[5.4,013/111] evm: Fix a small race in init_desc()

Message ID	20200526183933.818958199@linuxfoundation.org
State	New
Headers	show Return-Path: <SRS0=+fRt=7I=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Roberto Sassu <roberto.sassu@huawei.com>, Dan Carpenter <dan.carpenter@oracle.com>, Krzysztof Struczynski <krzysztof.struczynski@huawei.com>, Mimi Zohar <zohar@linux.ibm.com>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 5.4 013/111] evm: Fix a small race in init_desc() Date: Tue, 26 May 2020 20:52:31 +0200 Message-Id: <20200526183933.818958199@linuxfoundation.org> In-Reply-To: <20200526183932.245016380@linuxfoundation.org> References: <20200526183932.245016380@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [5.4,002/111] KVM: SVM: Fix potential memory leak in svm_cpu_init() [5.4,003/111] ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() [5.4,004/111] evm: Check also if *tfm is an error pointer in init_desc() [5.4,007/111] ACPI: EC: PM: Avoid flushing EC work when EC GPE is inactive [5.4,008/111] mtd: spinand: Propagate ECC information to the MTD structure [5.4,010/111] ubifs: remove broken lazytime support [5.4,011/111] i2c: fix missing pm_runtime_put_sync in i2c_device_probe [5.4,013/111] evm: Fix a small race in init_desc() [5.4,016/111] afs: Dont unlock fetched data pages until the op completes successfully [5.4,018/111] kbuild: avoid concurrency issue in parallel building dtbs and dtbs_check [5.4,020/111] gcc-common.h: Update for GCC 10 [5.4,022/111] HID: alps: Add AUI1657 device ID [5.4,024/111] scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV [5.4,025/111] scsi: qla2xxx: Delete all sessions before unregister local nvme port [5.4,028/111] aquantia: Fix the media type of AQC100 ethernet controller in the driver [5.4,032/111] HID: i2c-hid: reset Synaptics SYNA2393 on resume [5.4,033/111] x86/mm/cpa: Flush direct map alias during cpa [5.4,035/111] ftrace/selftest: make unresolved cases cause failure if --fail-unresolved set [5.4,038/111] HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock [5.4,041/111] USB: core: Fix misleading driver bug report [5.4,043/111] iommu/amd: Call domain_flush_complete() in update_domain() [5.4,044/111] drm/amd/display: Prevent dpcd reads with passive dongles [5.4,047/111] scripts/gdb: repair rb_first() and rb_last() [5.4,049/111] ALSA: hda: patch_realtek: fix empty macro usage in if block [5.4,050/111] ALSA: hda: Manage concurrent reg access more properly [5.4,052/111] ALSA: hda/realtek - Add HP new mute led supported for ALC236 [5.4,053/111] ALSA: hda/realtek: Add quirk for Samsung Notebook [5.4,055/111] ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 [5.4,057/111] KVM: x86: Fix pkru save/restore when guest CR4.PKE=0, move it to x86.c [5.4,059/111] ALSA: pcm: fix incorrect hw_base increase [5.4,061/111] ALSA: hda/realtek - Add more fixup entries for Clevo machines [5.4,062/111] scsi: qla2xxx: Do not log message when reading port speed via sysfs [5.4,064/111] arm64: Fix PTRACE_SYSEMU semantics [5.4,065/111] drm/etnaviv: fix perfmon domain interation [5.4,068/111] apparmor: Fix aa_label refcnt leak in policy_update [5.4,070/111] drm/etnaviv: Fix a leak in submit_pin_objects() [5.4,073/111] vsprintf: dont obfuscate NULL and error pointers [5.4,075/111] drm/i915: Propagate error from completed fences [5.4,078/111] bpf: Avoid setting bpf insns pages read-only when prog is jited [5.4,081/111] media: fdp1: Fix R-Car M3-N naming in debug message [5.4,083/111] staging: kpc2000: fix error return code in kp2000_pcie_probe() [5.4,084/111] staging: greybus: Fix uninitialized scalar variable [5.4,086/111] iio: dac: vf610: Fix an error handling path in vf610_dac_probe() [5.4,087/111] iio: adc: ti-ads8344: Fix channel selection [5.4,092/111] s390/pci: Fix s390_mmio_read/write with MIO [5.4,094/111] device-dax: dont leak kernel memory to user space after unloading kmem [5.4,096/111] kasan: disable branch tracing for core runtime [5.4,098/111] rxrpc: Fix a memory leak in rxkad_verify_response() [5.4,099/111] s390/kexec_file: fix initrd location for kdump kernel [5.4,100/111] flow_dissector: Drop BPF flow dissector prog ref on netns cleanup [5.4,103/111] iio: adc: stm32-adc: fix device used to request dma [5.4,104/111] iio: adc: stm32-dfsdm: Use dma_request_chan() instead dma_request_slave_channel() [5.4,105/111] iio: adc: stm32-dfsdm: fix device used to request dma [5.4,109/111] sched/fair: Reorder enqueue/dequeue_task_fair path [5.4,111/111] sched/fair: Fix enqueue_task_fair() warning some more

Message ID

20200526183933.818958199@linuxfoundation.org

State

New

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Roberto Sassu <roberto.sassu@huawei.com>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Krzysztof Struczynski <krzysztof.struczynski@huawei.com>,
	Mimi Zohar <zohar@linux.ibm.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 013/111] evm: Fix a small race in init_desc()
Date: Tue, 26 May 2020 20:52:31 +0200
Message-Id: <20200526183933.818958199@linuxfoundation.org>
In-Reply-To: <20200526183932.245016380@linuxfoundation.org>
References: <20200526183932.245016380@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman May 26, 2020, 6:52 p.m. UTC

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 8433856947217ebb5697a8ff9c4c9cad4639a2cf ]

The IS_ERR_OR_NULL() function has two conditions and if we got really
unlucky we could hit a race where "ptr" started as an error pointer and
then was set to NULL.  Both conditions would be false even though the
pointer at the end was NULL.

This patch fixes the problem by ensuring that "*tfm" can only be NULL
or valid.  I have introduced a "tmp_tfm" variable to make that work.  I
also reversed a condition and pulled the code in one tab.

Reported-by: Roberto Sassu <roberto.sassu@huawei.com>
Fixes: 53de3b080d5e ("evm: Check also if *tfm is an error pointer in init_desc()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 security/integrity/evm/evm_crypto.c | 44 ++++++++++++++---------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 302adeb2d37b..cc826c2767a3 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -75,7 +75,7 @@  static struct shash_desc *init_desc(char type, uint8_t hash_algo)
 {
 	long rc;
 	const char *algo;
-	struct crypto_shash **tfm;
+	struct crypto_shash **tfm, *tmp_tfm;
 	struct shash_desc *desc;
 
 	if (type == EVM_XATTR_HMAC) {
@@ -93,31 +93,31 @@  static struct shash_desc *init_desc(char type, uint8_t hash_algo)
 		algo = hash_algo_name[hash_algo];
 	}
 
-	if (IS_ERR_OR_NULL(*tfm)) {
-		mutex_lock(&mutex);
-		if (*tfm)
-			goto out;
-		*tfm = crypto_alloc_shash(algo, 0, CRYPTO_NOLOAD);
-		if (IS_ERR(*tfm)) {
-			rc = PTR_ERR(*tfm);
-			pr_err("Can not allocate %s (reason: %ld)\n", algo, rc);
-			*tfm = NULL;
+	if (*tfm)
+		goto alloc;
+	mutex_lock(&mutex);
+	if (*tfm)
+		goto unlock;
+
+	tmp_tfm = crypto_alloc_shash(algo, 0, CRYPTO_NOLOAD);
+	if (IS_ERR(tmp_tfm)) {
+		pr_err("Can not allocate %s (reason: %ld)\n", algo,
+		       PTR_ERR(tmp_tfm));
+		mutex_unlock(&mutex);
+		return ERR_CAST(tmp_tfm);
+	}
+	if (type == EVM_XATTR_HMAC) {
+		rc = crypto_shash_setkey(tmp_tfm, evmkey, evmkey_len);
+		if (rc) {
+			crypto_free_shash(tmp_tfm);
 			mutex_unlock(&mutex);
 			return ERR_PTR(rc);
 		}
-		if (type == EVM_XATTR_HMAC) {
-			rc = crypto_shash_setkey(*tfm, evmkey, evmkey_len);
-			if (rc) {
-				crypto_free_shash(*tfm);
-				*tfm = NULL;
-				mutex_unlock(&mutex);
-				return ERR_PTR(rc);
-			}
-		}
-out:
-		mutex_unlock(&mutex);
 	}
-
+	*tfm = tmp_tfm;
+unlock:
+	mutex_unlock(&mutex);
+alloc:
 	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm),
 			GFP_KERNEL);
 	if (!desc)

[5.4,013/111] evm: Fix a small race in init_desc()

Commit Message

Patch