If an AF_ALG socket bound to a hashing algorithm is sent a zero-length
message with MSG_MORE set and then recvmsg() is called without first
sending another message without MSG_MORE set to end the operation, an oops
will occur because the crypto context and result doesn't now get set up in
advance because hash_sendmsg() now defers that as long as possible in the
hope that it can use crypto_ahash_digest() - and then because the message
is zero-length, it the data wrangling loop is skipped.
Fix this by handling zero-length sends at the top of the hash_sendmsg()
function. If we're not continuing the previous sendmsg(), then just ignore
the send (hash_recvmsg() will invent something when called); if we are
continuing, then we finalise the request at this point if MSG_MORE is not
set to get any error here, otherwise the send is of no effect and can be
ignored.
Whilst we're at it, remove the code to create a kvmalloc'd scatterlist if
we get more than ALG_MAX_PAGES - this shouldn't happen.
Fixes: c662b043cdca ("crypto: af_alg/hash: Support MSG_SPLICE_PAGES")
Reported-by: [email protected]
Link: https://lore.kernel.org/r/[email protected]/
Reported-by: [email protected]
Link: https://lore.kernel.org/r/[email protected]/
Reported-by: [email protected]
Link: https://lore.kernel.org/r/[email protected]/
Reported-by: [email protected]
Link: https://lore.kernel.org/r/[email protected]/
Signed-off-by: David Howells <[email protected]>
Reported-and-tested-by: [email protected]
cc: Herbert Xu <[email protected]>
cc: "David S. Miller" <[email protected]>
cc: Eric Dumazet <[email protected]>
cc: Jakub Kicinski <[email protected]>
cc: Paolo Abeni <[email protected]>
cc: Jens Axboe <[email protected]>
cc: Matthew Wilcox <[email protected]>
cc: [email protected]
cc: [email protected]
---
crypto/algif_hash.c | 38 +++++++++++++++++++++++++-------------
1 file changed, 25 insertions(+), 13 deletions(-)
diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index dfb048cefb60..0ab43e149f0e 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -76,13 +76,30 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
lock_sock(sk);
if (!continuing) {
- if ((msg->msg_flags & MSG_MORE))
- hash_free_result(sk, ctx);
+ /* Discard a previous request that wasn't marked MSG_MORE. */
+ hash_free_result(sk, ctx);
+ if (!msg_data_left(msg))
+ goto done; /* Zero-length; don't start new req */
need_init = true;
+ } else if (!msg_data_left(msg)) {
+ /*
+ * No data - finalise the prev req if MSG_MORE so any error
+ * comes out here.
+ */
+ if (!(msg->msg_flags & MSG_MORE)) {
+ err = hash_alloc_result(sk, ctx);
+ if (err)
+ goto unlock_free;
+ ahash_request_set_crypt(&ctx->req, NULL,
+ ctx->result, 0);
+ err = crypto_wait_req(crypto_ahash_final(&ctx->req),
+ &ctx->wait);
+ if (err)
+ goto unlock_free;
+ }
+ goto done_more;
}
- ctx->more = false;
-
while (msg_data_left(msg)) {
ctx->sgl.sgt.sgl = ctx->sgl.sgl;
ctx->sgl.sgt.nents = 0;
@@ -93,15 +110,6 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
if (npages == 0)
goto unlock_free;
- if (npages > ARRAY_SIZE(ctx->sgl.sgl)) {
- err = -ENOMEM;
- ctx->sgl.sgt.sgl =
- kvmalloc(array_size(npages,
- sizeof(*ctx->sgl.sgt.sgl)),
- GFP_KERNEL);
- if (!ctx->sgl.sgt.sgl)
- goto unlock_free;
- }
sg_init_table(ctx->sgl.sgl, npages);
ctx->sgl.need_unpin = iov_iter_extract_will_pin(&msg->msg_iter);
@@ -150,7 +158,9 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
af_alg_free_sg(&ctx->sgl);
}
+done_more:
ctx->more = msg->msg_flags & MSG_MORE;
+done:
err = 0;
unlock:
release_sock(sk);
@@ -158,6 +168,8 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
unlock_free:
af_alg_free_sg(&ctx->sgl);
+ hash_free_result(sk, ctx);
+ ctx->more = false;
goto unlock;
}
On Fri, Jun 16, 2023 at 12:10:32PM +0100, David Howells wrote:
> If an AF_ALG socket bound to a hashing algorithm is sent a zero-length
> message with MSG_MORE set and then recvmsg() is called without first
> sending another message without MSG_MORE set to end the operation, an oops
> will occur because the crypto context and result doesn't now get set up in
> advance because hash_sendmsg() now defers that as long as possible in the
> hope that it can use crypto_ahash_digest() - and then because the message
> is zero-length, it the data wrangling loop is skipped.
>
> Fix this by handling zero-length sends at the top of the hash_sendmsg()
> function. If we're not continuing the previous sendmsg(), then just ignore
> the send (hash_recvmsg() will invent something when called); if we are
> continuing, then we finalise the request at this point if MSG_MORE is not
> set to get any error here, otherwise the send is of no effect and can be
> ignored.
>
> Whilst we're at it, remove the code to create a kvmalloc'd scatterlist if
> we get more than ALG_MAX_PAGES - this shouldn't happen.
>
> Fixes: c662b043cdca ("crypto: af_alg/hash: Support MSG_SPLICE_PAGES")
> Reported-by: [email protected]
> Link: https://lore.kernel.org/r/[email protected]/
> Reported-by: [email protected]
> Link: https://lore.kernel.org/r/[email protected]/
> Reported-by: [email protected]
> Link: https://lore.kernel.org/r/[email protected]/
> Reported-by: [email protected]
> Link: https://lore.kernel.org/r/[email protected]/
> Signed-off-by: David Howells <[email protected]>
> Reported-and-tested-by: [email protected]
> cc: Herbert Xu <[email protected]>
> cc: "David S. Miller" <[email protected]>
> cc: Eric Dumazet <[email protected]>
> cc: Jakub Kicinski <[email protected]>
> cc: Paolo Abeni <[email protected]>
> cc: Jens Axboe <[email protected]>
> cc: Matthew Wilcox <[email protected]>
> cc: [email protected]
> cc: [email protected]
> ---
> crypto/algif_hash.c | 38 +++++++++++++++++++++++++-------------
> 1 file changed, 25 insertions(+), 13 deletions(-)
>
> diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
> index dfb048cefb60..0ab43e149f0e 100644
> --- a/crypto/algif_hash.c
> +++ b/crypto/algif_hash.c
> @@ -76,13 +76,30 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
>
> lock_sock(sk);
> if (!continuing) {
> - if ((msg->msg_flags & MSG_MORE))
> - hash_free_result(sk, ctx);
> + /* Discard a previous request that wasn't marked MSG_MORE. */
> + hash_free_result(sk, ctx);
Please revert this change as I explained in the other message.
> + if (!msg_data_left(msg))
> + goto done; /* Zero-length; don't start new req */
This is still broken in the case of a zero-length message with
MSG_MORE set. Here you will short-circuit out without ever calling
crypto_ahash_init. However, hash_recvmsg will directly call
crypto_ahash_final on this, which is undefined.
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Tue, Jun 20, 2023 at 08:42:15AM +0100, David Howells wrote:
>
> Not so. hash_recvmsg() will call crypto_ahash_init() first because ctx->more
> is false (hence why we came down this branch in hash_sendmsg()) and the result
> was released on the previous line (which you're objecting to). If it goes to
> the "done" label, it will skip setting ctx->more to true if MSG_MORE is
> passed.
I see, yes it should work.
> However, given you want sendmsg() to do the init->digest cycle on zero length
> data, I think we should revert to the previous version of the patch that makes
> a pass of the loop even with no data.
Let's get this fixed ASAP and we can refine it later.
Acked-by: Herbert Xu <[email protected]>
Thanks,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Tue, Jun 20, 2023 at 09:31:56AM +0100, David Howells wrote:
> Herbert Xu <[email protected]> wrote:
>
> > > However, given you want sendmsg() to do the init->digest cycle on zero length
> > > data, I think we should revert to the previous version of the patch that makes
> > > a pass of the loop even with no data.
> >
> > Let's get this fixed ASAP and we can refine it later.
> >
> > Acked-by: Herbert Xu <[email protected]>
>
> Um. Is that against this patch or the old version?
This is against v2 which started this thread.
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Herbert Xu <[email protected]> wrote:
> > However, given you want sendmsg() to do the init->digest cycle on zero length
> > data, I think we should revert to the previous version of the patch that makes
> > a pass of the loop even with no data.
>
> Let's get this fixed ASAP and we can refine it later.
>
> Acked-by: Herbert Xu <[email protected]>
Um. Is that against this patch or the old version?
David
Hello:
This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <[email protected]>:
On Fri, 16 Jun 2023 12:10:32 +0100 you wrote:
> If an AF_ALG socket bound to a hashing algorithm is sent a zero-length
> message with MSG_MORE set and then recvmsg() is called without first
> sending another message without MSG_MORE set to end the operation, an oops
> will occur because the crypto context and result doesn't now get set up in
> advance because hash_sendmsg() now defers that as long as possible in the
> hope that it can use crypto_ahash_digest() - and then because the message
> is zero-length, it the data wrangling loop is skipped.
>
> [...]
Here is the summary with links:
- [net-next,v2] crypto: af_alg/hash: Fix recvmsg() after sendmsg(MSG_MORE)
https://git.kernel.org/netdev/net-next/c/b6d972f68983
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html