crypto: af_alg - Disallow bind/setkey/... after accept(2)

Each af_alg parent socket obtained by socket(2) corresponds to a tfm object once bind(2) has succeeded. An accept(2) call on that parent socket creates a context which then uses the tfm object. Therefore as long as any child sockets created by accept(2) exist the parent socket must not be modified or freed. This patch guarantees this by using locks and a reference count on the parent socket. Any attempt to modify the parent socket will fail with EBUSY. Cc: stable@vger.kernel.org Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Herbert Xu <herbert@gondor.apana.org.au> 2015-12-29 22:47:53 -0500
committer: Herbert Xu <herbert@gondor.apana.org.au> 2016-01-18 05:16:09 -0500
commit: c840ac6af3f8713a71b4d2363419145760bd6044 (patch)
tree: c2b3d5d10f5c7eccaec249337e6c3b8821567662 /crypto/af_alg.c
parent: dd504589577d8e8e70f51f997ad487a4cb6c026f (diff)
1 files changed, 32 insertions, 3 deletions
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index a8e7aa3e257b..7b5b5926c767 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -125,6 +125,23 @@ int af_alg_release(struct socket *sock)
 }
 EXPORT_SYMBOL_GPL(af_alg_release);
+void af_alg_release_parent(struct sock *sk)
+{
+        struct alg_sock *ask = alg_sk(sk);
+        bool last;
+        sk = ask->parent;
+        ask = alg_sk(sk);
+        lock_sock(sk);
+        last = !--ask->refcnt;
+        release_sock(sk);
+        if (last)
+                sock_put(sk);
+}
+EXPORT_SYMBOL_GPL(af_alg_release_parent);
 static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 {
        const u32 forbidden = CRYPTO_ALG_INTERNAL;
@@ -133,6 +150,7 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        struct sockaddr_alg *sa = (void *)uaddr;
        const struct af_alg_type *type;
        void *private;
+        int err;
        if (sock->state == SS_CONNECTED)
                return -EINVAL;
@@ -160,16 +178,22 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                return PTR_ERR(private);
        }
+        err = -EBUSY;
        lock_sock(sk);
+        if (ask->refcnt)
+                goto unlock;
        swap(ask->type, type);
        swap(ask->private, private);
+        err = 0;
+unlock:
        release_sock(sk);
        alg_do_release(type, private);
-        return 0;
+        return err;
 }
 static int alg_setkey(struct sock *sk, char __user *ukey,
@@ -202,11 +226,15 @@ static int alg_setsockopt(struct socket *sock, int level, int optname,
        struct sock *sk = sock->sk;
        struct alg_sock *ask = alg_sk(sk);
        const struct af_alg_type *type;
-        int err = -ENOPROTOOPT;
+        int err = -EBUSY;
        lock_sock(sk);
+        if (ask->refcnt)
+                goto unlock;
        type = ask->type;
+        err = -ENOPROTOOPT;
        if (level != SOL_ALG || !type)
                goto unlock;
@@ -264,7 +292,8 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
        sk2->sk_family = PF_ALG;
-        sock_hold(sk);
+        if (!ask->refcnt++)
+                sock_hold(sk);
        alg_sk(sk2)->parent = sk;
        alg_sk(sk2)->type = type;
author	Herbert Xu <herbert@gondor.apana.org.au>	2015-12-29 22:47:53 -0500
committer	Herbert Xu <herbert@gondor.apana.org.au>	2016-01-18 05:16:09 -0500
commit	c840ac6af3f8713a71b4d2363419145760bd6044 (patch)
tree	c2b3d5d10f5c7eccaec249337e6c3b8821567662 /crypto/af_alg.c
parent	dd504589577d8e8e70f51f997ad487a4cb6c026f (diff)