crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock() - linux-crypto.git

diff options

author	Herbert Xu <herbert@gondor.apana.org.au>	2020-06-08 16:48:43 +1000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-07-09 09:37:52 +0200
commit	de09f0f762f50cb3b0c73b87c303f327aea0aab7 (patch)
tree	6a3557f7919e5a2f24a5606580d116d614a8f2bd /crypto/asymmetric_keys
parent	83d90567ed59d5d79222e7418187d7ddb0b5fc0d (diff)
download	linux-crypto-de09f0f762f50cb3b0c73b87c303f327aea0aab7.tar.gz linux-crypto-de09f0f762f50cb3b0c73b87c303f327aea0aab7.zip

crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock()

commit 01a078cc522b6e76f451f600260dfcd45b52c0ae upstream. The locking in af_alg_release_parent is broken as the BH socket lock can only be taken if there is a code-path to handle the case where the lock is owned by process-context. Instead of adding such handling, we can fix this by changing the ref counts to atomic_t. This patch also modifies the main refcnt to include both normal and nokey sockets. This way we don't have to fudge the nokey ref count when a socket changes from nokey to normal. Credits go to Mauricio Faria de Oliveira who diagnosed this bug and sent a patch for it: https://lore.kernel.org/linux-crypto/20200605161657.535043-1-mfo@canonical.com/ Reported-by: Brian Moyles <bmoyles@netflix.com> Reported-by: Mauricio Faria de Oliveira <mfo@canonical.com> Fixes: a2ce15b668c6 ("crypto: af_alg - Use bh_lock_sock in...") Cc: <stable@vger.kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'crypto/asymmetric_keys')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: