From: "Stephan Müller" <smueller@chronox.de>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Matthew Wilcox <willy@infradead.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
David Miller <davem@davemloft.net>,
linux-crypto@vger.kernel.org, Eric Biggers <ebiggers3@gmail.com>,
syzbot <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller-bugs@googlegroups.com,
Al Viro <viro@zeniv.linux.org.uk>
Subject: [PATCH] crypto: DRBG - guard uninstantion by lock
Date: Sun, 08 Apr 2018 21:07:03 +0200
Message-ID: <6541596.TtyMCBNA0Q@positron.chronox.de>
In-Reply-To: <CACT4Y+Y7hdm6LX5-PZu9zXFSmAKMP_jCYY7Z7g6a0xd_XCEYhA@mail.gmail.com>
On Sunday, 8 April 2018, 17:41:17 CEST, Dmitry Vyukov wrote:
Hi Dmitry,
>
> Hi,
>
> Here is config and kernel commit:
> https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/ntZPOZdcCAAJ
> You can also find compiler and image here if necessary:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md
>
> And note that the program needs to be compiled with -m32. The bug is
> probably not-compat specific, but the program injects fault into a
> particular malloc invocation and maybe malloc numbering is affected by
> compat path.
I am unable to reproduce the issue. But since you mention that you induce errors, I could see that the unlocking of the DRBG context is too soon.
Can you please check whether the attached patch fixes the issue?
Thanks
---8<---
In the error code path, the uninstantiation must be guarded by a lock to
ensure that the modification of the context is fully atomic.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzkaller
---
crypto/drbg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..68c1949a253f 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
return ret;
free_everything:
- mutex_unlock(&drbg->drbg_mutex);
drbg_uninstantiate(drbg);
+ mutex_unlock(&drbg->drbg_mutex);
return ret;
}
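Review bot: In the free_everything path, drbg_uninstantiate(drbg) now runs with drbg->drbg_mutex held, so please confirm that nothing reachable from drbg_uninstantiate() takes drbg_mutex itself and that every goto free_everything is reached with the mutex already held; neither is visible in this hunk, and the cover text says the issue could not be reproduced. The commit message would also be stronger if it named what can observe the context between the old unlock and the uninstantiate, and the Reported-by: tag should carry the syzbot address from the Cc list (syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com) rather than the bare word syzkaller, so the report can be matched to the fix.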
--
2.14.3