crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock() - linux-crypto.git

diff options

author	Herbert Xu <herbert@gondor.apana.org.au>	2020-06-08 16:48:43 +1000
committer	Herbert Xu <herbert@gondor.apana.org.au>	2020-06-18 17:09:54 +1000
commit	01a078cc522b6e76f451f600260dfcd45b52c0ae (patch)
tree	3f8aa31fb6ff236a472cc16fb901770571c0da85 /crypto/hmac.c
parent	f4d7cabd9661612f3019866664addbc463854102 (diff)
download	linux-crypto-01a078cc522b6e76f451f600260dfcd45b52c0ae.tar.gz linux-crypto-01a078cc522b6e76f451f600260dfcd45b52c0ae.zip

crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock()

The locking in af_alg_release_parent is broken as the BH socket lock can only be taken if there is a code-path to handle the case where the lock is owned by process-context. Instead of adding such handling, we can fix this by changing the ref counts to atomic_t. This patch also modifies the main refcnt to include both normal and nokey sockets. This way we don't have to fudge the nokey ref count when a socket changes from nokey to normal. Credits go to Mauricio Faria de Oliveira who diagnosed this bug and sent a patch for it: https://lore.kernel.org/linux-crypto/20200605161657.535043-1-mfo@canonical.com/ Reported-by: Brian Moyles <bmoyles@netflix.com> Reported-by: Mauricio Faria de Oliveira <mfo@canonical.com> Fixes: a2ce15b668c6 ("crypto: af_alg - Use bh_lock_sock in...") Cc: <stable@vger.kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Diffstat (limited to 'crypto/hmac.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: