From: "Stephan Müller" <smueller@chronox.de>
To: "Stephan Müller" <smueller@chronox.de>
Cc: syzbot
<bot+b6e703f648ebbbf57a4528d4314e0c2a5c893dc2@syzkaller.appspotmail.com>,
davem@davemloft.net, herbert@gondor.apana.org.au,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, ebiggers3@gmail.com
Subject: [PATCH v2] crypto: AF_ALG - limit mask and type
Date: Tue, 19 Dec 2017 07:25:04 +0100
Message-ID: <3658547.Hu7AXH7hma@positron.chronox.de>
In-Reply-To: <4450500.tGvsruIfR8@positron.chronox.de>
The user space interface allows specifying the type and the mask field
used to allocate the cipher. As user space can precisely select the
desired cipher by using either the name or the driver name, additional
selection options for cipher are not considered necessary and relevant
for user space.
This fixes a bug where user space is able to cause one cipher to be
registered multiple times potentially exhausting kernel memory.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
crypto/af_alg.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 1e5353f62067..4f4cfc5a7ef3 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -150,7 +150,6 @@ EXPORT_SYMBOL_GPL(af_alg_release_parent);
static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
{
- const u32 forbidden = CRYPTO_ALG_INTERNAL;
struct sock *sk = sock->sk;
struct alg_sock *ask = alg_sk(sk);
struct sockaddr_alg *sa = (void *)uaddr;
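Review bot: removing `const u32 forbidden = CRYPTO_ALG_INTERNAL;` is only correct if the two `& ~forbidden` expressions in the later hunk are the sole remaining users of that variable in alg_bind(); the hunk header (-150,7 +150,6) shows no other line changes here, so please confirm the function still builds without an unused-variable or undeclared-identifier error, and note that the CRYPTO_ALG_INTERNAL exclusion is now implied by passing zero masks rather than stated explicitly.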
@@ -176,9 +175,12 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
if (IS_ERR(type))
return PTR_ERR(type);
- private = type->bind(sa->salg_name,
- sa->salg_feat & ~forbidden,
- sa->salg_mask & ~forbidden);
+ /*
+ * The use of the salg_feat and salg_mask are forbidden as they expose
+ * too much of the low-level handling which is not suitable for
+ * hostile code.
+ */
+ private = type->bind(sa->salg_name, 0, 0);
if (IS_ERR(private)) {
module_put(type->owner);
return PTR_ERR(private);
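Review bot: the new comment says the use of salg_feat and salg_mask is "forbidden", but the code silently ignores them by passing `type->bind(sa->salg_name, 0, 0)` instead of rejecting non-zero values; a caller that sets either field now gets a cipher selected by name alone with no error, so consider returning -EINVAL when `sa->salg_feat` or `sa->salg_mask` is non-zero, or reword the comment to say the fields are ignored. The comment also needs a grammar fix ("The use of the salg_feat and salg_mask are forbidden" should read "The use of salg_feat and salg_mask is forbidden"), and since the fields are no longer passed through, the hunk should be checked against the ABI documentation for AF_ALG so that user space is told which values remain meaningful.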
--
2.14.3