diff options
| author | Eric Biggers <ebiggers@google.com> | 2017-12-29 14:30:19 -0600 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2018-03-03 15:52:13 +0000 |
| commit | 1caf418c8437b63c3802ca89b0db6b3a28819c6d (patch) | |
| tree | 4a4dc568f70919e2f5df665e05c2f1f01fbf7a79 /crypto | |
| parent | 8ceeebadb09b04542c99522a694de88838b20fb8 (diff) | |
| download | linux-stable-1caf418c8437b63c3802ca89b0db6b3a28819c6d.tar.gz linux-stable-1caf418c8437b63c3802ca89b0db6b3a28819c6d.tar.bz2 linux-stable-1caf418c8437b63c3802ca89b0db6b3a28819c6d.zip | |
crypto: algapi - fix NULL dereference in crypto_remove_spawns()
commit 9a00674213a3f00394f4e3221b88f2d21fc05789 upstream.
syzkaller triggered a NULL pointer dereference in crypto_remove_spawns()
via a program that repeatedly and concurrently requests AEADs
"authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)"
through AF_ALG, where the hashes are requested as "untested"
(CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this
causes the template to be instantiated for every request).
Although AF_ALG users really shouldn't be able to request an "untested"
algorithm, the NULL pointer dereference is actually caused by a
longstanding race condition where crypto_remove_spawns() can encounter
an instance which has had spawn(s) "grabbed" but hasn't yet been
registered, resulting in ->cra_users still being NULL.
We probably should properly initialize ->cra_users earlier, but that
would require updating many templates individually. For now just fix
the bug in a simple way that can easily be backported: make
crypto_remove_spawns() treat a NULL ->cra_users list as empty.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/algapi.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/crypto/algapi.c b/crypto/algapi.c index 8ea7a5dc3839..300cafd2228d 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -147,6 +147,18 @@ void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list, spawn->alg = NULL; spawns = &inst->alg.cra_users; + + /* + * We may encounter an unregistered instance here, since + * an instance's spawns are set up prior to the instance + * being registered. An unregistered instance will have + * NULL ->cra_users.next, since ->cra_users isn't + * properly initialized until registration. But an + * unregistered instance cannot have any users, so treat + * it the same as ->cra_users being empty. + */ + if (spawns->next == NULL) + break; } } while ((spawns = crypto_more_spawns(alg, &stack, &top, &secondary_spawns))); |