Re: [PATCH] crypto: user - prevent operating on larval algorithms
From: Herbert Xu
Date: Wed Jul 03 2019 - 10:31:08 EST
On Tue, Jul 02, 2019 at 02:17:00PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Michal Suchanek reported [1] that running the pcrypt_aead01 test from
> LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of
> alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg().
> The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.
>
> The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to
> unregister isn't a real registered algorithm, but rather is a "test
> larval", which is a special "algorithm" added to the algorithms list
> while the real algorithm is still being tested. Larvals don't have
> initialized cra_users, so that causes the crash. Normally pcrypt_aead01
> doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm
> to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.
>
> Everything else in the "crypto user configuration" API has this same bug
> too, i.e. it inappropriately allows operating on larval algorithms
> (though it doesn't look like the other cases can cause a crash).
>
> Fix this by making crypto_alg_match() exclude larval algorithms.
>
> [1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@xxxxxxx
> [2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c
>
> Reported-by: Michal Suchanek <msuchanek@xxxxxxx>
> Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
> Cc: <stable@xxxxxxxxxxxxxxx> # v3.2+
> Cc: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> ---
> crypto/crypto_user_base.c | 3 +++
> 1 file changed, 3 insertions(+)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt