• Rabin Vincent's avatar
    crypto: af_alg - fix backlog handling · b6f7daea
    Rabin Vincent authored
    commit 7e77bdeb upstream.
    
    If a request is backlogged, it's complete() handler will get called
    twice: once with -EINPROGRESS, and once with the final error code.
    
    af_alg's complete handler, unlike other users, does not handle the
    -EINPROGRESS but instead always completes the completion that recvmsg()
    is waiting on.  This can lead to a return to user space while the
    request is still pending in the driver.  If userspace closes the sockets
    before the requests are handled by the driver, this will lead to
    use-after-frees (and potential crashes) in the kernel due to the tfm
    having been freed.
    
    The crashes can be easily reproduced (for example) by reducing the max
    queue length in cryptod.c and running the following (from
    http://www.chronox.de/libkcapi.html) on AES-NI capable hardware:
    
     $ while true; do kcapi -x 1 -e -c '__ecb-aes-aesni' \
        -k 00000000000000000000000000000000 \
        -p 00000000000000000000000000000000 >/dev/null & done
    Signed-off-by: default avatarRabin Vincent <rabin.vincent@axis.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
    b6f7daea
af_alg.c 9.36 KB