* Re: [syzbot] [crypto?] KMSAN: uninit-value in af_alg_free_sg (2)
From: xingwei lee @ 2024-01-26 13:11 UTC (permalink / raw)
  To: syzbot+3266db0c26d1fbbe3abb
  Cc: davem, herbert, linux-crypto, linux-kernel, syzkaller-bugs

Hello.
This bug is the same bug that is mentioned in
https://lore.kernel.org/all/20231211135949.689204-1-syoshida@redhat.com/.
I also reproduced it with repro.c in
https://lore.kernel.org/all/CABOYnLxaHBEaSRaEU+kDsHF8a=9AokO1ZUEVtpeT9ddL8giw3A@mail.gmail.com/.
Also see https://gist.github.com/xrivendell7/b10745f297bd2d12a2e48155920996d2,
which includes a simple root cause analysis.

The incorrect logic of the unlock_free label can really cause security issues like
KASAN: double-free in af_alg_free_sg
KASAN: slab-use-after-free in af_alg_free_sg
KASAN: slab-use-after-free Read in hash_sock_destruct

and it needs a quick fix.

I hope it helps.

Best regards.
xingwei Lee


* [PATCH] crypto: algif_hash - Remove bogus SGL free on zero-length error path
From: Herbert Xu @ 2024-02-01  5:49 UTC (permalink / raw)
  To: xingwei lee
  Cc: syzbot+3266db0c26d1fbbe3abb, davem, linux-crypto, linux-kernel,
	syzkaller-bugs

On Fri, Jan 26, 2024 at 09:11:39PM +0800, xingwei lee wrote:
> This bug is the same bug that is mentioned in
> https://lore.kernel.org/all/20231211135949.689204-1-syoshida@redhat.com/.
> And I also reproduced it with repro.c in
> https://lore.kernel.org/all/CABOYnLxaHBEaSRaEU+kDsHF8a=9AokO1ZUEVtpeT9ddL8giw3A@mail.gmail.com/
> also see in https://gist.github.com/xrivendell7/b10745f297bd2d12a2e48155920996d2
> and also a simple root cause analysis.

Thanks for the reminder.  I was waiting for an updated patch but
I'll apply the following instead:

---8<---
When a zero-length message is hashed by algif_hash, and an error
is triggered, it tries to free an SG list that was never allocated
in the first place.  Fix this by not freeing the SG list on the
zero-length error path.

Reported-by: Shigeru Yoshida <syoshida@redhat.com>
Reported-by: xingwei lee <xrivendell7@gmail.com>
Fixes: b6d972f68983 ("crypto: af_alg/hash: Fix recvmsg() after sendmsg(MSG_MORE)")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index 82c44d4899b9..e24c829d7a01 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -91,13 +91,13 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
 		if (!(msg->msg_flags & MSG_MORE)) {
 			err = hash_alloc_result(sk, ctx);
 			if (err)
-				goto unlock_free;
+				goto unlock_free_result;
 			ahash_request_set_crypt(&ctx->req, NULL,
 						ctx->result, 0);
 			err = crypto_wait_req(crypto_ahash_final(&ctx->req),
 					      &ctx->wait);
 			if (err)
-				goto unlock_free;
+				goto unlock_free_result;
 		}
 		goto done_more;
 	}
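Review bot: the two redirected gotos (after hash_alloc_result and after crypto_ahash_final) carry no explanation of why af_alg_free_sg must be skipped here, and nothing in the surrounding lines makes it obvious; a one-line comment at the first one, e.g. `/* no SGL has been set up on this path */`, would stop a later change from quietly reverting to `goto unlock_free`. Two things the hunk does not show and that are worth confirming in the tree: that hash_free_result at the new target copes with hash_alloc_result having just failed (ctx->result not allocated), and that every remaining `goto unlock_free` in hash_sendmsg is reached only after ctx->sgl has actually been populated, since the same free of an uninitialised SGL would recur at any site that jumps there earlier.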
@@ -170,6 +170,7 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg,
 
 unlock_free:
 	af_alg_free_sg(&ctx->sgl);
+unlock_free_result:
 	hash_free_result(sk, ctx);
 	ctx->more = false;
 	goto unlock;
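Review bot: the new unlock_free_result label depends on fall-through from unlock_free, which is correct but easy to misread as two independent exits; a comment above it ("entered when ctx->sgl was never set up") would make the ordering deliberate. Independently of the label change, the KMSAN report's "Uninit was created at" trace points at sock_kmalloc in hash_accept_parent_nokey (crypto/algif_hash.c:418), i.e. the per-socket ctx, and with it ctx->sgl, is allocated without zeroing; initialising the SGL state at allocation so that af_alg_free_sg on an empty list is a no-op would make this whole class of early error path harmless as defence in depth, at no cost on the data path.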
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

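As an added example, not part of the patch or of this thread: the user-space sequence that drives the algif_hash path the patch touches, a data send with MSG_MORE followed by a zero-length sendmsg without MSG_MORE to finalise, then a read of the digest. That the zero-length finalise follows a MSG_MORE send is inferred from the Fixes commit title ("Fix recvmsg() after sendmsg(MSG_MORE)") and the hunk's MSG_MORE check, not stated on this page. The function names `algif_hash_split` and `alg_send` are chosen here; the code assumes Linux with AF_ALG and a "sha256" implementation available. It does not force the error branch (hash_alloc_result or crypto_ahash_final failing), so it exercises the call sequence rather than reproducing the crash; the expected digests are the FIPS 180-4 test vectors for "abc" and for the empty message.

```c
/* Added example, not from the thread: drives the algif_hash zero-length
 * finalisation path from user space. Assumes Linux with AF_ALG and a
 * "sha256" hash; algif_hash_split() and alg_send() are names chosen here. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/if_alg.h>

/* FIPS 180-4 SHA-256 test vectors for "abc" and for the empty message. */
static const unsigned char SHA256_ABC[32] = {
    0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde,
    0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,
    0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad };
static const unsigned char SHA256_EMPTY[32] = {
    0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8,
    0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
    0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 };

/* One sendmsg() on the op socket. len == 0 sends an empty message with no
 * iovec, which is the "zero-length message" the patch talks about. */
static int alg_send(int fd, const void *buf, size_t len, int flags)
{
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg;
    ssize_t n;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = len ? 1 : 0;
    n = sendmsg(fd, &msg, flags);
    if (n < 0)
        return -1;
    if ((size_t)n != len) {
        errno = EIO;
        return -1;
    }
    return 0;
}

/* Hash `data` in two steps: the data with MSG_MORE (skipped when len == 0),
 * then a zero-length message without MSG_MORE to finalise, then read the
 * digest. Returns 0 with the digest in `out`, or -1 with errno set. */
int algif_hash_split(const char *alg, const void *data, size_t len,
                     unsigned char *out, size_t outlen)
{
    struct sockaddr_alg sa;
    int tfm, op = -1, rc = -1, saved;
    ssize_t n;

    memset(&sa, 0, sizeof sa);
    sa.salg_family = AF_ALG;
    strcpy((char *)sa.salg_type, "hash");
    snprintf((char *)sa.salg_name, sizeof sa.salg_name, "%s", alg);

    tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (tfm < 0)
        return -1;
    if (bind(tfm, (struct sockaddr *)&sa, sizeof sa) < 0)
        goto out;
    op = accept(tfm, NULL, NULL);   /* hash_accept_parent: per-socket ctx allocated here */
    if (op < 0)
        goto out;

    if (len && alg_send(op, data, len, MSG_MORE) < 0)   /* first part, hash left open */
        goto out;
    if (alg_send(op, NULL, 0, 0) < 0)   /* zero-length, no MSG_MORE: finalise */
        goto out;
    n = read(op, out, outlen);          /* recvmsg path: copies the digest out */
    if (n < 0)
        goto out;
    if ((size_t)n != outlen) {
        errno = EIO;
        goto out;
    }
    rc = 0;
out:
    saved = errno;
    if (op >= 0)
        close(op);
    close(tfm);
    errno = saved;
    return rc;
}

int main(void)
{
    unsigned char d[32];
    int i;

    if (algif_hash_split("sha256", "abc", 3, d, sizeof d) < 0) {
        perror("algif_hash_split");
        return 1;
    }
    for (i = 0; i < 32; i++)
        printf("%02x", d[i]);
    printf("\n");
    return memcmp(d, SHA256_ABC, 32) != 0;
}
```

Build with `cc -Wall -o algif_split algif_split.c` and run as an unprivileged user; a sandbox without AF_ALG (or without sha256 registered) reports the failure through perror rather than hanging, and the exit status is nonzero whenever the digest read back does not match the test vector.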

* Re: [PATCH] crypto: algif_hash - Remove bogus SGL free on zero-length error path
From: Herbert Xu @ 2024-02-01  5:53 UTC (permalink / raw)
  To: xingwei lee
  Cc: syzbot+3266db0c26d1fbbe3abb, davem, linux-crypto, linux-kernel,
	syzkaller-bugs

Looks like this was picked up by syzbot too:

Reported-by: syzbot+3266db0c26d1fbbe3abb@syzkaller.appspotmail.com

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* [syzbot] [crypto?] KMSAN: uninit-value in af_alg_free_sg (2)
From: syzbot @ 2024-01-14 10:15 UTC (permalink / raw)
  To: davem, herbert, linux-crypto, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    0dd3ee311255 Linux 6.7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=169326ade80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=373206b1ae2fe3d4
dashboard link: https://syzkaller.appspot.com/bug?extid=3266db0c26d1fbbe3abb
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/983c6822f4f0/disk-0dd3ee31.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f7ac98ec5a78/vmlinux-0dd3ee31.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f568a85da78f/bzImage-0dd3ee31.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3266db0c26d1fbbe3abb@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in af_alg_free_sg+0x1a7/0x270 crypto/af_alg.c:547
 af_alg_free_sg+0x1a7/0x270 crypto/af_alg.c:547
 hash_sendmsg+0x1938/0x1c30 crypto/algif_hash.c:172
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2586
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2640
 __sys_sendmmsg+0x3c4/0x950 net/socket.c:2726
 __do_sys_sendmmsg net/socket.c:2755 [inline]
 __se_sys_sendmmsg net/socket.c:2752 [inline]
 __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2752
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0x121/0x3c0 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 sock_kmalloc+0x128/0x1c0 net/core/sock.c:2688
 hash_accept_parent_nokey crypto/algif_hash.c:418 [inline]
 hash_accept_parent+0xbf/0x430 crypto/algif_hash.c:445
 af_alg_accept+0x1fc/0x810 crypto/af_alg.c:439
 hash_accept+0x340/0x790 crypto/algif_hash.c:254
 do_accept+0x606/0xa80 net/socket.c:1929
 __sys_accept4_file net/socket.c:1969 [inline]
 __sys_accept4+0x18e/0x360 net/socket.c:1999
 __do_sys_accept4 net/socket.c:2010 [inline]
 __se_sys_accept4 net/socket.c:2007 [inline]
 __x64_sys_accept4+0xb8/0x120 net/socket.c:2007
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 1 PID: 6735 Comm: syz-executor.4 Not tainted 6.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

