Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp1187920ybn;
        Wed, 2 Oct 2019 12:09:26 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzc4yOXxDOZsUM+QrYTkGURkNq1vR/M/Pv4MrgoWgbn9SHcLamHmpSTBu6odCX0/usoHrMV
X-Received: by 2002:a17:906:fc20:: with SMTP id ov32mr4529148ejb.22.1570043365930;
        Wed, 02 Oct 2019 12:09:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570043365; cv=none;
        d=google.com; s=arc-20160816;
        b=jR77xO8lvtYtIYKUYf/OPokCY/J5j9KYOYtYHHVUzIYoeOYxo/ioawDQDXuQiccwXy
         L4TxB/6yQM7bayIHMmHChaI9YsOePy0PJwzG21+7l0ka7gJQIM0jxWb6kUIidi9aEH6U
         ma//7mPfn9aQLp0N8ujX2Mt3DowNGx1cTuLNvfGL2cMwE8xMDWLr4e5ItvJ6QtWBQ+qE
         Nn14NIpOzhjyePlSrGwjlGjjDZUg4Xw5uSYD8PYD3wCgZ9wAl+cS7HOy+Jnc/M7aRygj
         +Pc2ysTOtqDuOjCQrduNUnTK7o2sUsambhCUmBs4AdFZ1M43HNa4BzhSqyaH+Slpny7j
         NBDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition;
        bh=kYeFLziU/wsvMbMC0YsUpAfsVtJrbcECi/YZkLSp1fs=;
        b=P22zWfiXD7UgFzSXzweOfTfn928cMaQgVvD6Pc1b5BDhIII7wAggo8ypuBwVY/ueOH
         oAydrpa2pqxCghF0bwgwnW0vwERYZQBxORetyhzwWpt0k9KtP0xTIAk8aZMNNbx/NC5+
         /Cs2Og/VEeIDT6o+46Rm3AvGngxpoZ1fmPI3fr9qj2B3/fV/AMivCv4TXWEOAgwJdoIb
         vdzPt0rcf0Z5C7VyZWzhIpxk4brp173WA5WlpPModBlnqU37hjZAVHHOix8sV8QdBt+M
         WnEf7gbVkk/ctcVXRrWvHwoncg9b9NCfc4t0jXQIW1xS4Cc5QZ8/T8tdKqQCpsb7A/mj
         dc8w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h17si10606ejt.173.2019.10.02.12.09.01;
        Wed, 02 Oct 2019 12:09:25 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729475AbfJBTIb (ORCPT <rfc822;gklkml16@gmail.com> + 99 others);
        Wed, 2 Oct 2019 15:08:31 -0400
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35840 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1729309AbfJBTIQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Oct 2019 15:08:16 -0400
Received: from [192.168.4.242] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.89)
        (envelope-from <ben@decadent.org.uk>)
        id 1iFjyt-00035t-SP; Wed, 02 Oct 2019 20:08:12 +0100
Received: from ben by deadeye with local (Exim 4.92.1)
        (envelope-from <ben@decadent.org.uk>)
        id 1iFjyq-0003hN-UQ; Wed, 02 Oct 2019 20:08:08 +0100
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
        "Michal Suchanek" <msuchanek@suse.de>,
        "Herbert Xu" <herbert@gondor.apana.org.au>,
        "Eric Biggers" <ebiggers@google.com>,
        "Steffen Klassert" <steffen.klassert@secunet.com>
Date:   Wed, 02 Oct 2019 20:06:51 +0100
Message-ID: <lsq.1570043211.444788492@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
X-Patchwork-Hint: ignore
Subject: [PATCH 3.16 87/87] crypto: user - prevent operating on larval
 algorithms
In-Reply-To: <lsq.1570043210.379046399@decadent.org.uk>
X-SA-Exim-Connect-IP: 192.168.4.242
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.75-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 21d4120ec6f5b5992b01b96ac484701163917b63 upstream.

Michal Suchanek reported [1] that running the pcrypt_aead01 test from
LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of
alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg().
The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.

The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to
unregister isn't a real registered algorithm, but rather is a "test
larval", which is a special "algorithm" added to the algorithms list
while the real algorithm is still being tested.  Larvals don't have
initialized cra_users, so that causes the crash.  Normally pcrypt_aead01
doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm
to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.

Everything else in the "crypto user configuration" API has this same bug
too, i.e. it inappropriately allows operating on larval algorithms
(though it doesn't look like the other cases can cause a crash).

Fix this by making crypto_alg_match() exclude larval algorithms.

[1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de
[2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c

Reported-by: Michal Suchanek <msuchanek@suse.de>
Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/crypto_user.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -53,6 +53,9 @@ static struct crypto_alg *crypto_alg_mat
 	list_for_each_entry(q, &crypto_alg_list, cra_list) {
 		int match = 0;
 
+		if (crypto_is_larval(q))
+			continue;
+
 		if ((q->cra_flags ^ p->cru_type) & p->cru_mask)
 			continue;