From patchwork Thu Mar 24 16:51:37 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kamal Mostafa X-Patchwork-Id: 601702 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3qWCC50TsRz9sDH; Fri, 25 Mar 2016 03:52:01 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1aj8UH-000355-Pi; Thu, 24 Mar 2016 16:51:57 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1aj8U1-0002x6-Fk for kernel-team@lists.ubuntu.com; Thu, 24 Mar 2016 16:51:41 +0000 Received: from 1.general.kamal.us.vpn ([10.172.68.52] helo=fourier) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1aj8U1-0006KW-1M; Thu, 24 Mar 2016 16:51:41 +0000 Received: from kamal by fourier with local (Exim 4.86) (envelope-from ) id 1aj8Ty-00071K-CU; Thu, 24 Mar 2016 09:51:38 -0700 From: Kamal Mostafa To: Herbert Xu Subject: [4.2.y-ckt stable] Patch "crypto: algif_skcipher - Do not dereference ctx without socket lock" has been added to the 4.2.y-ckt tree Date: Thu, 24 Mar 2016 09:51:37 -0700 Message-Id: <1458838297-26950-1-git-send-email-kamal@canonical.com> X-Mailer: git-send-email 2.7.0 X-Extended-Stable: 4.2 Cc: Kamal Mostafa , kernel-team@lists.ubuntu.com X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled crypto: algif_skcipher - Do not dereference ctx without socket lock to the linux-4.2.y-queue branch of the 4.2.y-ckt extended stable tree which can be found at: http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2.y-queue This patch is scheduled to be released in version 4.2.8-ckt7. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 4.2.y-ckt tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ---8<------------------------------------------------------------ From 63aecbaaaa18f8af62caec8c78bfa0e77803da4f Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Wed, 3 Feb 2016 21:39:26 +0800 Subject: crypto: algif_skcipher - Do not dereference ctx without socket lock commit 6454c2b83f719057069777132b13949e4c6b6350 upstream. Any access to non-constant bits of the private context must be done under the socket lock, in particular, this includes ctx->req. This patch moves such accesses under the lock, and fetches the tfm from the parent socket which is guaranteed to be constant, rather than from ctx->req. Signed-off-by: Herbert Xu [ kamal: backport to 4.2-stable: use ablkcipher ] Signed-off-by: Kamal Mostafa --- crypto/algif_skcipher.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) -- 2.7.0 diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index 1939e60..42e497d 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -295,8 +295,11 @@ static int skcipher_sendmsg(struct socket *sock, struct msghdr *msg, { struct sock *sk = sock->sk; struct alg_sock *ask = alg_sk(sk); + struct sock *psk = ask->parent; + struct alg_sock *pask = alg_sk(psk); struct skcipher_ctx *ctx = ask->private; - struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(&ctx->req); + struct skcipher_tfm *skc = pask->private; + struct crypto_ablkcipher *tfm = skc->skcipher; unsigned ivsize = crypto_ablkcipher_ivsize(tfm); struct skcipher_sg_list *sgl; struct af_alg_control con = {}; @@ -508,7 +511,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg, struct skcipher_async_req *sreq; struct ablkcipher_request *req; struct skcipher_async_rsgl *last_rsgl = NULL; - unsigned int txbufs = 0, len = 0, tx_nents = skcipher_all_sg_nents(ctx); + unsigned int txbufs = 0, len = 0, tx_nents; unsigned int reqsize = crypto_ablkcipher_reqsize(tfm); unsigned int ivsize = crypto_ablkcipher_ivsize(tfm); int err = -ENOMEM; @@ -526,6 +529,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg, sreq->inflight = &ctx->inflight; lock_sock(sk); + tx_nents = skcipher_all_sg_nents(ctx); sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL); if (unlikely(!sreq->tsg)) goto unlock; @@ -633,9 +637,12 @@ static int skcipher_recvmsg_sync(struct socket *sock, struct msghdr *msg, { struct sock *sk = sock->sk; struct alg_sock *ask = alg_sk(sk); + struct sock *psk = ask->parent; + struct alg_sock *pask = alg_sk(psk); struct skcipher_ctx *ctx = ask->private; - unsigned bs = crypto_ablkcipher_blocksize(crypto_ablkcipher_reqtfm( - &ctx->req)); + struct skcipher_tfm *skc = pask->private; + struct crypto_ablkcipher *tfm = skc->skcipher; + unsigned bs = crypto_ablkcipher_blocksize(tfm); struct skcipher_sg_list *sgl; struct scatterlist *sg; int err = -EAGAIN;