crypto: af_alg - fix backlog handling
If a request is backlogged, its complete() handler will get called
twice: once with -EINPROGRESS, and once with the final error code.

af_alg's complete handler, unlike other users, does not handle the
-EINPROGRESS but instead always completes the completion that recvmsg()
is waiting on.  This can lead to a return to user space while the
request is still pending in the driver.  If userspace closes the sockets
before the requests are handled by the driver, this will lead to
use-after-frees (and potential crashes) in the kernel due to the tfm
having been freed.

The crashes can be easily reproduced (for example) by reducing the max
queue length in cryptod.c and running the following (from
http://www.chronox.de/libkcapi.html) on AES-NI capable hardware:

 $ while true; do kcapi -x 1 -e -c '__ecb-aes-aesni' \
    -k 00000000000000000000000000000000 \
    -p 00000000000000000000000000000000 >/dev/null & done

Cc: [email protected]
Signed-off-by: Rabin Vincent <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
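The double-callback contract described in the commit message, as a small userspace model added here for illustration (it is not kernel code and not part of this commit): a one-slot driver queue backlogs the second request, promotes it with a first callback of -EINPROGRESS, and only later delivers the real status. The pre-fix handler wakes the waiter on the first callback, while the request is still pending; the fixed handler ignores -EINPROGRESS. All struct and function names below (`async_request`, `driver_enqueue`, `run_scenario`, ...) are hypothetical stand-ins for the kernel's crypto_async_request, cryptd queue and af_alg_completion.

```c
/* Userspace model of the kernel crypto API backlog completion contract.
 * Added example, not kernel code; all names are hypothetical stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_QLEN 1 /* one active slot, so the second request is backlogged */

struct async_request;
typedef void (*complete_fn)(struct async_request *req, int err);

struct async_request {
	complete_fn complete;
	void *data;     /* the struct completion recvmsg() waits on */
	bool finished;  /* driver is done; tfm/socket may safely go away */
};

/* Stand-in for af_alg_completion. */
struct completion {
	int err;
	int wakeups;              /* how many times the waiter was completed */
	bool woken_while_pending; /* woken before the driver finished: the UAF window */
};

/* Simulated driver: one active slot plus an ordered backlog. */
struct driver {
	struct async_request *active[MAX_QLEN];
	int nactive;
	struct async_request *backlog[8];
	int nbacklog;
};

static void record(struct async_request *req, int err)
{
	struct completion *c = req->data;
	c->err = err;
	c->wakeups++;
	if (!req->finished)
		c->woken_while_pending = true;
}

/* Pre-fix behaviour: every callback completes the waiter. */
static void buggy_complete(struct async_request *req, int err)
{
	record(req, err);
}

/* Fixed behaviour: -EINPROGRESS only means "left the backlog", keep waiting. */
static void fixed_complete(struct async_request *req, int err)
{
	if (err == -EINPROGRESS)
		return;
	record(req, err);
}

/* -EINPROGRESS if queued, -EBUSY if the request was pushed to the backlog. */
static int driver_enqueue(struct driver *d, struct async_request *req)
{
	if (d->nactive < MAX_QLEN) {
		d->active[d->nactive++] = req;
		return -EINPROGRESS;
	}
	d->backlog[d->nbacklog++] = req;
	return -EBUSY;
}

/* Finish the oldest active request, then promote one backlogged request,
 * signalling the promotion with complete(-EINPROGRESS) as the kernel does. */
static void driver_run_one(struct driver *d)
{
	if (d->nactive == 0)
		return;
	struct async_request *req = d->active[0];
	for (int i = 1; i < d->nactive; i++)
		d->active[i - 1] = d->active[i];
	d->nactive--;
	req->finished = true;
	req->complete(req, 0); /* final status: the second (or only) callback */

	if (d->nbacklog > 0) {
		struct async_request *next = d->backlog[0];
		for (int i = 1; i < d->nbacklog; i++)
			d->backlog[i - 1] = d->backlog[i];
		d->nbacklog--;
		d->active[d->nactive++] = next;
		next->complete(next, -EINPROGRESS); /* first callback, request still pending */
	}
}

/* Submit two requests so the second is backlogged, drain the driver, and report
 * whether the second request's waiter was woken while it was still pending. */
static bool run_scenario(complete_fn handler, int *wakeups_out)
{
	struct driver d = {0};
	struct completion c1 = {0}, c2 = {0};
	struct async_request r1 = { .complete = handler, .data = &c1 };
	struct async_request r2 = { .complete = handler, .data = &c2 };

	driver_enqueue(&d, &r1); /* -EINPROGRESS */
	driver_enqueue(&d, &r2); /* -EBUSY: backlogged */
	while (d.nactive > 0)
		driver_run_one(&d);

	if (wakeups_out)
		*wakeups_out = c2.wakeups;
	return c2.woken_while_pending;
}

int main(void)
{
	int w;
	printf("buggy: woken while pending=%d wakeups=%d\n", run_scenario(buggy_complete, &w), w);
	printf("fixed: woken while pending=%d wakeups=%d\n", run_scenario(fixed_complete, &w), w);
	return 0;
}
```

With the pre-fix handler the backlogged request's waiter is completed twice and the first wake-up arrives while the driver still holds the request, which is the window in which userspace can close the socket and free the tfm underneath it; with the early return only the final callback completes the waiter.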
vwax authored and herbertx committed Dec 22, 2014
1 parent 97bf6af commit 7e77bde
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions crypto/af_alg.c
Expand Up @@ -455,6 +455,9 @@ void af_alg_complete(struct crypto_async_request *req, int err)
{
struct af_alg_completion *completion = req->data;

if (err == -EINPROGRESS)
return;

completion->err = err;
complete(&completion->completion);
}
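Review bot: the bare `if (err == -EINPROGRESS) return;` at the top of af_alg_complete() needs a one-line comment, otherwise it reads like an error being swallowed rather than the first of the two callbacks a backlogged request receives. Stating that -EINPROGRESS only means the request has left the backlog and that recvmsg() must keep waiting for the final status, e.g. `/* Backlogged request now queued; wait for the real completion. */` above the check, would make the intent clear to the next reader of this handler.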
