From: Eric Biggers
To: linux-crypto@vger.kernel.org, Herbert Xu
Cc: chetjain@in.ibm.com, "David S . Miller", linux-kernel@vger.kernel.org, Michal Suchanek, stable@vger.kernel.org, Steffen Klassert
Subject: [PATCH] crypto: user - prevent operating on larval algorithms
Date: Tue, 2 Jul 2019 14:17:00 -0700
Message-Id: <20190702211700.16526-1-ebiggers@kernel.org>
X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog
In-Reply-To: <20190701153154.1569c2dc@kitsune.suse.cz>
References: <20190701153154.1569c2dc@kitsune.suse.cz>

From: Eric Biggers

Michal Suchanek reported [1] that running the pcrypt_aead01 test from LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg(). The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.

The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to unregister isn't a real registered algorithm, but rather is a "test larval", which is a special "algorithm" added to the algorithms list while the real algorithm is still being tested. Larvals don't have initialized cra_users, so that causes the crash. Normally pcrypt_aead01 doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.

Everything else in the "crypto user configuration" API has this same bug too, i.e. it inappropriately allows operating on larval algorithms (though it doesn't look like the other cases can cause a crash).

Fix this by making crypto_alg_match() exclude larval algorithms.

[1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de
[2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c

Reported-by: Michal Suchanek
Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
Cc: # v3.2+
Cc: Steffen Klassert
Signed-off-by: Eric Biggers
--- crypto/crypto_user_base.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/crypto_user_base.c b/crypto/crypto_user_base.c index e48da3b75c71d4..a89fcc530092a8 100644 --- a/crypto/crypto_user_base.c +++ b/crypto/crypto_user_base.c @@ -56,6 +56,9 @@ struct crypto_alg *crypto_alg_match(struct crypto_user_alg *p, int exact) list_for_each_entry(q, &crypto_alg_list, cra_list) { int match = 0; + if (crypto_is_larval(q)) + continue; + if ((q->cra_flags ^ p->cru_type) & p->cru_mask) continue; -- 2.22.0.410.gd8fdbe21b5-goog
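
Review bot: The added `if (crypto_is_larval(q)) continue;` at the top of the list_for_each_entry() loop in crypto_alg_match() carries no comment, and the reason for skipping these entries is only in the commit message (a test larval sits on crypto_alg_list while the real algorithm is being tested and has no initialized cra_users). A one-line comment above the check saying that larvals are placeholders and must not be handed to the crypto user configuration operations would keep the check from being dropped or reordered later. Because the filter sits in the shared lookup, every caller now treats an algorithm that is still under test as not matching, so it would also help for the commit message to state what a request naming such an algorithm gets back, in particular a CRYPTO_MSG_DELALG issued after an interrupted CRYPTO_MSG_NEWALG, which is the sequence the report describes.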