From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Michal Suchanek, Steffen Klassert, Eric Biggers, Herbert Xu
Subject: [PATCH 5.1 57/96] crypto: user - prevent operating on larval algorithms
Date: Mon, 8 Jul 2019 17:13:29 +0200
Message-Id: <20190708150529.593072087@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190708150526.234572443@linuxfoundation.org>
References: <20190708150526.234572443@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Biggers

commit 21d4120ec6f5b5992b01b96ac484701163917b63 upstream.

Michal Suchanek reported [1] that running the pcrypt_aead01 test from LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg(). The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.

The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to unregister isn't a real registered algorithm, but rather is a "test larval", which is a special "algorithm" added to the algorithms list while the real algorithm is still being tested. Larvals don't have initialized cra_users, so that causes the crash. Normally pcrypt_aead01 doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.

Everything else in the "crypto user configuration" API has this same bug too, i.e. it inappropriately allows operating on larval algorithms (though it doesn't look like the other cases can cause a crash).

Fix this by making crypto_alg_match() exclude larval algorithms.

[1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de
[2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c

Reported-by: Michal Suchanek
Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
Cc: # v3.2+
Cc: Steffen Klassert
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman

--- crypto/crypto_user_base.c | 3 +++ 1 file changed, 3 insertions(+) --- a/crypto/crypto_user_base.c +++ b/crypto/crypto_user_base.c @@ -56,6 +56,9 @@ struct crypto_alg *crypto_alg_match(stru list_for_each_entry(q, &crypto_alg_list, cra_list) { int match = 0; + if (crypto_is_larval(q)) + continue; + if ((q->cra_flags ^ p->cru_type) & p->cru_mask) continue;
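
Review bot: The new `if (crypto_is_larval(q)) continue;` at the top of the list_for_each_entry() loop in crypto_alg_match() has no comment, so the reason for skipping these entries (larvals sit on crypto_alg_list while the real algorithm is still being tested and do not have initialized cra_users) lives only in the commit message. A one-line comment above the check would keep a later cleanup from dropping it as redundant with the cra_flags/cru_mask filter that follows. The commit message also says the rest of the crypto user configuration API operated on larvals; those callers are not visible in this hunk, so it is worth confirming that every one of them looks algorithms up through crypto_alg_match() rather than walking crypto_alg_list on its own.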