diff options
| author |   Herbert Xu <herbert@gondor.apana.org.au> | 2020-06-08 16:48:43 +1000 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2020-06-18 17:09:54 +1000 |
| commit | 34c86f4c4a7be3b3e35aa48bd18299d4c756064d (patch) | |
| tree | f228827d837f16799bbab27d118d1f1fd373c799 /include/crypto | |
| parent | crypto: drbg - always try to free Jitter RNG instance (diff) | |
| download | wireguard-linux-34c86f4c4a7be3b3e35aa48bd18299d4c756064d.tar.xz wireguard-linux-34c86f4c4a7be3b3e35aa48bd18299d4c756064d.zip | |
crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock()
The locking in af_alg_release_parent is broken as the BH socket
lock can only be taken if there is a code-path to handle the case
where the lock is owned by process-context. Instead of adding
such handling, we can fix this by changing the ref counts to
atomic_t.
This patch also modifies the main refcnt to include both normal
and nokey sockets. This way we don't have to fudge the nokey
ref count when a socket changes from nokey to normal.
Credits go to Mauricio Faria de Oliveira who diagnosed this bug
and sent a patch for it:
https://lore.kernel.org/linux-crypto/20200605161657.535043-1-mfo@canonical.com/
Reported-by: Brian Moyles <bmoyles@netflix.com>
Reported-by: Mauricio Faria de Oliveira <mfo@canonical.com>
Fixes: 37f96694cf73 ("crypto: af_alg - Use bh_lock_sock in...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'include/crypto')
| -rw-r--r-- | include/crypto/if_alg.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 56527c85d122..088c1ded2714 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -29,8 +29,8 @@ struct alg_sock { struct sock *parent; - unsigned int refcnt; - unsigned int nokey_refcnt; + atomic_t refcnt; + atomic_t nokey_refcnt; const struct af_alg_type *type; void *private; |