diff options
author | Stephan Mueller <smueller@chronox.de> | 2018-01-02 08:55:25 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2018-06-16 22:21:51 +0100 |
commit | cd3e607bb8cee3c34258a728fc6b0b5d7c7be608 (patch) | |
tree | 84f8c901ba4fdc52be49c01c49ad5717a53c1671 /crypto | |
parent | fae04c265403021f0cfed1c2e2c1aa99efaeff9a (diff) | |
download | linux-stable-cd3e607bb8cee3c34258a728fc6b0b5d7c7be608.tar.gz linux-stable-cd3e607bb8cee3c34258a728fc6b0b5d7c7be608.tar.bz2 linux-stable-cd3e607bb8cee3c34258a728fc6b0b5d7c7be608.zip |
crypto: af_alg - whitelist mask and type
commit bb30b8848c85e18ca7e371d0a869e94b3e383bdf upstream.
The user space interface allows specifying the type and mask field used
to allocate the cipher. Only a subset of the possible flags are intended
for user space. Therefore, white-list the allowed flags.
In case the user space caller uses at least one non-allowed flag, EINVAL
is returned.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: We don't have a CRYPTO_ALG_INTENRAL flag and
didn't blacklist it here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/af_alg.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 30c1ae491fd4..9821a116047e 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -149,6 +149,7 @@ EXPORT_SYMBOL_GPL(af_alg_release_parent); static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) { + const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY; struct sock *sk = sock->sk; struct alg_sock *ask = alg_sk(sk); struct sockaddr_alg *sa = (void *)uaddr; @@ -156,6 +157,10 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) void *private; int err; + /* If caller uses non-allowed flag, return error. */ + if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) + return -EINVAL; + if (sock->state == SS_CONNECTED) return -EINVAL; |