On Tue, Jul 02, 2019 at 02:17:00PM -0700, Eric Biggers wrote: > From: Eric Biggers <ebigg...@google.com> > > Michal Suchanek reported [1] that running the pcrypt_aead01 test from > LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of > alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg(). > The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG. > > The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to > unregister isn't a real registered algorithm, but rather is a "test > larval", which is a special "algorithm" added to the algorithms list > while the real algorithm is still being tested. Larvals don't have > initialized cra_users, so that causes the crash. Normally pcrypt_aead01 > doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm > to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted. > > Everything else in the "crypto user configuration" API has this same bug > too, i.e. it inappropriately allows operating on larval algorithms > (though it doesn't look like the other cases can cause a crash). > > Fix this by making crypto_alg_match() exclude larval algorithms. > > [1] https://lkml.kernel.org/r/20190625071624.27039-1-msucha...@suse.de > [2] > https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c > > Reported-by: Michal Suchanek <msucha...@suse.de> > Fixes: a38f7907b926 ("crypto: Add userspace configuration API") > Cc: <sta...@vger.kernel.org> # v3.2+ > Cc: Steffen Klassert <steffen.klass...@secunet.com> > Signed-off-by: Eric Biggers <ebigg...@google.com> > --- > crypto/crypto_user_base.c | 3 +++ > 1 file changed, 3 insertions(+)
Patch applied. Thanks. -- Email: Herbert Xu <herb...@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
