• Eric Biggers's avatar
    crypto: algapi - fix NULL dereference in crypto_remove_spawns() · 9a006742
    Eric Biggers authored
    syzkaller triggered a NULL pointer dereference in crypto_remove_spawns()
    via a program that repeatedly and concurrently requests AEADs
    "authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)"
    through AF_ALG, where the hashes are requested as "untested"
    (CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this
    causes the template to be instantiated for every request).
    
    Although AF_ALG users really shouldn't be able to request an "untested"
    algorithm, the NULL pointer dereference is actually caused by a
    longstanding race condition where crypto_remove_spawns() can encounter
    an instance which has had spawn(s) "grabbed" but hasn't yet been
    registered, resulting in ->cra_users still being NULL.
    
    We probably should properly initialize ->cra_users earlier, but that
    would require updating many templates individually.  For now just fix
    the bug in a simple way that can easily be backported: make
    crypto_remove_spawns() treat a NULL ->cra_users list as empty.
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    9a006742
algapi.c 22.6 KB