Re: crypto: use-after-free in alg_bind

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Dec 30, 2015 at 11:58:58AM +0100, Dmitry Vyukov wrote:
>
> I forgot to diff include/crypto/if_alg.h, but the changes are there
> (otherwise all references to refcnt would not compile). Also I moved
> ask->refcnt checks to alg_setsockopt to fix the deadlock, I believe
> that's the missing chunks you refer to. I can retest if you wish, but
> I don't think that my changes can affect the reported use-after-free.
> Do you?

OK I see the problem now.  When accept fails we free the socket
twice.

---8<---
Subject: crypto: af_alg - Fix socket double-free when accept fails

When we fail an accept(2) call we will end up freeing the socket
twice, once due to the direct sk_free call and once again through
newsock.

This patch fixes this by removing the sk_free call.

Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 7b5b592..eaf98e2 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -285,10 +285,8 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
 	security_sk_clone(sk, sk2);
 
 	err = type->accept(ask->private, sk2);
-	if (err) {
-		sk_free(sk2);
+	if (err)
 		goto unlock;
-	}
 
 	sk2->sk_family = PF_ALG;
 
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux