lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190703143057.miqgc7blhjjxjmee@gondor.apana.org.au>
Date:   Wed, 3 Jul 2019 22:30:57 +0800
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     Eric Biggers <ebiggers@...nel.org>
Cc:     linux-crypto@...r.kernel.org, chetjain@...ibm.com,
        "David S . Miller" <davem@...emloft.net>,
        linux-kernel@...r.kernel.org, Michal Suchanek <msuchanek@...e.de>,
        stable@...r.kernel.org,
        Steffen Klassert <steffen.klassert@...unet.com>
Subject: Re: [PATCH] crypto: user - prevent operating on larval algorithms

On Tue, Jul 02, 2019 at 02:17:00PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@...gle.com>
> 
> Michal Suchanek reported [1] that running the pcrypt_aead01 test from
> LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of
> alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg().
> The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.
> 
> The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to
> unregister isn't a real registered algorithm, but rather is a "test
> larval", which is a special "algorithm" added to the algorithms list
> while the real algorithm is still being tested.  Larvals don't have
> initialized cra_users, so that causes the crash.  Normally pcrypt_aead01
> doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm
> to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.
> 
> Everything else in the "crypto user configuration" API has this same bug
> too, i.e. it inappropriately allows operating on larval algorithms
> (though it doesn't look like the other cases can cause a crash).
> 
> Fix this by making crypto_alg_match() exclude larval algorithms.
> 
> [1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de
> [2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c
> 
> Reported-by: Michal Suchanek <msuchanek@...e.de>
> Fixes: a38f7907b926 ("crypto: Add userspace configuration API")
> Cc: <stable@...r.kernel.org> # v3.2+
> Cc: Steffen Klassert <steffen.klassert@...unet.com>
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
> ---
>  crypto/crypto_user_base.c | 3 +++
>  1 file changed, 3 insertions(+)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ