From patchwork Wed Dec 30 10:58:58 2015
X-Patchwork-Submitter: Dmitry Vyukov
X-Patchwork-Id: 7932501
X-Patchwork-Delegate: herbert@gondor.apana.org.au
In-Reply-To: <20151230105300.GA10383@gondor.apana.org.au>
References: <20151230012436.GA8173@gondor.apana.org.au> <20151230105300.GA10383@gondor.apana.org.au>
From: Dmitry Vyukov
Date: Wed, 30 Dec 2015 11:58:58 +0100
Subject: Re: crypto: use-after-free in alg_bind
To: Herbert Xu
Cc: "David S. Miller", linux-crypto@vger.kernel.org, LKML, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet, syzkaller
X-Mailing-List: linux-crypto@vger.kernel.org

On Wed, Dec 30, 2015 at 11:53 AM, Herbert Xu wrote:
> On Wed, Dec 30, 2015 at 11:19:45AM +0100, Dmitry Vyukov wrote:
>>
>> This use-after-free does not reproduce on every run. It seems to be
>> triggered by some race. Try to run the program in a parallel loop.
>> I use stress tool for this:
>> https://github.com/golang/tools/blob/master/cmd/stress/stress.go
>> If you have Go toolchain installed, then the following will do:
>> $ go get golang.org/x/tools/cmd/stress
>> $ stress -p 16 ./a.out
>
> I've tried a few thousand instances of it but still no luck.
>>
>>
>> diff --git a/crypto/af_alg.c b/crypto/af_alg.c
>> index a8e7aa3..82a7dcd 100644
>
> There are a few missing hunks in your patch and the patch to
> if_alg.h is missing.
>
> So please start with the current crypto tree and then apply the
> latest version (v2) of "crypto: af_alg - Disallow bind/setkey/...
> after accept(2)" and try again.

I forgot to diff include/crypto/if_alg.h, but the changes are there
(otherwise all references to refcnt would not compile). Also I moved
ask->refcnt checks to alg_setsockopt to fix the deadlock, I believe
that's the missing chunks you refer to. I can retest if you wish, but
I don't think that my changes can affect the reported use-after-free.
Do you?

diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 018afb2..589716f 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -30,6 +30,8 @@ struct alg_sock { struct sock *parent; + unsigned int refcnt; + const struct af_alg_type *type; void *private; }; @@ -67,6 +69,7 @@ int af_alg_register_type(const struct af_alg_type *type); int af_alg_unregister_type(const struct af_alg_type *type); int af_alg_release(struct socket *sock); +void af_alg_release_parent(struct sock *sk); int af_alg_accept(struct sock *sk, struct socket *newsock); int af_alg_make_sg(struct af_alg_sgl *sgl, struct iov_iter *iter, int len); @@ -83,11 +86,6 @@ static inline struct alg_sock *alg_sk(struct sock *sk) return (struct alg_sock *)sk; } -static inline void af_alg_release_parent(struct sock *sk) -{ - sock_put(alg_sk(sk)->parent); -} - static inline void af_alg_init_completion(struct af_alg_completion *completion) { init_completion(&completion->completion);
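Review bot: in the first hunk (struct alg_sock, @@ -30,6 +30,8 @@) the new `unsigned int refcnt;` member has no comment saying what it counts or which lock serialises its updates; the thread says the field is checked from alg_setsockopt and bind and must change on accept/release, so a plain integer is only safe if every reader and writer holds the same lock (the parent's socket lock is the natural choice). Please document that next to the field, e.g. `unsigned int refcnt; /* accepted children; protected by the parent's sock lock */`, or make it an atomic_t if any update can happen without that lock.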
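Review bot: in the second hunk (@@ -67,6 +69,7 @@) `void af_alg_release_parent(struct sock *sk);` turns a previously static inline helper into an out-of-line function, so the definition in af_alg.c must be exported (EXPORT_SYMBOL_GPL) for the algif_* modules that call it. The af_alg.c side is not included in this mail (the reply only says those hunks exist), so the export and the refcnt-based logic cannot be checked from this posting alone; please resend the complete patch so both halves can be reviewed together.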
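Review bot: in the third hunk (@@ -83,11 +86,6 @@) the removed inline unconditionally did `sock_put(alg_sk(sk)->parent);`; the replacement must still drop that parent reference on every path the old callers relied on, or the parent sock is leaked, and the commit message (absent from this mail) should state what the refcnt-aware version does differently, since the whole point of the series is to keep the parent alive across bind/setkey after accept(2).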