From: James Yonan <james@openvpn.net>
To: unlisted-recipients:; (no To-header on input)
Cc: linux-crypto@vger.kernel.org
Subject: Re: race condition in crypto larval handling
Date: Sun, 08 Sep 2013 19:41:23 -0600 [thread overview]
Message-ID: <522D2743.9060802@openvpn.net> (raw)
In-Reply-To: <20130908013210.GA30627@gondor.apana.org.au>
On 07/09/2013 19:32, Herbert Xu wrote:
> On Fri, Sep 06, 2013 at 04:20:50PM -0700, Kees Cook wrote:
>>
>> In the two-thread situation, the first thread gets a larval with
>> refcnt 2 via crypto_larval_add. (Why 2?) The next thread finds the
>> larval via crypto_larval_add's call to __crypto_alg_lookup() and sees
>> the ref bump to 3. While exiting crypto_alg_mod_lookup, each thread
>> decrements the ref count twice.
>>
>> It seems to me like either each call to crypto_larval_lookup() should
>> result in a refcount bumped by two, or crypto_alg_mod_lookup() should
>> decrement only once, and the initial refcount should be 1 not 2 from
>> crypto_larval_add. But it's not clear to me which is sensible here.
>>
>> What's the right solution here?
>
> First of all thanks a lot for tracking this problem down! It's
> been bothering me for months but I was unable to find a good
> reproducer.
>
> So now that you've identified the problem, the solution is easy.
> crypto_larval_lookup should only ever return a larval if it created
> one. Any larval created earlier must be waited on first before we
> return.
>
> So does this patch fix the crash for you?
>
> diff --git a/crypto/api.c b/crypto/api.c
> index 320ea4d..a2b39c5 100644
> --- a/crypto/api.c
> +++ b/crypto/api.c
> @@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem);
> BLOCKING_NOTIFIER_HEAD(crypto_chain);
> EXPORT_SYMBOL_GPL(crypto_chain);
>
> +static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
> +
> struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
> {
> return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
> @@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type,
> }
> up_write(&crypto_alg_sem);
>
> - if (alg != &larval->alg)
> + if (alg != &larval->alg) {
> kfree(larval);
> + if (crypto_is_larval(alg))
> + alg = crypto_larval_wait(alg);
> + }
>
> return alg;
> }
I tried this patch, but I still see an apparent module lookup/load race
if code on several CPUs calls crypto_alloc_aead at the same time, and an
external module such as aes needs to be loaded.
Seeing this in the log: "request_module: runaway loop modprobe gcm(aes)"
Shouldn't module lookup/load be bracketed by some sort of lock to
prevent this?
James
next prev parent reply other threads:[~2013-09-09 1:41 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-06 23:20 race condition in crypto larval handling Kees Cook
2013-09-06 23:20 ` Kees Cook
2013-09-07 14:39 ` Neil Horman
2013-09-07 14:39 ` Neil Horman
2013-09-07 17:10 ` Kees Cook
2013-09-07 17:10 ` Kees Cook
2013-09-08 1:32 ` Herbert Xu
2013-09-08 1:32 ` Herbert Xu
2013-09-08 3:34 ` Kees Cook
2013-09-08 3:34 ` Kees Cook
2013-09-08 4:37 ` Herbert Xu
2013-09-08 4:37 ` Herbert Xu
2013-09-08 4:54 ` Herbert Xu
2013-09-08 4:54 ` Herbert Xu
2013-09-08 6:01 ` Kees Cook
2013-09-08 6:01 ` Kees Cook
2013-09-08 15:52 ` Kees Cook
2013-09-08 15:52 ` Kees Cook
2013-09-09 1:41 ` James Yonan [this message]
2013-09-10 23:13 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=522D2743.9060802@openvpn.net \
--to=james@openvpn.net \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.