mirror of
https://github.com/torvalds/linux.git
synced 2024-11-23 20:51:44 +00:00
939e177996
On Thu, Jun 20, 2013 at 10:00:21AM +0200, Daniel Borkmann wrote:
> After having fixed a NULL pointer dereference in SCTP 1abd165e
("net:
> sctp: fix NULL pointer dereference in socket destruction"), I ran into
> the following NULL pointer dereference in the crypto subsystem with
> the same reproducer, easily hit each time:
>
> BUG: unable to handle kernel NULL pointer dereference at (null)
> IP: [<ffffffff81070321>] __wake_up_common+0x31/0x90
> PGD 0
> Oops: 0000 [#1] SMP
> Modules linked in: padlock_sha(F-) sha256_generic(F) sctp(F) libcrc32c(F) [..]
> CPU: 6 PID: 3326 Comm: cryptomgr_probe Tainted: GF 3.10.0-rc5+ #1
> Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
> task: ffff88007b6cf4e0 ti: ffff88007b7cc000 task.ti: ffff88007b7cc000
> RIP: 0010:[<ffffffff81070321>] [<ffffffff81070321>] __wake_up_common+0x31/0x90
> RSP: 0018:ffff88007b7cde08 EFLAGS: 00010082
> RAX: ffffffffffffffe8 RBX: ffff88003756c130 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffff88003756c130
> RBP: ffff88007b7cde48 R08: 0000000000000000 R09: ffff88012b173200
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000282
> R13: ffff88003756c138 R14: 0000000000000000 R15: 0000000000000000
> FS: 0000000000000000(0000) GS:ffff88012fc60000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 0000000000000000 CR3: 0000000001a0b000 CR4: 00000000000007e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Stack:
> ffff88007b7cde28 0000000300000000 ffff88007b7cde28 ffff88003756c130
> 0000000000000282 ffff88003756c128 ffffffff81227670 0000000000000000
> ffff88007b7cde78 ffffffff810722b7 ffff88007cdcf000 ffffffff81a90540
> Call Trace:
> [<ffffffff81227670>] ? crypto_alloc_pcomp+0x20/0x20
> [<ffffffff810722b7>] complete_all+0x47/0x60
> [<ffffffff81227708>] cryptomgr_probe+0x98/0xc0
> [<ffffffff81227670>] ? crypto_alloc_pcomp+0x20/0x20
> [<ffffffff8106760e>] kthread+0xce/0xe0
> [<ffffffff81067540>] ? kthread_freezable_should_stop+0x70/0x70
> [<ffffffff815450dc>] ret_from_fork+0x7c/0xb0
> [<ffffffff81067540>] ? kthread_freezable_should_stop+0x70/0x70
> Code: 41 56 41 55 41 54 53 48 83 ec 18 66 66 66 66 90 89 75 cc 89 55 c8
> 4c 8d 6f 08 48 8b 57 08 41 89 cf 4d 89 c6 48 8d 42 e
> RIP [<ffffffff81070321>] __wake_up_common+0x31/0x90
> RSP <ffff88007b7cde08>
> CR2: 0000000000000000
> ---[ end trace b495b19270a4d37e ]---
>
> My assumption is that the following is happening: the minimal SCTP
> tool runs under ``echo 1 > /proc/sys/net/sctp/auth_enable'', hence
> it's making use of crypto_alloc_hash() via sctp_auth_init_hmacs().
> It forks itself, heavily allocates, binds, listens and waits in
> accept on sctp sockets, and then randomly kills some of them (no
> need for an actual client in this case to hit this). Then, again,
> allocating, binding, etc, and then killing child processes.
>
> The problem that might be happening here is that cryptomgr requests
> the module to probe/load through cryptomgr_schedule_probe(), but
> before the thread handler cryptomgr_probe() returns, we return from
> the wait_for_completion_interruptible() function and probably already
> have cleared up larval, thus we run into a NULL pointer dereference
> when in cryptomgr_probe() complete_all() is being called.
>
> If we wait with wait_for_completion() instead, this panic will not
> occur anymore. This is valid, because in case a signal is pending,
> cryptomgr_probe() returns from probing anyway with properly calling
> complete_all().
The use of wait_for_completion_interruptible is intentional so that
we don't lock up the thread if a bug causes us to never wake up.
This bug is caused by the helper thread using the larval without
holding a reference count on it. If the helper thread completes
after the original thread requesting for help has gone away and
destroyed the larval, then we get the crash above.
So the fix is to hold a reference count on the larval.
Cc: <stable@vger.kernel.org> # 3.6+
Reported-by: Daniel Borkmann <dborkman@redhat.com>
Tested-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
309 lines
6.4 KiB
C
309 lines
6.4 KiB
C
/*
|
|
* Create default crypto algorithm instances.
|
|
*
|
|
* Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the Free
|
|
* Software Foundation; either version 2 of the License, or (at your option)
|
|
* any later version.
|
|
*
|
|
*/
|
|
|
|
#include <crypto/internal/aead.h>
|
|
#include <linux/completion.h>
|
|
#include <linux/ctype.h>
|
|
#include <linux/err.h>
|
|
#include <linux/init.h>
|
|
#include <linux/kthread.h>
|
|
#include <linux/module.h>
|
|
#include <linux/notifier.h>
|
|
#include <linux/rtnetlink.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/string.h>
|
|
|
|
#include "internal.h"
|
|
|
|
struct cryptomgr_param {
|
|
struct rtattr *tb[CRYPTO_MAX_ATTRS + 2];
|
|
|
|
struct {
|
|
struct rtattr attr;
|
|
struct crypto_attr_type data;
|
|
} type;
|
|
|
|
union {
|
|
struct rtattr attr;
|
|
struct {
|
|
struct rtattr attr;
|
|
struct crypto_attr_alg data;
|
|
} alg;
|
|
struct {
|
|
struct rtattr attr;
|
|
struct crypto_attr_u32 data;
|
|
} nu32;
|
|
} attrs[CRYPTO_MAX_ATTRS];
|
|
|
|
char template[CRYPTO_MAX_ALG_NAME];
|
|
|
|
struct crypto_larval *larval;
|
|
|
|
u32 otype;
|
|
u32 omask;
|
|
};
|
|
|
|
struct crypto_test_param {
|
|
char driver[CRYPTO_MAX_ALG_NAME];
|
|
char alg[CRYPTO_MAX_ALG_NAME];
|
|
u32 type;
|
|
};
|
|
|
|
static int cryptomgr_probe(void *data)
|
|
{
|
|
struct cryptomgr_param *param = data;
|
|
struct crypto_template *tmpl;
|
|
struct crypto_instance *inst;
|
|
int err;
|
|
|
|
tmpl = crypto_lookup_template(param->template);
|
|
if (!tmpl)
|
|
goto out;
|
|
|
|
do {
|
|
if (tmpl->create) {
|
|
err = tmpl->create(tmpl, param->tb);
|
|
continue;
|
|
}
|
|
|
|
inst = tmpl->alloc(param->tb);
|
|
if (IS_ERR(inst))
|
|
err = PTR_ERR(inst);
|
|
else if ((err = crypto_register_instance(tmpl, inst)))
|
|
tmpl->free(inst);
|
|
} while (err == -EAGAIN && !signal_pending(current));
|
|
|
|
crypto_tmpl_put(tmpl);
|
|
|
|
out:
|
|
complete_all(¶m->larval->completion);
|
|
crypto_alg_put(¶m->larval->alg);
|
|
kfree(param);
|
|
module_put_and_exit(0);
|
|
}
|
|
|
|
static int cryptomgr_schedule_probe(struct crypto_larval *larval)
|
|
{
|
|
struct task_struct *thread;
|
|
struct cryptomgr_param *param;
|
|
const char *name = larval->alg.cra_name;
|
|
const char *p;
|
|
unsigned int len;
|
|
int i;
|
|
|
|
if (!try_module_get(THIS_MODULE))
|
|
goto err;
|
|
|
|
param = kzalloc(sizeof(*param), GFP_KERNEL);
|
|
if (!param)
|
|
goto err_put_module;
|
|
|
|
for (p = name; isalnum(*p) || *p == '-' || *p == '_'; p++)
|
|
;
|
|
|
|
len = p - name;
|
|
if (!len || *p != '(')
|
|
goto err_free_param;
|
|
|
|
memcpy(param->template, name, len);
|
|
|
|
i = 0;
|
|
for (;;) {
|
|
int notnum = 0;
|
|
|
|
name = ++p;
|
|
len = 0;
|
|
|
|
for (; isalnum(*p) || *p == '-' || *p == '_'; p++)
|
|
notnum |= !isdigit(*p);
|
|
|
|
if (*p == '(') {
|
|
int recursion = 0;
|
|
|
|
for (;;) {
|
|
if (!*++p)
|
|
goto err_free_param;
|
|
if (*p == '(')
|
|
recursion++;
|
|
else if (*p == ')' && !recursion--)
|
|
break;
|
|
}
|
|
|
|
notnum = 1;
|
|
p++;
|
|
}
|
|
|
|
len = p - name;
|
|
if (!len)
|
|
goto err_free_param;
|
|
|
|
if (notnum) {
|
|
param->attrs[i].alg.attr.rta_len =
|
|
sizeof(param->attrs[i].alg);
|
|
param->attrs[i].alg.attr.rta_type = CRYPTOA_ALG;
|
|
memcpy(param->attrs[i].alg.data.name, name, len);
|
|
} else {
|
|
param->attrs[i].nu32.attr.rta_len =
|
|
sizeof(param->attrs[i].nu32);
|
|
param->attrs[i].nu32.attr.rta_type = CRYPTOA_U32;
|
|
param->attrs[i].nu32.data.num =
|
|
simple_strtol(name, NULL, 0);
|
|
}
|
|
|
|
param->tb[i + 1] = ¶m->attrs[i].attr;
|
|
i++;
|
|
|
|
if (i >= CRYPTO_MAX_ATTRS)
|
|
goto err_free_param;
|
|
|
|
if (*p == ')')
|
|
break;
|
|
|
|
if (*p != ',')
|
|
goto err_free_param;
|
|
}
|
|
|
|
if (!i)
|
|
goto err_free_param;
|
|
|
|
param->tb[i + 1] = NULL;
|
|
|
|
param->type.attr.rta_len = sizeof(param->type);
|
|
param->type.attr.rta_type = CRYPTOA_TYPE;
|
|
param->type.data.type = larval->alg.cra_flags & ~CRYPTO_ALG_TESTED;
|
|
param->type.data.mask = larval->mask & ~CRYPTO_ALG_TESTED;
|
|
param->tb[0] = ¶m->type.attr;
|
|
|
|
param->otype = larval->alg.cra_flags;
|
|
param->omask = larval->mask;
|
|
|
|
crypto_alg_get(&larval->alg);
|
|
param->larval = larval;
|
|
|
|
thread = kthread_run(cryptomgr_probe, param, "cryptomgr_probe");
|
|
if (IS_ERR(thread))
|
|
goto err_put_larval;
|
|
|
|
wait_for_completion_interruptible(&larval->completion);
|
|
|
|
return NOTIFY_STOP;
|
|
|
|
err_put_larval:
|
|
crypto_alg_put(&larval->alg);
|
|
err_free_param:
|
|
kfree(param);
|
|
err_put_module:
|
|
module_put(THIS_MODULE);
|
|
err:
|
|
return NOTIFY_OK;
|
|
}
|
|
|
|
static int cryptomgr_test(void *data)
|
|
{
|
|
struct crypto_test_param *param = data;
|
|
u32 type = param->type;
|
|
int err = 0;
|
|
|
|
#ifdef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
|
|
goto skiptest;
|
|
#endif
|
|
|
|
if (type & CRYPTO_ALG_TESTED)
|
|
goto skiptest;
|
|
|
|
err = alg_test(param->driver, param->alg, type, CRYPTO_ALG_TESTED);
|
|
|
|
skiptest:
|
|
crypto_alg_tested(param->driver, err);
|
|
|
|
kfree(param);
|
|
module_put_and_exit(0);
|
|
}
|
|
|
|
static int cryptomgr_schedule_test(struct crypto_alg *alg)
|
|
{
|
|
struct task_struct *thread;
|
|
struct crypto_test_param *param;
|
|
u32 type;
|
|
|
|
if (!try_module_get(THIS_MODULE))
|
|
goto err;
|
|
|
|
param = kzalloc(sizeof(*param), GFP_KERNEL);
|
|
if (!param)
|
|
goto err_put_module;
|
|
|
|
memcpy(param->driver, alg->cra_driver_name, sizeof(param->driver));
|
|
memcpy(param->alg, alg->cra_name, sizeof(param->alg));
|
|
type = alg->cra_flags;
|
|
|
|
/* This piece of crap needs to disappear into per-type test hooks. */
|
|
if ((!((type ^ CRYPTO_ALG_TYPE_BLKCIPHER) &
|
|
CRYPTO_ALG_TYPE_BLKCIPHER_MASK) && !(type & CRYPTO_ALG_GENIV) &&
|
|
((alg->cra_flags & CRYPTO_ALG_TYPE_MASK) ==
|
|
CRYPTO_ALG_TYPE_BLKCIPHER ? alg->cra_blkcipher.ivsize :
|
|
alg->cra_ablkcipher.ivsize)) ||
|
|
(!((type ^ CRYPTO_ALG_TYPE_AEAD) & CRYPTO_ALG_TYPE_MASK) &&
|
|
alg->cra_type == &crypto_nivaead_type && alg->cra_aead.ivsize))
|
|
type |= CRYPTO_ALG_TESTED;
|
|
|
|
param->type = type;
|
|
|
|
thread = kthread_run(cryptomgr_test, param, "cryptomgr_test");
|
|
if (IS_ERR(thread))
|
|
goto err_free_param;
|
|
|
|
return NOTIFY_STOP;
|
|
|
|
err_free_param:
|
|
kfree(param);
|
|
err_put_module:
|
|
module_put(THIS_MODULE);
|
|
err:
|
|
return NOTIFY_OK;
|
|
}
|
|
|
|
static int cryptomgr_notify(struct notifier_block *this, unsigned long msg,
|
|
void *data)
|
|
{
|
|
switch (msg) {
|
|
case CRYPTO_MSG_ALG_REQUEST:
|
|
return cryptomgr_schedule_probe(data);
|
|
case CRYPTO_MSG_ALG_REGISTER:
|
|
return cryptomgr_schedule_test(data);
|
|
}
|
|
|
|
return NOTIFY_DONE;
|
|
}
|
|
|
|
static struct notifier_block cryptomgr_notifier = {
|
|
.notifier_call = cryptomgr_notify,
|
|
};
|
|
|
|
static int __init cryptomgr_init(void)
|
|
{
|
|
return crypto_register_notifier(&cryptomgr_notifier);
|
|
}
|
|
|
|
static void __exit cryptomgr_exit(void)
|
|
{
|
|
int err = crypto_unregister_notifier(&cryptomgr_notifier);
|
|
BUG_ON(err);
|
|
}
|
|
|
|
subsys_initcall(cryptomgr_init);
|
|
module_exit(cryptomgr_exit);
|
|
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_DESCRIPTION("Crypto Algorithm Manager");
|