diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2020-06-08 16:48:43 +1000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-07-09 09:37:52 +0200 |
commit | de09f0f762f50cb3b0c73b87c303f327aea0aab7 (patch) | |
tree | 6a3557f7919e5a2f24a5606580d116d614a8f2bd /crypto/proc.c | |
parent | 83d90567ed59d5d79222e7418187d7ddb0b5fc0d (diff) | |
download | linux-crypto-de09f0f762f50cb3b0c73b87c303f327aea0aab7.tar.gz linux-crypto-de09f0f762f50cb3b0c73b87c303f327aea0aab7.zip |
crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock()
commit 01a078cc522b6e76f451f600260dfcd45b52c0ae upstream.
The locking in af_alg_release_parent is broken as the BH socket
lock can only be taken if there is a code-path to handle the case
where the lock is owned by process-context. Instead of adding
such handling, we can fix this by changing the ref counts to
atomic_t.
This patch also modifies the main refcnt to include both normal
and nokey sockets. This way we don't have to fudge the nokey
ref count when a socket changes from nokey to normal.
Credits go to Mauricio Faria de Oliveira who diagnosed this bug
and sent a patch for it:
https://lore.kernel.org/linux-crypto/20200605161657.535043-1-mfo@canonical.com/
Reported-by: Brian Moyles <bmoyles@netflix.com>
Reported-by: Mauricio Faria de Oliveira <mfo@canonical.com>
Fixes: a2ce15b668c6 ("crypto: af_alg - Use bh_lock_sock in...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'crypto/proc.c')
0 files changed, 0 insertions, 0 deletions