From patchwork Thu Nov 17 14:07:58 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Herbert Xu <herbert@gondor.apana.org.au>
X-Patchwork-Id: 9434741
X-Patchwork-Delegate: herbert@gondor.apana.org.au
Return-Path: <linux-crypto-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	E88F760756 for <patchwork-linux-crypto@patchwork.kernel.org>;
	Thu, 17 Nov 2016 17:19:48 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D928429640
	for <patchwork-linux-crypto@patchwork.kernel.org>;
	Thu, 17 Nov 2016 17:19:48 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id CE46A29683; Thu, 17 Nov 2016 17:19:48 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 41CC629681
	for <patchwork-linux-crypto@patchwork.kernel.org>;
	Thu, 17 Nov 2016 17:19:48 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S934414AbcKQRTi (ORCPT
	<rfc822;patchwork-linux-crypto@patchwork.kernel.org>);
	Thu, 17 Nov 2016 12:19:38 -0500
Received: from helcar.hengli.com.au ([209.40.204.226]:58359 "EHLO
	helcar.apana.org.au" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
	with ESMTP id S941275AbcKQRTf (ORCPT
	<rfc822;linux-crypto@vger.kernel.org>);
	Thu, 17 Nov 2016 12:19:35 -0500
Received: from [192.168.128.4] (helo=gondobar)
	by fornost.hengli.com.au with esmtp (Exim 4.80 #3 (Debian))
	id 1c7NMD-0002tm-9P; Fri, 18 Nov 2016 01:08:05 +1100
Received: from herbert by gondobar with local (Exim 4.84_2)
	(envelope-from <herbert@gondor.apana.org.au>)
	id 1c7NM6-0000QI-99; Thu, 17 Nov 2016 22:07:58 +0800
Date: Thu, 17 Nov 2016 22:07:58 +0800
From: Herbert Xu <herbert@gondor.apana.org.au>
To: Mat Martineau <mathew.j.martineau@linux.intel.com>
Cc: linux-crypto@vger.kernel.org, Laura Abbott <labbott@redhat.com>,
	Russell King - ARM Linux <linux@armlinux.org.uk>
Subject: Re: BUG: algif_hash crash with extra recv() in 4.9-rc5
Message-ID: <20161117140757.GA1149@gondor.apana.org.au>
References: <alpine.OSX.2.20.1611161027010.67352@mjmartin-mac01.local>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <alpine.OSX.2.20.1611161027010.67352@mjmartin-mac01.local>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

On Wed, Nov 16, 2016 at 11:17:33AM -0800, Mat Martineau wrote:
> 
> Herbert -
> 
> Following commit 493b2ed3f7603a15ff738553384d5a4510ffeb95, there is a NULL
> dereference crash in algif_hash when recv() is called twice like this:
> 
> send(sk, data, len, MSG_MORE);
> recv(sk, hash1, len, 0);
> recv(sk, hash2, len, 0);
> 
> In 4.8 and earlier, the two recvs return identical data. In 4.9-rc5, the
> second recv triggers this:
> 
> [   53.041287] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> [   53.042048] IP: [<ffffffffa73fdfb3>] shash_ahash_digest+0x23/0x130

Ugh.  It looks like the shash wrapper is incorrectly dereferencing
the SG list even when the length is zero.  Rather than fixing it
I'm just going to make algif_hash do the safe thing of doing an
init followed by a final.

Thanks,

---8<---
Subject: crypto: algif_hash - Fix NULL hash crash with shash

Recently algif_hash has been changed to allow null hashes.  This
triggers a bug when used with an shash algorithm whereby it will
cause a crash during the digest operation.

This patch fixes it by avoiding the digest operation and instead
doing an init followed by a final which avoids the buggy code in
shash.

This patch also ensures that the result buffer is freed after an
error so that it is not returned as a genuine hash result on the
next recv call.

The shash/ahash wrapper code will be fixed later to handle this
case correctly.

Fixes: 493b2ed3f760 ("crypto: algif_hash - Handle NULL hashes correctly")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index 2d8466f..05e21b4 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -214,23 +214,26 @@ static int hash_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 
 	ahash_request_set_crypt(&ctx->req, NULL, ctx->result, 0);
 
-	if (ctx->more) {
+	if (!result) {
+		err = af_alg_wait_for_completion(
+				crypto_ahash_init(&ctx->req),
+				&ctx->completion);
+		if (err)
+			goto unlock;
+	}
+
+	if (!result || ctx->more) {
 		ctx->more = 0;
 		err = af_alg_wait_for_completion(crypto_ahash_final(&ctx->req),
 						 &ctx->completion);
 		if (err)
 			goto unlock;
-	} else if (!result) {
-		err = af_alg_wait_for_completion(
-				crypto_ahash_digest(&ctx->req),
-				&ctx->completion);
 	}
 
 	err = memcpy_to_msg(msg, ctx->result, len);
 
-	hash_free_result(sk, ctx);
-
 unlock:
+	hash_free_result(sk, ctx);
 	release_sock(sk);
 
 	return err ?: len;