author Stephan Mueller <smueller@chronox.de> 2017-11-29 12:02:23 +0100
committer Herbert Xu <herbert@gondor.apana.org.au> 2017-12-11 22:29:54 +1100
commit 46b8c1b6b10d1eeb0373df4aca32e631e13d2473
tree 88b11a30d2618c203acc42724167d2e4d82c0054 /crypto/algif_skcipher.c
parent bb3b8b211f88eb46571b8b705bb9a6290ef54b25
crypto: af_alg - wait for data at beginning of recvmsg
The wait for data is a non-atomic operation that can sleep and therefore potentially release the socket lock. The release of the socket lock allows another thread to modify the context data structure. The waiting operation for new data therefore must be called at the beginning of recvmsg. This prevents a race condition where checks of the members of the context data structure are performed by recvmsg while there is a potential for modification of these values.

Fixes: 8a15a4bf1947 ("crypto: algif_skcipher - overhaul memory management")
Fixes: 0c2a2d0aa6e4 ("crypto: algif_aead - overhaul memory management")
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # v4.14+
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/algif_skcipher.c')
-rw-r--r-- crypto/algif_skcipher.c 6
1 files changed, 6 insertions, 0 deletions
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 30cff827..6fb595cd 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -72,6 +72,12 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
int err = 0;
size_t len = 0;
+ if (!ctx->used) {
+ err = af_alg_wait_for_data(sk, flags);
+ if (err)
+ return err;
+ }
+
/* Allocate cipher request for current operation. */
areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
crypto_skcipher_reqsize(tfm));
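Review bot: The new `if (!ctx->used)` block at the top of `_skcipher_recvmsg` carries no comment explaining why the wait has to sit ahead of `af_alg_alloc_areq()`, so the ordering constraint lives only in the commit message. A short comment above the block, stating that `af_alg_wait_for_data()` can sleep and drop the socket lock and must therefore run before any member of `ctx` is checked, would keep a later refactor from moving the wait back down and reopening the race. Two things the visible lines do not settle and are worth confirming in the full file: that no earlier wait on `ctx->used` remains further down in this function (the diffstat shows 6 insertions and 0 deletions, so nothing was removed here), and that callers are fine with the early `return err` happening before any request has been allocated. The second `Fixes:` tag names algif_aead, which this view (limited to `crypto/algif_skcipher.c`) does not show; the same ordering should be checked there.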