CACT4Y+ap-GiGRjwWr9kDwMNwQOg5TbJfi8kGD2H2Qv5SBrQK4Q@mail.gmail.com>

On Wed, Jan 13, 2016 at 12:58:34PM +0100, Dmitry Vyukov wrote:
> 
> The following program triggers use-after-free in skcipher_sock_destruct.
> This is on upstream commit 03891f9c853d5c4473224478a1e03ea00d70ff8d +
> all pending patches from
> git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git +
> 4 latest Herbert patches.

OK, the check_key function is buggy in that it doesn't lock the
child socket so if you make two syscalls on the child socket at
the same time you can end up freeing the parent socket.

Please try these two patches.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
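
A simplified userspace model of the unlocked check-then-act pattern described in the message above, added here as an illustration; it is not the kernel code or either patch. The reference-counting scheme and all names (`check`, `act`, `try_lock`, the two `refs_after_*` functions) are assumptions, and the interleaving is scripted by hand so the result is deterministic.

```c
#include <stdio.h>

/* Constructed userspace model; every name is hypothetical, not a kernel identifier. */
struct parent { int refs; };                  /* refs == 0 means "freed" */
struct child  { struct parent *p; int keyed; int locked; };

static void parent_put(struct parent *p) { p->refs--; }

/* Step 1: the check. Returns 1 when the caller decides the transition is still due. */
static int check(const struct child *c) { return !c->keyed; }

/* Step 2: the act. Assumed one-time transition: mark the child keyed and drop
 * the child's temporary reference on the parent. */
static void act(struct child *c) { c->keyed = 1; parent_put(c->p); }

/* Non-blocking model of a per-child lock: 1 if acquired, 0 if already held. */
static int try_lock(struct child *c) { if (c->locked) return 0; c->locked = 1; return 1; }
static void unlock(struct child *c) { c->locked = 0; }

/* Unlocked: callers A and B both run the check before either acts. */
static int refs_after_unlocked_race(void) {
    struct parent p = { 2 };          /* 1 owner reference + 1 temporary child reference */
    struct child c = { &p, 0, 0 };
    int a = check(&c), b = check(&c); /* both see keyed == 0 */
    if (a) act(&c);
    if (b) act(&c);                   /* second put drops the owner's reference */
    return p.refs;                    /* 0: parent freed while its owner still uses it */
}

/* Locked: check and act form one critical section, so B cannot check until A is done. */
static int refs_after_locked_race(void) {
    struct parent p = { 2 };
    struct child c = { &p, 0, 0 };
    int a_in = try_lock(&c);
    int b_in = try_lock(&c);          /* B arrives concurrently and is kept out */
    if (a_in && check(&c)) act(&c);
    unlock(&c);
    if (!b_in) b_in = try_lock(&c);   /* B gets the lock only after A released it */
    if (b_in && check(&c)) act(&c);   /* keyed == 1 now, so no second put */
    unlock(&c);
    return p.refs;                    /* 1: the owner's reference is intact */
}

int main(void) {
    printf("unlocked: parent refs = %d\n", refs_after_unlocked_race());
    printf("locked:   parent refs = %d\n", refs_after_locked_race());
    return 0;
}
```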


Thread overview: 9+ messages
2016-01-13 11:58 crypto: use-after-free in skcipher_sock_destruct Dmitry Vyukov
2016-01-14 14:13 ` Herbert Xu [this message]
2016-01-14 14:15   ` [PATCH 1/2] crypto: algif_hash - Fix race condition in hash_check_key Herbert Xu
2016-01-14 14:16     ` [PATCH 2/2] crypto: algif_skcipher - Fix race condition in skcipher_check_key Herbert Xu
2016-01-15  9:06   ` [PATCH 0/2] crypto: Fix race condition in *_check_key Dmitry Vyukov
2016-01-15 13:59     ` [v2 PATCH " Herbert Xu
2016-01-15 14:01       ` [v2 PATCH 1/2] crypto: algif_hash - Fix race condition in hash_check_key Herbert Xu
2016-01-15 14:02       ` [v2 PATCH 2/2] crypto: algif_skcipher - Fix race condition in skcipher_check_key Herbert Xu
2016-01-15 17:30       ` [v2 PATCH 0/2] crypto: Fix race condition in *_check_key Dmitry Vyukov
