diff options
| author | Herbert Xu <herbert@gondor.apana.org.au> | 2020-04-10 16:09:42 +1000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-06-07 13:16:49 +0200 |
| commit | 1b6cffbf78e56d165d5b0c46c364ba77e416978b (patch) | |
| tree | 060a03374f9f1cf7319d0a98d5a481b277c70d00 /crypto/authencesn.c | |
| parent | 9a9a8a25f2071f8abe7f94842dd754f27a74953d (diff) | |
crypto: api - Fix use-after-free and race in crypto_spawn_alg
commit 6603523bf5e432c7c8490fb500793bb15d4e5f61 upstream.
There are two problems in crypto_spawn_alg. First of all it may
return spawn->alg even if spawn->dead is set. This results in a
double-free as detected by syzbot.
Secondly the setting of the DYING flag is racy because we hold
the read-lock instead of the write-lock. We should instead call
crypto_shoot_alg in a safe manner by gaining a refcount, dropping
the lock, and then releasing the refcount.
This patch fixes both problems.
Reported-by: syzbot+fc0674cde00b66844470@syzkaller.appspotmail.com
Fixes: 4f87ee118d16 ("crypto: api - Do not zap spawn->alg")
Fixes: 73669cc55646 ("crypto: api - Fix race condition in...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'crypto/authencesn.c')
0 files changed, 0 insertions, 0 deletions