linux/crypto
Herbert Xu 939e177996 crypto: algboss - Hold ref count on larval
On Thu, Jun 20, 2013 at 10:00:21AM +0200, Daniel Borkmann wrote:
> After having fixed a NULL pointer dereference in SCTP 1abd165e ("net:
> sctp: fix NULL pointer dereference in socket destruction"), I ran into
> the following NULL pointer dereference in the crypto subsystem with
> the same reproducer, easily hit each time:
> 
> BUG: unable to handle kernel NULL pointer dereference at (null)
> IP: [<ffffffff81070321>] __wake_up_common+0x31/0x90
> PGD 0
> Oops: 0000 [#1] SMP
> Modules linked in: padlock_sha(F-) sha256_generic(F) sctp(F) libcrc32c(F) [..]
> CPU: 6 PID: 3326 Comm: cryptomgr_probe Tainted: GF            3.10.0-rc5+ #1
> Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
> task: ffff88007b6cf4e0 ti: ffff88007b7cc000 task.ti: ffff88007b7cc000
> RIP: 0010:[<ffffffff81070321>]  [<ffffffff81070321>] __wake_up_common+0x31/0x90
> RSP: 0018:ffff88007b7cde08  EFLAGS: 00010082
> RAX: ffffffffffffffe8 RBX: ffff88003756c130 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffff88003756c130
> RBP: ffff88007b7cde48 R08: 0000000000000000 R09: ffff88012b173200
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000282
> R13: ffff88003756c138 R14: 0000000000000000 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff88012fc60000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 0000000000000000 CR3: 0000000001a0b000 CR4: 00000000000007e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Stack:
>  ffff88007b7cde28 0000000300000000 ffff88007b7cde28 ffff88003756c130
>  0000000000000282 ffff88003756c128 ffffffff81227670 0000000000000000
>  ffff88007b7cde78 ffffffff810722b7 ffff88007cdcf000 ffffffff81a90540
> Call Trace:
>  [<ffffffff81227670>] ? crypto_alloc_pcomp+0x20/0x20
>  [<ffffffff810722b7>] complete_all+0x47/0x60
>  [<ffffffff81227708>] cryptomgr_probe+0x98/0xc0
>  [<ffffffff81227670>] ? crypto_alloc_pcomp+0x20/0x20
>  [<ffffffff8106760e>] kthread+0xce/0xe0
>  [<ffffffff81067540>] ? kthread_freezable_should_stop+0x70/0x70
>  [<ffffffff815450dc>] ret_from_fork+0x7c/0xb0
>  [<ffffffff81067540>] ? kthread_freezable_should_stop+0x70/0x70
> Code: 41 56 41 55 41 54 53 48 83 ec 18 66 66 66 66 90 89 75 cc 89 55 c8
>       4c 8d 6f 08 48 8b 57 08 41 89 cf 4d 89 c6 48 8d 42 e
> RIP  [<ffffffff81070321>] __wake_up_common+0x31/0x90
>  RSP <ffff88007b7cde08>
> CR2: 0000000000000000
> ---[ end trace b495b19270a4d37e ]---
> 
> My assumption is that the following is happening: the minimal SCTP
> tool runs under ``echo 1 > /proc/sys/net/sctp/auth_enable'', hence
> it's making use of crypto_alloc_hash() via sctp_auth_init_hmacs().
> It forks itself, heavily allocates, binds, listens and waits in
> accept on sctp sockets, and then randomly kills some of them (no
> need for an actual client in this case to hit this). Then, again,
> allocating, binding, etc, and then killing child processes.
> 
> The problem that might be happening here is that cryptomgr requests
> the module to probe/load through cryptomgr_schedule_probe(), but
> before the thread handler cryptomgr_probe() returns, we return from
> the wait_for_completion_interruptible() function and probably already
> have cleared up larval, thus we run into a NULL pointer dereference
> when in cryptomgr_probe() complete_all() is being called.
> 
> If we wait with wait_for_completion() instead, this panic will not
> occur anymore. This is valid, because in case a signal is pending,
> cryptomgr_probe() returns from probing anyway with properly calling
> complete_all().

The use of wait_for_completion_interruptible is intentional so that
we don't lock up the thread if a bug causes us to never wake up.

This bug is caused by the helper thread using the larval without
holding a reference count on it.  If the helper thread completes
after the original thread requesting for help has gone away and
destroyed the larval, then we get the crash above.

So the fix is to hold a reference count on the larval.

Cc: <stable@vger.kernel.org> # 3.6+
Reported-by: Daniel Borkmann <dborkman@redhat.com>
Tested-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2013-06-25 19:15:17 +08:00
..
asymmetric_keys X.509: Support parse long form of length octets in Authority Key Identifier 2013-04-22 11:32:19 +09:30
async_tx raid6test: use prandom_bytes() 2013-04-29 18:28:42 -07:00
842.c crypto: 842 - remove .cra_list initialization 2012-09-07 04:17:06 +08:00
ablkcipher.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
aead.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
aes_generic.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
af_alg.c atomic: use <linux/atomic.h> 2011-07-26 16:49:47 -07:00
ahash.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
algapi.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
algboss.c crypto: algboss - Hold ref count on larval 2013-06-25 19:15:17 +08:00
algif_hash.c crypto: algif - suppress sending source address information in recvmsg 2013-04-10 14:26:06 +08:00
algif_skcipher.c crypto: algif - suppress sending source address information in recvmsg 2013-04-10 14:26:06 +08:00
ansi_cprng.c crypto: ansi_cprng - use crypto_[un]register_algs 2012-08-01 17:47:25 +08:00
anubis.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
api.c crypto: algboss - Hold ref count on larval 2013-06-25 19:15:17 +08:00
arc4.c crypto: arc4 - improve performance by using u32 for ctx and variables 2012-06-14 10:07:23 +08:00
authenc.c crypto: use ERR_CAST 2013-02-04 21:16:53 +08:00
authencesn.c crypto: use ERR_CAST 2013-02-04 21:16:53 +08:00
blkcipher.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
blowfish_common.c crypto: blowfish - split generic and common c code 2011-09-22 21:25:25 +10:00
blowfish_generic.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
camellia_generic.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
cast5_generic.c crypto: cast5/cast6 - move lookup tables to shared module 2012-12-06 17:16:26 +08:00
cast6_generic.c crypto: cast5/cast6 - move lookup tables to shared module 2012-12-06 17:16:26 +08:00
cast_common.c crypto: cast5/cast6 - move lookup tables to shared module 2012-12-06 17:16:26 +08:00
cbc.c
ccm.c crypto: use ERR_CAST 2013-02-04 21:16:53 +08:00
chainiv.c crypto: use ERR_CAST 2013-02-04 21:16:53 +08:00
cipher.c crypto: cipher - Fix checkpatch errors 2010-02-16 20:31:37 +08:00
cmac.c crypto: add CMAC support to CryptoAPI 2013-04-25 21:01:47 +08:00
compress.c crypto: compress - Fix checkpatch errors 2010-02-16 20:31:04 +08:00
crc32.c crypto: crc32 - add crc32 pclmulqdq implementation and wrappers for table implementation 2013-01-20 10:16:45 +11:00
crc32c.c crypto: crc32c should use library implementation 2012-03-23 16:58:38 -07:00
cryptd.c crypto: cryptd - disable softirqs in cryptd_queue_worker to prevent data corruption 2012-10-24 21:21:18 +08:00
crypto_null.c crypto: crypto_null - use crypto_[un]register_algs 2012-08-01 17:47:24 +08:00
crypto_user.c crypto: user - constify netlink dispatch table 2013-03-10 16:46:43 +08:00
crypto_wq.c crypto: add module.h to those files that are explicitly using it 2011-10-31 19:31:11 -04:00
ctr.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2013-02-25 15:56:15 -08:00
cts.c crypto: use ERR_CAST 2013-02-04 21:16:53 +08:00
deflate.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
des_generic.c crypto: des - use crypto_[un]register_algs 2012-08-01 17:47:24 +08:00
ecb.c crypto: ecb - Fix checkpatch errors 2010-02-16 20:33:49 +08:00
eseqiv.c crypto: Use scatterwalk_crypto_chain 2010-12-02 14:47:16 +08:00
fcrypt.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
fips.c
gcm.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2013-05-02 14:53:12 -07:00
gf128mul.c crypto: gf128mul - fix call to memset() 2011-07-08 17:21:21 +08:00
ghash-generic.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
hmac.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
internal.h crypto: algboss - Hold ref count on larval 2013-06-25 19:15:17 +08:00
Kconfig crypto: blowfish - disable AVX2 implementation 2013-06-05 16:33:23 +08:00
khazad.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
krng.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
lrw.c crypto: lrw - add interface for parallelized cipher implementions 2011-11-09 11:50:31 +08:00
lzo.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
Makefile crypto: add CMAC support to CryptoAPI 2013-04-25 21:01:47 +08:00
md4.c crypto: add module.h to those files that are explicitly using it 2011-10-31 19:31:11 -04:00
md5.c crypto: Move md5_transform to lib/md5.c 2011-08-06 18:32:45 -07:00
michael_mic.c
pcbc.c
pcompress.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
pcrypt.c crypto: pcrypt - Use the online cpumask as the default 2012-03-29 19:52:47 +08:00
proc.c crypto: add module.h to those files that are explicitly using it 2011-10-31 19:31:11 -04:00
ripemd.h
rmd128.c crypto: ripemd - Set module author and update email address 2011-01-04 23:34:03 +11:00
rmd160.c crypto: ripemd - Set module author and update email address 2011-01-04 23:34:03 +11:00
rmd256.c crypto: ripemd - Set module author and update email address 2011-01-04 23:34:03 +11:00
rmd320.c crypto: ripemd - Set module author and update email address 2011-01-04 23:34:03 +11:00
rng.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
salsa20_generic.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
scatterwalk.c crypto: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:16 +08:00
seed.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
seqiv.c crypto: use ERR_CAST 2013-02-04 21:16:53 +08:00
serpent_generic.c crypto: serpent - use crypto_[un]register_algs 2012-08-01 17:47:25 +08:00
sha1_generic.c crypto: sha1 - export sha1_update for reuse 2011-08-10 19:00:28 +08:00
sha256_generic.c crypto: sha256 - Expose SHA256 generic routine to be callable externally. 2013-04-03 09:06:31 +08:00
sha512_generic.c crypto: sha512 - Expose generic sha512 routine to be callable from other modules 2013-04-25 21:00:57 +08:00
shash.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
tcrypt.c crypto: tcrypt - add async cipher speed tests for blowfish 2013-04-25 21:09:03 +08:00
tcrypt.h crypto: ctr - make rfc3686 asynchronous block cipher 2013-01-08 07:03:04 +01:00
tea.c crypto: tea - use crypto_[un]register_algs 2012-08-01 17:47:24 +08:00
testmgr.c crypto: camellia - add AVX2/AES-NI/x86_64 assembler implementation of camellia cipher 2013-04-25 21:09:07 +08:00
testmgr.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2013-05-02 14:53:12 -07:00
tgr192.c crypto: tiger - use crypto_[un]register_shashes 2012-08-01 17:47:26 +08:00
twofish_common.c crypto: twofish-x86_64-3way - add lrw support 2011-11-09 11:53:32 +08:00
twofish_generic.c crypto: cleanup - remove unneeded crypto_alg.cra_list initializations 2012-08-01 17:47:27 +08:00
vmac.c crypto: vmac - Make VMAC work when blocks aren't aligned 2012-10-15 22:33:20 +08:00
wp512.c crypto: whirlpool - use crypto_[un]register_shashes 2012-08-01 17:47:27 +08:00
xcbc.c crypto: add module.h to those files that are explicitly using it 2011-10-31 19:31:11 -04:00
xor.c add further __init annotations to crypto/xor.c 2012-10-11 13:42:32 +11:00
xts.c crypto: xts: add interface for parallelized cipher implementations 2011-11-09 11:56:06 +08:00
zlib.c net+crypto: Use vmalloc for zlib inflate buffers. 2011-06-29 05:48:41 -07:00