From: Milan Broz <gmazyland@gmail.com>
To: Herbert Xu <herbert@gondor.apana.org.au>,
Dmitry Vyukov <dvyukov@google.com>
Cc: syzkaller@googlegroups.com, davem@davemloft.net,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
kcc@google.com, glider@google.com, edumazet@google.com,
sasha.levin@oracle.com, keescook@google.com,
Stephan Mueller <smueller@chronox.de>
Subject: Re: [PATCH v2] crypto: algif_skcipher - Require setkey before accept(2)
Date: Sat, 2 Jan 2016 12:52:47 +0100 [thread overview]
Message-ID: <5687BA0F.3020104@gmail.com> (raw)
In-Reply-To: <20151225074005.GA14690@gondor.apana.org.au>
On 12/25/2015 08:40 AM, Herbert Xu wrote:
> Dmitry Vyukov <dvyukov@google.com> wrote:
>>
>> I am testing with your two patches:
>> crypto: algif_skcipher - Use new skcipher interface
>> crypto: algif_skcipher - Require setkey before accept(2)
>> on top of a88164345b81292b55a8d4829fdd35c8d611cd7d (Dec 23).
>
> You sent the email to everyone on the original CC list except me.
> Please don't do that.
>
>> Now the following program causes a bunch of use-after-frees and them
>> kills kernel:
>
> Yes there is an obvious bug in the patch that Julia Lawall has
> responded to in another thread. Here is a fixed version.
>
> ---8<--
> Some cipher implementations will crash if you try to use them
> without calling setkey first. This patch adds a check so that
> the accept(2) call will fail with -ENOKEY if setkey hasn't been
> done on the socket yet.
Hi Herbert,
this patch breaks userspace in cryptsetup...
We use algif_skcipher in cryptsetup (for years, even before
there was Stephan's library) and with this patch applied
I see fail in ALG_SET_IV call (patch from your git).
I can fix it upstream, but for thousands of installations it will
be broken (for LUKS there is a fallback, cor TrueCrypt compatible devices
it will be unusable. Also people who configured kernel crypto API as default
backend will have non-working cryptsetup).
Is it really thing for stable branch?
Milan
>
> Cc: stable@vger.kernel.org
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
>
> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
> index 5c756b3..f4431bc 100644
> --- a/crypto/algif_skcipher.c
> +++ b/crypto/algif_skcipher.c
> @@ -31,6 +31,11 @@ struct skcipher_sg_list {
> struct scatterlist sg[0];
> };
>
> +struct skcipher_tfm {
> + struct crypto_skcipher *skcipher;
> + bool has_key;
> +};
> +
> struct skcipher_ctx {
> struct list_head tsgl;
> struct af_alg_sgl rsgl;
> @@ -750,17 +755,41 @@ static struct proto_ops algif_skcipher_ops = {
>
> static void *skcipher_bind(const char *name, u32 type, u32 mask)
> {
> - return crypto_alloc_skcipher(name, type, mask);
> + struct skcipher_tfm *tfm;
> + struct crypto_skcipher *skcipher;
> +
> + tfm = kzalloc(sizeof(*tfm), GFP_KERNEL);
> + if (!tfm)
> + return ERR_PTR(-ENOMEM);
> +
> + skcipher = crypto_alloc_skcipher(name, type, mask);
> + if (IS_ERR(skcipher)) {
> + kfree(tfm);
> + return ERR_CAST(skcipher);
> + }
> +
> + tfm->skcipher = skcipher;
> +
> + return tfm;
> }
>
> static void skcipher_release(void *private)
> {
> - crypto_free_skcipher(private);
> + struct skcipher_tfm *tfm = private;
> +
> + crypto_free_skcipher(tfm->skcipher);
> + kfree(tfm);
> }
>
> static int skcipher_setkey(void *private, const u8 *key, unsigned int keylen)
> {
> - return crypto_skcipher_setkey(private, key, keylen);
> + struct skcipher_tfm *tfm = private;
> + int err;
> +
> + err = crypto_skcipher_setkey(tfm->skcipher, key, keylen);
> + tfm->has_key = !err;
> +
> + return err;
> }
>
> static void skcipher_wait(struct sock *sk)
> @@ -792,20 +821,25 @@ static int skcipher_accept_parent(void *private, struct sock *sk)
> {
> struct skcipher_ctx *ctx;
> struct alg_sock *ask = alg_sk(sk);
> - unsigned int len = sizeof(*ctx) + crypto_skcipher_reqsize(private);
> + struct skcipher_tfm *tfm = private;
> + struct crypto_skcipher *skcipher = tfm->skcipher;
> + unsigned int len = sizeof(*ctx) + crypto_skcipher_reqsize(skcipher);
> +
> + if (!tfm->has_key)
> + return -ENOKEY;
>
> ctx = sock_kmalloc(sk, len, GFP_KERNEL);
> if (!ctx)
> return -ENOMEM;
>
> - ctx->iv = sock_kmalloc(sk, crypto_skcipher_ivsize(private),
> + ctx->iv = sock_kmalloc(sk, crypto_skcipher_ivsize(skcipher),
> GFP_KERNEL);
> if (!ctx->iv) {
> sock_kfree_s(sk, ctx, len);
> return -ENOMEM;
> }
>
> - memset(ctx->iv, 0, crypto_skcipher_ivsize(private));
> + memset(ctx->iv, 0, crypto_skcipher_ivsize(skcipher));
>
> INIT_LIST_HEAD(&ctx->tsgl);
> ctx->len = len;
> @@ -818,7 +852,7 @@ static int skcipher_accept_parent(void *private, struct sock *sk)
>
> ask->private = ctx;
>
> - skcipher_request_set_tfm(&ctx->req, private);
> + skcipher_request_set_tfm(&ctx->req, skcipher);
> skcipher_request_set_callback(&ctx->req, CRYPTO_TFM_REQ_MAY_BACKLOG,
> af_alg_complete, &ctx->completion);
>
>
next prev parent reply other threads:[~2016-01-02 11:52 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-17 12:59 GPF in lrw_crypt Dmitry Vyukov
2015-12-21 22:58 ` Stephan Mueller
2015-12-24 9:39 ` Herbert Xu
2015-12-24 11:03 ` Dmitry Vyukov
2015-12-25 7:40 ` [PATCH v2] crypto: algif_skcipher - Require setkey before accept(2) Herbert Xu
2015-12-28 13:39 ` Dmitry Vyukov
2015-12-29 13:24 ` Herbert Xu
2016-01-02 11:52 ` Milan Broz [this message]
2016-01-02 14:41 ` Milan Broz
2016-01-02 20:03 ` Stephan Mueller
2016-01-02 20:18 ` Milan Broz
2016-01-03 1:31 ` Herbert Xu
2016-01-03 9:42 ` Milan Broz
2016-01-04 4:35 ` [PATCH 1/2] crypto: af_alg - Add nokey compatibility path Herbert Xu
2016-01-04 4:36 ` [PATCH 2/2] crypto: algif_skcipher " Herbert Xu
2016-01-04 12:33 ` [PATCH 1/2] crypto: af_alg " Milan Broz
2016-01-08 12:48 ` Herbert Xu
2016-01-08 18:21 ` Milan Broz
2016-01-09 5:41 ` Herbert Xu
2016-01-09 10:14 ` Milan Broz
2016-01-11 13:26 ` [PATCH 1/2] crypto: skcipher - Add crypto_skcipher_has_setkey Herbert Xu
2016-01-11 13:29 ` [PATCH 2/2] crypto: algif_skcipher - Add key check exception for cipher_null Herbert Xu
2016-01-11 14:59 ` Milan Broz
2016-01-08 13:28 ` [PATCH 1/2] crypto: hash - Add crypto_ahash_has_setkey Herbert Xu
2016-01-08 13:31 ` [PATCH 2/2] crypto: algif_hash - Require setkey before accept(2) Herbert Xu
2016-01-08 13:54 ` kbuild test robot
2016-01-09 10:15 ` Milan Broz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5687BA0F.3020104@gmail.com \
--to=gmazyland@gmail.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=glider@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=kcc@google.com \
--cc=keescook@google.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sasha.levin@oracle.com \
--cc=smueller@chronox.de \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).