lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 5 Jan 2018 22:18:07 +1100
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     Eric Biggers <ebiggers3@...il.com>
Cc:     linux-crypto@...r.kernel.org,
        "David S . Miller" <davem@...emloft.net>,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        Eric Biggers <ebiggers@...gle.com>, stable@...r.kernel.org
Subject: Re: [PATCH] crypto: algapi - fix NULL dereference in
 crypto_remove_spawns()

On Fri, Dec 29, 2017 at 02:30:19PM -0600, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@...gle.com>
> 
> syzkaller triggered a NULL pointer dereference in crypto_remove_spawns()
> via a program that repeatedly and concurrently requests AEADs
> "authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)"
> through AF_ALG, where the hashes are requested as "untested"
> (CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this
> causes the template to be instantiated for every request).
> 
> Although AF_ALG users really shouldn't be able to request an "untested"
> algorithm, the NULL pointer dereference is actually caused by a
> longstanding race condition where crypto_remove_spawns() can encounter
> an instance which has had spawn(s) "grabbed" but hasn't yet been
> registered, resulting in ->cra_users still being NULL.
> 
> We probably should properly initialize ->cra_users earlier, but that
> would require updating many templates individually.  For now just fix
> the bug in a simple way that can easily be backported: make
> crypto_remove_spawns() treat a NULL ->cra_users list as empty.
> 
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Cc: stable@...r.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ