diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2020-06-08 16:48:43 +1000 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2020-06-18 17:09:54 +1000 |
commit | 34c86f4c4a7be3b3e35aa48bd18299d4c756064d (patch) | |
tree | f228827d837f16799bbab27d118d1f1fd373c799 /crypto/algif_hash.c | |
parent | 819966c06b759022e9932f328284314d9272b9f3 (diff) | |
download | lwn-34c86f4c4a7be3b3e35aa48bd18299d4c756064d.tar.gz lwn-34c86f4c4a7be3b3e35aa48bd18299d4c756064d.zip |
crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock()
The locking in af_alg_release_parent is broken as the BH socket
lock can only be taken if there is a code-path to handle the case
where the lock is owned by process-context. Instead of adding
such handling, we can fix this by changing the ref counts to
atomic_t.
This patch also modifies the main refcnt to include both normal
and nokey sockets. This way we don't have to fudge the nokey
ref count when a socket changes from nokey to normal.
Credits go to Mauricio Faria de Oliveira who diagnosed this bug
and sent a patch for it:
https://lore.kernel.org/linux-crypto/20200605161657.535043-1-mfo@canonical.com/
Reported-by: Brian Moyles <bmoyles@netflix.com>
Reported-by: Mauricio Faria de Oliveira <mfo@canonical.com>
Fixes: 37f96694cf73 ("crypto: af_alg - Use bh_lock_sock in...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/algif_hash.c')
-rw-r--r-- | crypto/algif_hash.c | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index da1ffa4f7f8d..e71727c25a7d 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -301,7 +301,7 @@ static int hash_check_key(struct socket *sock) struct alg_sock *ask = alg_sk(sk); lock_sock(sk); - if (ask->refcnt) + if (!atomic_read(&ask->nokey_refcnt)) goto unlock_child; psk = ask->parent; @@ -313,11 +313,8 @@ static int hash_check_key(struct socket *sock) if (crypto_ahash_get_flags(tfm) & CRYPTO_TFM_NEED_KEY) goto unlock; - if (!pask->refcnt++) - sock_hold(psk); - - ask->refcnt = 1; - sock_put(psk); + atomic_dec(&pask->nokey_refcnt); + atomic_set(&ask->nokey_refcnt, 0); err = 0; |