Commit d53c513

smuellerDD authored and herbertx committed
crypto: af_alg - fix race accessing cipher request

When invoking an asynchronous cipher operation, the invocation of the callback may be performed before the subsequent operations in the initial code path are invoked. The callback deletes the cipher request data structure which implies that after the invocation of the asynchronous cipher operation, this data structure must not be accessed any more. The setting of the return code size with the request data structure must therefore be moved before the invocation of the asynchronous cipher operation.

Fixes: e870456 ("crypto: algif_skcipher - overhaul memory management")
Fixes: d887c52 ("crypto: algif_aead - overhaul memory management")
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # v4.14+
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

1 parent 9abffc6 commit d53c513

2 files changed: +10 -10 lines changed


crypto/algif_aead.c

Lines changed: 5 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -291,19 +291,19 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
291291
/* AIO operation */
292292
sock_hold(sk);
293293
areq->iocb = msg->msg_iocb;
294+
295+
/* Remember output size that will be generated. */
296+
areq->outlen = outlen;
297+
294298
aead_request_set_callback(&areq->cra_u.aead_req,
295299
CRYPTO_TFM_REQ_MAY_BACKLOG,
296300
af_alg_async_cb, areq);
297301
err = ctx->enc ? crypto_aead_encrypt(&areq->cra_u.aead_req) :
298302
crypto_aead_decrypt(&areq->cra_u.aead_req);
299303

300304
/* AIO operation in progress */
301-
if (err == -EINPROGRESS || err == -EBUSY) {
302-
/* Remember output size that will be generated. */
303-
areq->outlen = outlen;
304-
305+
if (err == -EINPROGRESS || err == -EBUSY)
305306
return -EIOCBQUEUED;
306-
}
307307

308308
sock_put(sk);
309309
} else {
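
Review bot: The comment that moves up with `areq->outlen = outlen;` (new lines 295-296) still only says "Remember output size that will be generated." and gives no hint that its position ahead of `crypto_aead_encrypt()` / `crypto_aead_decrypt()` is the actual fix. Per the commit message, `af_alg_async_cb` can run and delete the request before the submit call returns, so I would spell that out in the comment, for example "areq must not be touched after the cipher call below, the callback may already have freed it". Without that, a later cleanup could fold the assignment back into the `-EINPROGRESS` / `-EBUSY` branch and reintroduce the race.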

crypto/algif_skcipher.c

Lines changed: 5 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -125,6 +125,10 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
125125
/* AIO operation */
126126
sock_hold(sk);
127127
areq->iocb = msg->msg_iocb;
128+
129+
/* Remember output size that will be generated. */
130+
areq->outlen = len;
131+
128132
skcipher_request_set_callback(&areq->cra_u.skcipher_req,
129133
CRYPTO_TFM_REQ_MAY_SLEEP,
130134
af_alg_async_cb, areq);
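
Review bot: `areq->outlen = len;` at new line 130 is now unconditional within the AIO branch, whereas the code removed in the next hunk set it only when the call returned `-EINPROGRESS` or `-EBUSY`. The field is therefore also written when the operation completes or fails synchronously and execution falls through to `sock_put(sk)`. Please confirm, in the commit message or a short comment, that nothing on that fall-through path relies on `outlen` being left unset for this request.
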
@@ -133,12 +137,8 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
133137
crypto_skcipher_decrypt(&areq->cra_u.skcipher_req);
134138

135139
/* AIO operation in progress */
136-
if (err == -EINPROGRESS || err == -EBUSY) {
137-
/* Remember output size that will be generated. */
138-
areq->outlen = len;
139-
140+
if (err == -EINPROGRESS || err == -EBUSY)
140141
return -EIOCBQUEUED;
141-
}
142142

143143
sock_put(sk);
144144
} else {
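
Review bot: Since `if (err == -EINPROGRESS || err == -EBUSY)` is being touched anyway, is `-EBUSY` really an "in progress" result on this path? The callback set up in the previous hunk passes only `CRYPTO_TFM_REQ_MAY_SLEEP`, while the aead path in `crypto/algif_aead.c` passes `CRYPTO_TFM_REQ_MAY_BACKLOG`, yet both files treat `-EBUSY` the same way and return `-EIOCBQUEUED`. If `-EBUSY` without the backlog flag does not guarantee that `af_alg_async_cb` will run later, the iocb is reported as queued with nothing left to complete it. This predates the patch, so a follow-up or a sentence in the commit message explaining why the two flag sets can share the check would be enough.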
