[PATCH 3.2 50/67] crypto: algif_skcipher - Do not dereference ctx without socket lock

From: Ben Hutchings
Date: Tue Feb 23 2016 - 17:02:18 EST


3.2.78-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

commit 6454c2b83f719057069777132b13949e4c6b6350 upstream.

Any access to non-constant bits of the private context must be
done under the socket lock, in particular, this includes ctx->req.

This patch moves such accesses under the lock, and fetches the
tfm from the parent socket which is guaranteed to be constant,
rather than from ctx->req.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
[bwh: Backported to 3.2:
- Drop changes to skcipher_recvmsg_async
- s/skcipher/ablkcipher/ in many places
- s/skc->skcipher/skc->base/]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
crypto/algif_skcipher.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -249,8 +249,11 @@ static int skcipher_sendmsg(struct kiocb
{
struct sock *sk = sock->sk;
struct alg_sock *ask = alg_sk(sk);
+ struct sock *psk = ask->parent;
+ struct alg_sock *pask = alg_sk(psk);
struct skcipher_ctx *ctx = ask->private;
- struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(&ctx->req);
+ struct ablkcipher_tfm *skc = pask->private;
+ struct crypto_ablkcipher *tfm = skc->base;
unsigned ivsize = crypto_ablkcipher_ivsize(tfm);
struct skcipher_sg_list *sgl;
struct af_alg_control con = {};