From: PanBian <bianpan2016@163.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] crypto: do not free algorithm before using
Date: Fri, 23 Nov 2018 09:05:55 +0800
Message-ID: <20181123010555.GA83154@bp>
In-Reply-To: <20181122144441.tkfmrq3lzibq2g3y@gondor.apana.org.au>

On Thu, Nov 22, 2018 at 10:44:41PM +0800, Herbert Xu wrote:
> On Thu, Nov 22, 2018 at 06:00:16PM +0800, Pan Bian wrote:
> > In multiple functions, the algorithm fields are read after its reference
> > is dropped through crypto_mod_put. In this case, the algorithm memory
> > may be freed, resulting in use-after-free bugs. This patch delays the
> > put operation until the algorithm is never used.
> >
> > Signed-off-by: Pan Bian <bianpan2016@163.com>
>
> I don't think this patch is needed.
>
> > ---
> > crypto/cbc.c | 6 ++++--
> > crypto/cfb.c | 6 ++++--
> > crypto/pcbc.c | 6 ++++--
> > 3 files changed, 12 insertions(+), 6 deletions(-)
> >
> > diff --git a/crypto/cbc.c b/crypto/cbc.c
> > index b761b1f..dd5f332 100644
> > --- a/crypto/cbc.c
> > +++ b/crypto/cbc.c
> > @@ -140,9 +140,8 @@ static int crypto_cbc_create(struct crypto_template *tmpl, struct rtattr **tb)
> > spawn = skcipher_instance_ctx(inst);
> > err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst),
> > CRYPTO_ALG_TYPE_MASK);
> > - crypto_mod_put(alg);
> > if (err)
> > - goto err_free_inst;
> > + goto err_put_alg;
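
Review bot: With crypto_mod_put(alg) removed right after crypto_init_spawn(), the lines quoted here show neither a put on the success path nor the definition of the new err_put_alg label, so it cannot be checked from this part of the hunk that alg is put exactly once on both the success and the failure path. Please confirm that the err_put_alg path still frees inst as err_free_inst did, and name in the commit message which alg fields crypto_cbc_create() reads after the put, since the description only says "in multiple functions".
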
>
> We can safely drop the reference to the algorithm because the spawn
> is now meant to hold a reference to it. As long as the spawn is
> alive so will the algorithm.

Thanks for your explanation! But I find that the function
crypto_init_spawn just lets spawn->alg point to the algorithm without
increasing the reference count, i.e., alg->cra_refcnt. So I am confused
about how this can protect the algorithm from being freed. Maybe I
missed some key points. Could you please explain it in more detail?

Thank you!

Best regards,
Pan Bian

>
> Cheers,
> --
> Email: Herbert Xu <herbert@gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt