Date: Sat, 18 Apr 2020 13:18:30 -0700 (PDT)
Message-Id: <20200418.131830.1251168077969815139.davem@davemloft.net>
To: xiyuyang19@fudan.edu.cn
Cc: jmaloy@redhat.com, ying.xue@windriver.com, kuba@kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, yuanxzhang@fudan.edu.cn, kjlu@umn.edu, tanxin.ctf@gmail.com
Subject: Re: [PATCH] tipc: Fix potential tipc_aead refcnt leak in tipc_crypto_rcv
From: David Miller
In-Reply-To: <1586939996-69937-1-git-send-email-xiyuyang19@fudan.edu.cn>

From: Xiyu Yang
Date: Wed, 15 Apr 2020 16:39:56 +0800

> tipc_crypto_rcv() invokes tipc_aead_get(), which returns a reference of
> the tipc_aead object to "aead" with increased refcnt.
>
> When tipc_crypto_rcv() returns, the original local reference of "aead"
> becomes invalid, so the refcount should be decreased to keep refcount
> balanced.
>
> The issue happens in one error path of tipc_crypto_rcv(). When TIPC
> message decryption status is EINPROGRESS or EBUSY, the function forgets
> to decrease the refcnt increased by tipc_aead_get() and causes a refcnt
> leak.
>
> Fix this issue by calling tipc_aead_put() on the error path when TIPC
> message decryption status is EINPROGRESS or EBUSY.
>
> Signed-off-by: Xiyu Yang
> Signed-off-by: Xin Tan

Applied and queued up for -stable.

This code is harder to audit than it needs to be due to the special
casing of things like -ENOKEY etc. It should rather explicitly handle
the NULL test on aead in this top-level piece of code, which would make
the validation of aead reference counting much more explicit and clear.
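
A user-space model of the error path described in the quoted commit message, added here as an illustration; it is not the kernel's code or the patch under discussion. `struct obj`, `do_work`, `rcv_leaky`, `rcv_balanced` and `ref_delta` are hypothetical names, and the model assumes that nothing else (such as an asynchronous completion handler) drops the caller's reference.

```c
#include <errno.h>
#include <stdio.h>

/* Toy refcounted object standing in for tipc_aead (hypothetical model). */
struct obj { int refcnt; };

static struct obj *obj_get(struct obj *o) { if (o) o->refcnt++; return o; }
static void obj_put(struct obj *o) { if (o) o->refcnt--; }

/* Stand-in for the decrypt step: hands back the status under test. */
static int do_work(struct obj *o, int status) { (void)o; return status; }

/* Before: the async statuses return early and skip the put. */
static int rcv_leaky(struct obj *key, int status)
{
    struct obj *o = obj_get(key);
    if (!o)
        return -ENOKEY;
    int rc = do_work(o, status);
    if (rc == -EINPROGRESS || rc == -EBUSY)
        return rc;      /* reference taken above is never dropped */
    obj_put(o);
    return rc;
}

/* After: NULL is tested once up front, then one put covers every status. */
static int rcv_balanced(struct obj *key, int status)
{
    struct obj *o = obj_get(key);
    if (!o)
        return -ENOKEY;
    int rc = do_work(o, status);
    obj_put(o);
    return rc;
}

/* Net refcount change across one call; 0 means get/put are balanced. */
static int ref_delta(int (*rcv)(struct obj *, int), int status)
{
    struct obj o = { .refcnt = 1 };
    rcv(&o, status);
    return o.refcnt - 1;
}

int main(void)
{
    printf("leaky: %d balanced: %d\n", ref_delta(rcv_leaky, -EINPROGRESS), ref_delta(rcv_balanced, -EINPROGRESS));
    return 0;
}
```

Running `ref_delta` over every status a function can return is a cheap way to audit a get/put pair: any non-zero delta marks a path whose reference ownership needs an explicit explanation.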