git.baikalelectronics.ru Git - kernel.git/commit
rxrpc: Fix call crypto state cleanup
author David Howells <dhowells@redhat.com>
Mon, 7 Oct 2019 09:58:29 +0000 (10:58 +0100)
committer David Howells <dhowells@redhat.com>
Mon, 7 Oct 2019 10:05:05 +0000 (11:05 +0100)
commit cdb226f9d1a9206086d26b35f6c95d14941495b3
tree b2e93c89b0e500684338283cb37b22bfb4f34d95
parent c049f2875bcffd18bc91990a390b4db7a86e43c6
rxrpc: Fix call crypto state cleanup

Fix the cleanup of the crypto state on a call after the call has been
disconnected.  As the call has been disconnected, its connection ref has
been discarded and so we can't go through that to get to the security ops
table.

Fix this by caching the security ops pointer in the rxrpc_call struct and
using that when freeing the call security state.  Also use this in other
places we're dealing with call-specific security.

The symptoms look like:

    BUG: KASAN: use-after-free in rxrpc_release_call+0xb2d/0xb60
    net/rxrpc/call_object.c:481
    Read of size 8 at addr ffff888062ffeb50 by task syz-executor.5/4764

Fixes: 70a8ad8b698d ("rxrpc: Fix -Wframe-larger-than= warnings from on-stack crypto")
Reported-by: syzbot+eed305768ece6682bb7f@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
net/rxrpc/ar-internal.h
net/rxrpc/call_accept.c
net/rxrpc/call_object.c
net/rxrpc/conn_client.c
net/rxrpc/recvmsg.c
net/rxrpc/sendmsg.c
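
The lifetime pattern the commit message describes, as an added example that is not part of this commit or of the kernel source: a toy C model in which every `toy_*` name is constructed. It assumes the ops table is static, so the pointer cached on the call stays valid after the connection reference has been dropped.

```c
#include <stdlib.h>
/* Toy model: every toy_* name is constructed, none is the kernel's. */
struct toy_call;
struct toy_security_ops { void (*free_call_crypto)(struct toy_call *call); };
struct toy_conn { int refs; const struct toy_security_ops *security; };
struct toy_call {
    struct toy_conn *conn;                   /* valid only while connected */
    const struct toy_security_ops *security; /* cached when connecting */
    void *crypto_state;
};
static int crypto_frees; /* number of crypto-state cleanups performed */

static void toy_free_call_crypto(struct toy_call *call)
{
    free(call->crypto_state);
    call->crypto_state = NULL;
    crypto_frees++;
}
static const struct toy_security_ops toy_ops = { toy_free_call_crypto };
static void toy_connect(struct toy_call *call, struct toy_conn *conn)
{
    conn->refs++;
    call->conn = conn;
    call->security = conn->security; /* assumed static, outlives conn */
    call->crypto_state = malloc(32);
}
static void toy_disconnect(struct toy_call *call)
{
    struct toy_conn *conn = call->conn;
    call->conn = NULL;
    if (--conn->refs == 0)
        free(conn); /* the connection may be gone from here on */
}
/* Disconnect, then clean up via the cached ops; conn is not touched again. */
static int toy_release(struct toy_call *call)
{
    toy_disconnect(call);
    if (call->security)
        call->security->free_call_crypto(call);
    return call->conn == NULL && call->crypto_state == NULL;
}
int toy_demo(void)
{
    struct toy_conn *conn = calloc(1, sizeof(*conn));
    struct toy_call call = {0};
    int before = crypto_frees;
    if (!conn) return 0;
    conn->security = &toy_ops;
    toy_connect(&call, conn);
    return toy_release(&call) && crypto_frees == before + 1;
}
int main(void) { return toy_demo() ? 0 : 1; }
```

Had `toy_release` kept a saved `conn` pointer and read `conn->security` after `toy_disconnect`, it would be reading memory that may already have been freed, which is the class of report KASAN produced above.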