From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: chetjain@in.ibm.com, "David S . Miller" <davem@davemloft.net>,
	linux-kernel@vger.kernel.org, Michal Suchanek <msuchanek@suse.de>,
	stable@vger.kernel.org,
	Steffen Klassert <steffen.klassert@secunet.com>
Subject: [PATCH] crypto: user - prevent operating on larval algorithms
Date: Tue,  2 Jul 2019 14:17:00 -0700
Message-ID: <20190702211700.16526-1-ebiggers@kernel.org>
In-Reply-To: <20190701153154.1569c2dc@kitsune.suse.cz>

From: Eric Biggers <ebiggers@google.com>

Michal Suchanek reported [1] that running the pcrypt_aead01 test from
LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of
alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg().
The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.

The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to
unregister isn't a real registered algorithm, but rather is a "test
larval", which is a special "algorithm" added to the algorithms list
while the real algorithm is still being tested.  Larvals don't have
initialized cra_users, so that causes the crash.  Normally pcrypt_aead01
doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm
to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.

Everything else in the "crypto user configuration" API has this same bug
too, i.e. it inappropriately allows operating on larval algorithms
(though it doesn't look like the other cases can cause a crash).

Fix this by making crypto_alg_match() exclude larval algorithms.

[1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de
[2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c

Reported-by: Michal Suchanek <msuchanek@suse.de>
Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
Cc: <stable@vger.kernel.org> # v3.2+
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 crypto/crypto_user_base.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/crypto_user_base.c b/crypto/crypto_user_base.c
index e48da3b75c71d4..a89fcc530092a8 100644
--- a/crypto/crypto_user_base.c
+++ b/crypto/crypto_user_base.c
@@ -56,6 +56,9 @@ struct crypto_alg *crypto_alg_match(struct crypto_user_alg *p, int exact)
 	list_for_each_entry(q, &crypto_alg_list, cra_list) {
 		int match = 0;
 
+		if (crypto_is_larval(q))
+			continue;
+
 		if ((q->cra_flags ^ p->cru_type) & p->cru_mask)
 			continue;
 
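Review bot: The new crypto_is_larval(q) check at the top of the loop body in crypto_alg_match() carries no comment, and the reason for it lives only in the commit message. A one-line comment above it, saying that test larvals sit on crypto_alg_list while the real algorithm is still being tested and do not have initialized cra_users, would keep a later cleanup from dropping the check. Placing it ahead of the cru_type/cru_mask test is right, since it then applies regardless of the value of exact. It would also help if the commit message stated what callers such as crypto_del_alg() now report to userspace when the only entry matching the name is a larval, because that is not visible in this hunk.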
-- 
2.22.0.410.gd8fdbe21b5-goog

