From patchwork Fri Dec 29 20:30:19 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10137383 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id D3CE060318 for ; Fri, 29 Dec 2017 20:31:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C4F742D2A1 for ; Fri, 29 Dec 2017 20:31:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B908A2D2CE; Fri, 29 Dec 2017 20:31:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 95DB62D2A1 for ; Fri, 29 Dec 2017 20:31:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751459AbdL2Ubi (ORCPT ); Fri, 29 Dec 2017 15:31:38 -0500 Received: from mail-io0-f195.google.com ([209.85.223.195]:38139 "EHLO mail-io0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751443AbdL2Ubh (ORCPT ); Fri, 29 Dec 2017 15:31:37 -0500 Received: by mail-io0-f195.google.com with SMTP id 87so37966822ior.5; Fri, 29 Dec 2017 12:31:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=ir6fbX4kTG5Jdp0tTU+vO3rVLe439LpjEKBY29YJat4=; b=kzCpMJ5P4HEOAyp2fbamTQOwIVIBYTgfiigaB+ZjJRnJvsTHG5BE+X3rOSu1uU1Baj katbcaNCK04MLI7brIiQo4GXlaurjwRzfZ2IJxhYuKaL36TNM+uZ4f+LZfftzQoZAXKm npYRxoBjgzmjIp2faXCZt70cA17WV8pwZwbEeN4ejpikqjpfYQ8I9Mv8cvgjEQ1W3ZSB +kx23IyUEQZMy9Wun5V4aHAA1SzfF//2/Tfq6RyjOYPgui0Hs5tYLpGPraFXBonEPg1h zNR7DKDgJ/jgSUtDZmlOz7tYsl189wLYKzdsOn1gnzxG4Ejh+tLFh6SsCrOqgJmY5Wuh dLvg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=ir6fbX4kTG5Jdp0tTU+vO3rVLe439LpjEKBY29YJat4=; b=rC1l2p6k5EYqh2Dpq6ZIXYhYg1feoq2diqMTSDwbtCmwlvVKioL/LWDkNg7CJesaib Rxo0Feejczn7Q5g9GqwEcJjWXaqJgifmziRTQVcZldjXdJLJHJM24SF/MHEaviUeeb5j e4eZDPrWpFkJjlgVzjQQtJEGlBPsjSIQE8vjszpg6msOZ5dAMv1NwMcJMcaWm1Nc3DYp qFYhM4r6uFb2TjKj0ajEoiB9u1HeV59xWUV1qYH1Ub38BiAO+iKb/0uLlbFxULmudYT9 8EbH7Cf6s94PpOAnAU+U4HRIJ1TSguBpBuOWQiJIw6HSax+rYOLv8cGf2TYJcASo5kIQ sTog== X-Gm-Message-State: AKGB3mLeTAxaf4mv1Z6IEAI4R1eDyvn4XZbijtt5k/qNQ7P1mHkbDhd5 BWr+D0FBzSMlJPvoTrKdn1XxAEwT X-Google-Smtp-Source: ACJfBovVJ0Q6iUgC1HdwbLBUGwHSG5kazluWh2rtvL4DnkLs9XZvpvpvlnpur7sRVwUjek/fzy6gqQ== X-Received: by 10.107.173.207 with SMTP id m76mr45995726ioo.215.1514579494888; Fri, 29 Dec 2017 12:31:34 -0800 (PST) Received: from zzz.Home (h184-60-19-231.mdsnwi.dsl.dynamic.tds.net. [184.60.19.231]) by smtp.gmail.com with ESMTPSA id 103sm11766669iot.4.2017.12.29.12.31.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 29 Dec 2017 12:31:34 -0800 (PST) From: Eric Biggers To: linux-crypto@vger.kernel.org, Herbert Xu Cc: "David S . Miller" , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Eric Biggers , stable@vger.kernel.org Subject: [PATCH] crypto: algapi - fix NULL dereference in crypto_remove_spawns() Date: Fri, 29 Dec 2017 14:30:19 -0600 Message-Id: <20171229203019.1413-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.1 In-Reply-To: <001a1141c43ad30ccf055efb76ed@google.com> References: <001a1141c43ad30ccf055efb76ed@google.com> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers syzkaller triggered a NULL pointer dereference in crypto_remove_spawns() via a program that repeatedly and concurrently requests AEADs "authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)" through AF_ALG, where the hashes are requested as "untested" (CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this causes the template to be instantiated for every request). Although AF_ALG users really shouldn't be able to request an "untested" algorithm, the NULL pointer dereference is actually caused by a longstanding race condition where crypto_remove_spawns() can encounter an instance which has had spawn(s) "grabbed" but hasn't yet been registered, resulting in ->cra_users still being NULL. We probably should properly initialize ->cra_users earlier, but that would require updating many templates individually. For now just fix the bug in a simple way that can easily be backported: make crypto_remove_spawns() treat a NULL ->cra_users list as empty. Reported-by: syzbot Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers --- crypto/algapi.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/crypto/algapi.c b/crypto/algapi.c index 9895cafcce7e..395b082d03a9 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -166,6 +166,18 @@ void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list, spawn->alg = NULL; spawns = &inst->alg.cra_users; + + /* + * We may encounter an unregistered instance here, since + * an instance's spawns are set up prior to the instance + * being registered. An unregistered instance will have + * NULL ->cra_users.next, since ->cra_users isn't + * properly initialized until registration. But an + * unregistered instance cannot have any users, so treat + * it the same as ->cra_users being empty. + */ + if (spawns->next == NULL) + break; } } while ((spawns = crypto_more_spawns(alg, &stack, &top, &secondary_spawns)));