Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp7151425ybi; Mon, 8 Jul 2019 15:40:56 -0700 (PDT) X-Google-Smtp-Source: APXvYqxDN/mHxRIFJm2j+1LSwumxKDEqk6EeY94sn7IlvI646x/70wUW9jdMDyAnd66q87sd+ugH X-Received: by 2002:a17:902:8490:: with SMTP id c16mr28397725plo.1.1562625656595; Mon, 08 Jul 2019 15:40:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562625656; cv=none; d=google.com; s=arc-20160816; b=kZvp35HtUik09s5L4OPGGUbPikTv2SU1Zf8zayj5dFAi065kcLrNZlkUle0gwRiOib 1TxawAdi6uwuiNEScX3+VdijiD2HKHG8enuM250MOI/WL6WXt+8b+rVkQ4/iJERBRVjT DGk5G9Smy8txUZCtzpepAJBeAiJa66arErVywz03GK0JKX38iTTe/eNNcOmFG5lPaacU 49jiJmeCZGGDFH9PW79m6C77nYdnDZjz4jLOfgfXcPij/5ZQynuEVQFDfQX9q6I8D6ZO qj/jcUPBltCNqhcy5+fJJGYeaw2wmKF13mTbaeT4OZM7Zp7I9zHGalQk68UsupJbEoLM hd9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=gG4gEbg+NfJpPblE8Xr7sI5ZyKtDtZ3lWbmCTO7X2Iw=; b=WQoo0jtTVcNAvAA35zl5o194euiWZ5qbN43Tjh0SvlFLcITgtxCDTR14116gAkX6E2 bMvGEDaxJnGtOxXgSaZ0N5KXoIMoA70OMJhW2Ya+d12Y2tK1XDkUmJXZF8lCkuIanD+M imSNs/Ipa7cgJ5IO1hQYgrEDf2I8YH3Mx8dQvfajYVZ2K9xIZwBJptXd4wcTJ8QnrAp9 v1Eb13BgvabV1ttq2ADyfg47lJXzIRwHdKUa0biFQJXj0m6gEoSMmn0t4lfjB1+6qkWZ j1UrBVsivtQ63uz8DdxN5rTMDv3Uz4l7dN5R62gIdtVjzgCJIOZ6CP5MFCNzfqVIvGe1 T2vA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=zbJ6+HI8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p93si709593pjp.66.2019.07.08.15.40.41; Mon, 08 Jul 2019 15:40:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=zbJ6+HI8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391161AbfGHPn1 (ORCPT + 99 others); Mon, 8 Jul 2019 11:43:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:51634 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388344AbfGHPYX (ORCPT ); Mon, 8 Jul 2019 11:24:23 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5314221743; Mon, 8 Jul 2019 15:24:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562599462; bh=XQyksg6BQprAUNPQBRwXdMzPOwjy+Jls0OH6AIq2J9M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zbJ6+HI8mtVam6hkveGTsj0eg24KyQ7n7y5oVdwjpRjzP/VLrbodw2OHHJ9meT6IQ VjhideNPWKJRWpfkQus8NWmlURjdAQTx0jd69167ci9M3U0U7cTtqLBnaTt2wIurdX fOIyyYu/xcLFxNGRgVmpMmX4Ls+zClvsCvFdOj8U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michal Suchanek , Steffen Klassert , Eric Biggers , Herbert Xu Subject: [PATCH 4.14 24/56] crypto: user - prevent operating on larval algorithms Date: Mon, 8 Jul 2019 17:13:16 +0200 Message-Id: <20190708150521.596980733@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190708150514.376317156@linuxfoundation.org> References: <20190708150514.376317156@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers commit 21d4120ec6f5b5992b01b96ac484701163917b63 upstream. Michal Suchanek reported [1] that running the pcrypt_aead01 test from LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg(). The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG. The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to unregister isn't a real registered algorithm, but rather is a "test larval", which is a special "algorithm" added to the algorithms list while the real algorithm is still being tested. Larvals don't have initialized cra_users, so that causes the crash. Normally pcrypt_aead01 doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted. Everything else in the "crypto user configuration" API has this same bug too, i.e. it inappropriately allows operating on larval algorithms (though it doesn't look like the other cases can cause a crash). Fix this by making crypto_alg_match() exclude larval algorithms. [1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de [2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c Reported-by: Michal Suchanek Fixes: a38f7907b926 ("crypto: Add userspace configuration API") Cc: # v3.2+ Cc: Steffen Klassert Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/crypto_user.c | 3 +++ 1 file changed, 3 insertions(+) --- a/crypto/crypto_user.c +++ b/crypto/crypto_user.c @@ -55,6 +55,9 @@ static struct crypto_alg *crypto_alg_mat list_for_each_entry(q, &crypto_alg_list, cra_list) { int match = 0; + if (crypto_is_larval(q)) + continue; + if ((q->cra_flags ^ p->cru_type) & p->cru_mask) continue;