Message-ID: <6541596.TtyMCBNA0Q@positron.chronox.de>
Date: Sun, 08 Apr 2018 21:07:03 +0200
From: Stephan Müller <smueller@...onox.de>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Matthew Wilcox <willy@...radead.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
David Miller <davem@...emloft.net>,
linux-crypto@...r.kernel.org, Eric Biggers <ebiggers3@...il.com>,
syzbot <syzbot+75397ee3df5c70164154@...kaller.appspotmail.com>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
syzkaller-bugs@...glegroups.com, Al Viro <viro@...iv.linux.org.uk>
Subject: [PATCH] crypto: DRBG - guard uninstantiation by lock
On Sunday, 8 April 2018, 17:41:17 CEST, Dmitry Vyukov wrote:
Hi Dmitry,
>
> Hi,
>
> Here is config and kernel commit:
> https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/ntZPOZdcCAAJ
> You can also find compiler and image here if necessary:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md
>
> And note that the program needs to be compiled with -m32. The bug is
> probably not compat-specific, but the program injects fault into a
> particular malloc invocation and maybe malloc numbering is affected by
> compat path.
I am unable to reproduce the issue. But since you mention that you induce errors, I could see that the unlocking of the DRBG context is too soon.
Can you please check whether the attached patch fixes the issue?
Thanks
---8<---
In the error code path, the uninstantiation must be guarded by a lock to
ensure that the modification of the context is fully atomic.
Signed-off-by: Stephan Mueller <smueller@...onox.de>
Reported-by: syzkaller
---
crypto/drbg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..68c1949a253f 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
return ret;
free_everything:
- mutex_unlock(&drbg->drbg_mutex);
drbg_uninstantiate(drbg);
+ mutex_unlock(&drbg->drbg_mutex);
return ret;
}
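Review bot: at free_everything, drbg_uninstantiate(drbg) now runs with drbg->drbg_mutex held, which is only safe if drbg_uninstantiate() never takes drbg_mutex itself and every jump to free_everything arrives with the mutex already locked; neither is visible in this hunk. Please confirm both and say so in the commit message or in a short comment above the label. The message also states only that the context modification must be "fully atomic" without naming the concurrent path that could see the partially torn-down state, so it would help to describe that path. Since the issue could not be reproduced locally, consider using the syzbot address from the Cc list in the Reported-by tag instead of the bare "syzkaller" so the fix can be matched to the report and tested.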
--
2.14.3