diff options
| author | Eric Biggers <[email protected]> | 2017-12-29 14:30:19 -0600 |
|---|---|---|
| committer | Herbert Xu <[email protected]> | 2018-01-05 18:41:52 +1100 |
| commit | 9a00674213a3f00394f4e3221b88f2d21fc05789 (patch) | |
| tree | 3376c611066a95dbbb9762fe358db012ac39c6fc /tools/perf/scripts/python/export-to-sqlite.py | |
| parent | 2973633e9f09311e849f975d969737af81a521ff (diff) | |
crypto: algapi - fix NULL dereference in crypto_remove_spawns()
syzkaller triggered a NULL pointer dereference in crypto_remove_spawns()
via a program that repeatedly and concurrently requests AEADs
"authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)"
through AF_ALG, where the hashes are requested as "untested"
(CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this
causes the template to be instantiated for every request).
Although AF_ALG users really shouldn't be able to request an "untested"
algorithm, the NULL pointer dereference is actually caused by a
longstanding race condition where crypto_remove_spawns() can encounter
an instance which has had spawn(s) "grabbed" but hasn't yet been
registered, resulting in ->cra_users still being NULL.
We probably should properly initialize ->cra_users earlier, but that
would require updating many templates individually. For now just fix
the bug in a simple way that can easily be backported: make
crypto_remove_spawns() treat a NULL ->cra_users list as empty.
Reported-by: syzbot <[email protected]>
Cc: [email protected]
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/export-to-sqlite.py')
0 files changed, 0 insertions, 0 deletions