Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2272989imm;
        Thu, 7 Jun 2018 08:02:39 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKJHV53043x3yyGqv3BPqEuGFqwoAOUNRFM0f2x+eUU3us3nX/KA+yLoZrkV69pYOBBdo83C
X-Received: by 2002:a17:902:9689:: with SMTP id n9-v6mr2338200plp.363.1528383759066;
        Thu, 07 Jun 2018 08:02:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1528383759; cv=none;
        d=google.com; s=arc-20160816;
        b=ouiGusNgD+KF9ovJXwzB42r62Bt3UDl+EVq5ymP1ysqbFTRo8ooRCkn1QkYjtrm6dT
         nFsavcYd3v5V/bwpwQWj6So5E8GTs/Llu0zpgKBEj3MRzc58oDOGncTC4CO5PpgYJk1B
         fkeGf2D99gIUXnAgXge/ZybXzZAIv1wz9GwHaNtyqK94M6vCQwXCMgX7Jn9Sukr5jJ4A
         N0FM1kXGXJ5SOHOJjd599JJY0DjvuefsMxQ09/8NLGbWbMpBcUHG7+wcWGv0Ph3TND/w
         stovIKCRGOAdDOAkb3nePwG+Ni0xu8sw1Jcr9lI+HQwpja/S2MSPbAj6LlnmrlsryAX+
         isHA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition
         :arc-authentication-results;
        bh=So9OurlyQcQKHRPI0kjcqgaL7e0ikEG1DzDMe25CPMM=;
        b=LlGdhdHZmqr9s3aC2cYgOrZ12sCPbnCUWxqhhJ2J6kpjl8NN8V58kEM8GRaWnOCUhU
         ldRkiAYdNGPed9lOQ5OQyJ8yRwIcQEi9KkC3O/z2vazM/LB216hZBWdUu+9OBPJ/duGy
         +tHEPRWQU92oUvSt3nRnhBuP+BF5z3zwfHalqS70WkZ9TIzR/bq1Oofyk6Je2l1o8l/x
         L9D1jyj0rqoa0FOhrBmvhzqzH1/aXG1vZlLrLrP1IM7fIlLG/LVkPL05/oMsklKtckg+
         AIcEU3Q/u5aLuoIm+3TllPE/27eyofM91NeTsKFjRDPFRFhSR+MQ0Dd9hsI529AX6fyf
         d/OQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 5-v6si54796753plx.517.2018.06.07.08.02.24;
        Thu, 07 Jun 2018 08:02:39 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S935852AbeFGPBR (ORCPT <rfc822;chenhe.dev@gmail.com> + 99 others);
        Thu, 7 Jun 2018 11:01:17 -0400
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:41375 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S934578AbeFGPBP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 7 Jun 2018 11:01:15 -0400
Received: from [148.252.241.226] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.84_2)
        (envelope-from <ben@decadent.org.uk>)
        id 1fQvbp-0005hO-Nj; Thu, 07 Jun 2018 15:09:49 +0100
Received: from ben by deadeye with local (Exim 4.91)
        (envelope-from <ben@decadent.org.uk>)
        id 1fQvb2-0002qv-84; Thu, 07 Jun 2018 15:09:00 +0100
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org,
        "Herbert Xu" <herbert@gondor.apana.org.au>,
        "syzbot" <syzkaller@googlegroups.com>,
        "Stephan Mueller" <smueller@chronox.de>
Date:   Thu, 07 Jun 2018 15:05:21 +0100
Message-ID: <lsq.1528380321.231153676@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 120/410] crypto: af_alg - whitelist mask and type
In-Reply-To: <lsq.1528380320.647747352@decadent.org.uk>
X-SA-Exim-Connect-IP: 148.252.241.226
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Mueller <smueller@chronox.de>

commit bb30b8848c85e18ca7e371d0a869e94b3e383bdf upstream.

The user space interface allows specifying the type and mask field used
to allocate the cipher. Only a subset of the possible flags are intended
for user space. Therefore, white-list the allowed flags.

In case the user space caller uses at least one non-allowed flag, EINVAL
is returned.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: We don't have a CRYPTO_ALG_INTENRAL flag and
 didn't blacklist it here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -149,6 +149,7 @@ EXPORT_SYMBOL_GPL(af_alg_release_parent)
 
 static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 {
+	const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY;
 	struct sock *sk = sock->sk;
 	struct alg_sock *ask = alg_sk(sk);
 	struct sockaddr_alg *sa = (void *)uaddr;
@@ -156,6 +157,10 @@ static int alg_bind(struct socket *sock,
 	void *private;
 	int err;
 
+	/* If caller uses non-allowed flag, return error. */
+	if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed))
+		return -EINVAL;
+
 	if (sock->state == SS_CONNECTED)
 		return -EINVAL;