Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg

From: Eric Biggers
Date: Wed Apr 15 2020 - 22:30:06 EST

Next message: Ming Lei: "Re: [PATCH 3/5] blktrace: refcount the request_queue during ioctl"
Previous message: Herbert Xu: "Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg"
In reply to: Herbert Xu: "Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg"
Next in thread: Herbert Xu: "Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Apr 16, 2020 at 12:25:02PM +1000, Herbert Xu wrote:
> On Wed, Apr 15, 2020 at 07:17:03PM -0700, Eric Biggers wrote:
> >
> > Wouldn't it be a bit simpler to set 'target = NULL', remove 'shoot',
> > and use 'if (target)' instead of 'if (shoot)'?
>
> Yes it is simpler but it's actually semantically different because
> the compiler doesn't know that spawn->alg cannot be NULL in this
> case.
>

I'm not sure what you mean here. crypto_alg_get() is:

static inline struct crypto_alg *crypto_alg_get(struct crypto_alg *alg)
{
refcount_inc(&alg->cra_refcnt);
return alg;
}

So given:

target = crypto_alg_get(alg);

Both alg and target have to be non-NULL.

- Eric

Next message: Ming Lei: "Re: [PATCH 3/5] blktrace: refcount the request_queue during ioctl"
Previous message: Herbert Xu: "Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg"
In reply to: Herbert Xu: "Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg"
Next in thread: Herbert Xu: "Re: crypto: api - Fix use-after-free and race in crypto_spawn_alg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]