Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
android_kernel_samsung_msm8976/crypto
History
Mathias Krause 471b81310d crypto: user - lock crypto_alg_list on alg dump 
commit 63e41ebc6630f39422d87f8a4bade1e793f37a01 upstream.

We miss to take the crypto_alg_sem semaphore when traversing the
crypto_alg_list for CRYPTO_MSG_GETALG dumps. This allows a race with
crypto_unregister_alg() removing algorithms from the list while we're
still traversing it, thereby leading to a use-after-free as show below:

[ 3482.071639] general protection fault: 0000 [#1] SMP
[ 3482.075639] Modules linked in: aes_x86_64 glue_helper lrw ablk_helper cryptd gf128mul ipv6 pcspkr serio_raw virtio_net microcode virtio_pci virtio_ring virtio sr_mod cdrom [last unloaded: aesni_intel]
[ 3482.075639] CPU: 1 PID: 11065 Comm: crconf Not tainted 4.3.4-grsec+ #126
[ 3482.075639] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 3482.075639] task: ffff88001cd41a40 ti: ffff88001cd422c8 task.ti: ffff88001cd422c8
[ 3482.075639] RIP: 0010:[<ffffffff93722bd3>]  [<ffffffff93722bd3>] strncpy+0x13/0x30
[ 3482.075639] RSP: 0018:ffff88001f713b60  EFLAGS: 00010202
[ 3482.075639] RAX: ffff88001f6c4430 RBX: ffff88001f6c43a0 RCX: ffff88001f6c4430
[ 3482.075639] RDX: 0000000000000040 RSI: fefefefefefeff16 RDI: ffff88001f6c4430
[ 3482.075639] RBP: ffff88001f713b60 R08: ffff88001f6c4470 R09: ffff88001f6c4480
[ 3482.075639] R10: 0000000000000002 R11: 0000000000000246 R12: ffff88001ce2aa28
[ 3482.075639] R13: ffff880000093700 R14: ffff88001f5e4bf8 R15: 0000000000003b20
[ 3482.075639] FS:  0000033826fa2700(0000) GS:ffff88001e900000(0000) knlGS:0000000000000000
[ 3482.075639] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3482.075639] CR2: ffffffffff600400 CR3: 00000000139ec000 CR4: 00000000001606f0
[ 3482.075639] Stack:
[ 3482.075639]  ffff88001f713bd8 ffffffff936ccd00 ffff88001e5c4200 ffff880000093700
[ 3482.075639]  ffff88001f713bd0 ffffffff938ef4bf 0000000000000000 0000000000003b20
[ 3482.075639]  ffff88001f5e4bf8 ffff88001f5e4848 0000000000000000 0000000000003b20
[ 3482.075639] Call Trace:
[ 3482.075639]  [<ffffffff936ccd00>] crypto_report_alg+0xc0/0x3e0
[ 3482.075639]  [<ffffffff938ef4bf>] ? __alloc_skb+0x16f/0x300
[ 3482.075639]  [<ffffffff936cd08a>] crypto_dump_report+0x6a/0x90
[ 3482.075639]  [<ffffffff93935707>] netlink_dump+0x147/0x2e0
[ 3482.075639]  [<ffffffff93935f99>] __netlink_dump_start+0x159/0x190
[ 3482.075639]  [<ffffffff936ccb13>] crypto_user_rcv_msg+0xc3/0x130
[ 3482.075639]  [<ffffffff936cd020>] ? crypto_report_alg+0x3e0/0x3e0
[ 3482.075639]  [<ffffffff936cc4b0>] ? alg_test_crc32c+0x120/0x120
[ 3482.075639]  [<ffffffff93933145>] ? __netlink_lookup+0xd5/0x120
[ 3482.075639]  [<ffffffff936cca50>] ? crypto_add_alg+0x1d0/0x1d0
[ 3482.075639]  [<ffffffff93938141>] netlink_rcv_skb+0xe1/0x130
[ 3482.075639]  [<ffffffff936cc4f8>] crypto_netlink_rcv+0x28/0x40
[ 3482.075639]  [<ffffffff939375a8>] netlink_unicast+0x108/0x180
[ 3482.075639]  [<ffffffff93937c21>] netlink_sendmsg+0x541/0x770
[ 3482.075639]  [<ffffffff938e31e1>] sock_sendmsg+0x21/0x40
[ 3482.075639]  [<ffffffff938e4763>] SyS_sendto+0xf3/0x130
[ 3482.075639]  [<ffffffff93444203>] ? bad_area_nosemaphore+0x13/0x20
[ 3482.075639]  [<ffffffff93444470>] ? __do_page_fault+0x80/0x3a0
[ 3482.075639]  [<ffffffff939d80cb>] entry_SYSCALL_64_fastpath+0x12/0x6e
[ 3482.075639] Code: 88 4a ff 75 ed 5d 48 0f ba 2c 24 3f c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 85 d2 48 89 f8 48 89 f9 4c 8d 04 17 48 89 e5 74 15 <0f> b6 16 80 fa 01 88 11 48 83 de ff 48 83 c1 01 4c 39 c1 75 eb
[ 3482.075639] RIP  [<ffffffff93722bd3>] strncpy+0x13/0x30

To trigger the race run the following loops simultaneously for a while:
  $ while : ; do modprobe aesni-intel; rmmod aesni-intel; done
  $ while : ; do crconf show all > /dev/null; done

Fix the race by taking the crypto_alg_sem read lock, thereby preventing
crypto_unregister_alg() from modifying the algorithm list during the
dump.

This bug has been detected by the PaX memory sanitize feature.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: PaX Team <pageexec@freemail.hu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2016-02-19 14:22:41 -08:00
..
asymmetric_keys X.509: Remove certificate date checks 2013-12-04 10:57:33 -08:00
async_tx raid6test: use prandom_bytes() 2013-04-29 18:28:42 -07:00
842.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
Kconfig crypto: blowfish - disable AVX2 implementation 2013-06-05 16:33:23 +08:00
Makefile crypto: add CMAC support to CryptoAPI 2013-04-25 21:01:47 +08:00
ablkcipher.c crypto: api - Only abort operations on fatal signal 2015-11-09 10:12:59 -08:00
aead.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
aes_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
af_alg.c crypto: af_alg - Fix socket double-free when accept fails 2016-02-19 14:22:41 -08:00
ahash.c crypto: ahash - ensure statesize is non-zero 2015-10-27 09:44:50 +09:00
algapi.c crypto: api - Only abort operations on fatal signal 2015-11-09 10:12:59 -08:00
algboss.c crypto: algboss - Hold ref count on larval 2013-06-25 19:15:17 +08:00
algif_hash.c crypto: algif_hash - wait for crypto_ahash_init() to complete 2016-02-19 14:22:41 -08:00
algif_skcipher.c crypto: algif - avoid excessive use of socket buffer in skcipher 2014-11-14 08:48:00 -08:00
ansi_cprng.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
anubis.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
api.c crypto: api - Only abort operations on fatal signal 2015-11-09 10:12:59 -08:00
arc4.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
authenc.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
authencesn.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
blkcipher.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
blowfish_common.c
blowfish_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
camellia_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
cast5_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
cast6_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
cast_common.c crypto: cast5/cast6 - move lookup tables to shared module 2012-12-06 17:16:26 +08:00
cbc.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
ccm.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
chainiv.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
cipher.c
cmac.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
compress.c
crc32.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
crc32c.c crypto: crc32c - add missing crypto module alias 2015-02-11 14:48:18 +08:00
cryptd.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
crypto_null.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
crypto_user.c crypto: user - lock crypto_alg_list on alg dump 2016-02-19 14:22:41 -08:00
crypto_wq.c crypto: crypto_wq - Fix late crypto work queue initialization 2014-06-07 13:25:35 -07:00
ctr.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
cts.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
deflate.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
des_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
ecb.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
eseqiv.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
fcrypt.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
fips.c
gcm.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
gf128mul.c
ghash-generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
hmac.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
internal.h crypto: algboss - Hold ref count on larval 2013-06-25 19:15:17 +08:00
khazad.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
krng.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
lrw.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
lzo.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
md4.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
md5.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
michael_mic.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
pcbc.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
pcompress.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
pcrypt.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
proc.c
ripemd.h
rmd128.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
rmd160.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
rmd256.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
rmd320.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
rng.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
salsa20_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
scatterwalk.c crypto: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:16 +08:00
seed.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00
seqiv.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
serpent_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
sha1_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
sha256_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
sha512_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
shash.c crypto: user - fix info leaks in report API 2013-02-19 20:27:03 +08:00
tcrypt.c crypto: tcrypt - add async cipher speed tests for blowfish 2013-04-25 21:09:03 +08:00
tcrypt.h crypto: ctr - make rfc3686 asynchronous block cipher 2013-01-08 07:03:04 +01:00
tea.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
testmgr.c crypto: camellia - add AVX2/AES-NI/x86_64 assembler implementation of camellia cipher 2013-04-25 21:09:07 +08:00
testmgr.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2013-05-02 14:53:12 -07:00
tgr192.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
twofish_common.c
twofish_generic.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
vmac.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
wp512.c crypto: add missing crypto module aliases 2015-01-29 17:40:57 -08:00
xcbc.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
xor.c add further __init annotations to crypto/xor.c 2012-10-11 13:42:32 +11:00
xts.c crypto: include crypto- module prefix in template 2015-01-29 17:40:57 -08:00
zlib.c crypto: prefix module autoloading with "crypto-" 2015-01-29 17:40:57 -08:00