Skip to content
Commit b32a7dc8 authored by Eric Biggers's avatar Eric Biggers Committed by Herbert Xu
Browse files

crypto: algif_aead - fix reference counting of null skcipher 



In the AEAD interface for AF_ALG, the reference to the "null skcipher"
held by each tfm was being dropped in the wrong place -- when each
af_alg_ctx was freed instead of when the aead_tfm was freed.  As
discovered by syzkaller, a specially crafted program could use this to
cause the null skcipher to be freed while it is still in use.

Fix it by dropping the reference in the right place.

Fixes: 72548b09 ("crypto: algif_aead - copy AAD from src to dst")
Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # v4.14+
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Reviewed-by: default avatarStephan Mueller <smueller@chronox.de>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent d2890c37
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment