From: Eric Biggers <ebiggers3@gmail.com>
To: syzbot
<bot+3401d9494b9380f7244bcc7fec49680878fccba6@syzkaller.appspotmail.com>
Cc: davem@davemloft.net, herbert@gondor.apana.org.au,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
Stephan Mueller <smueller@chronox.de>
Subject: Re: general protection fault in blkcipher_walk_done
Date: Mon, 27 Nov 2017 23:53:07 -0800 [thread overview]
Message-ID: <20171128075307.GA23413@zzz.localdomain> (raw)
In-Reply-To: <20171128053738.GA2383@zzz.localdomain>
On Mon, Nov 27, 2017 at 09:37:38PM -0800, Eric Biggers wrote:
> On Mon, Nov 27, 2017 at 10:56:47AM -0800, syzbot wrote:
> > Hello,
> >
> > syzkaller hit the following crash on
> > 1ea8d039f9edcfefb20d8ddfe136930f6e551529
> > git://git.cmpxchg.org/linux-mmots.git/master
> > compiler: gcc (GCC) 7.1.1 20170620
> > .config is attached
> > Raw console output is attached.
> > C reproducer is attached
> > syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> > for information about syzkaller reproducers
>
> Still happens on latest Linus tree (v4.15-rc1) with crypto/master merged in. It
> seems that _aead_recvmsg() is being confused by the operation mode being changed
> from encryption to decryption while it has dropped the socket lock in
> af_alg_wait_for_data(). Here's a simplified reproducer:
>
Stephan, why does af_alg_get_rsgl() call af_alg_wait_for_data()? It's not
actually reading anything from the "TX SGL" yet; it's just preparing the "RX
SGL". It seems to be in completely the wrong place. And how exactly should the
AEAD interface know when to wait anyway, given that someone could ask to encrypt
0 bytes to get the authentication tag for that?
Eric
next prev parent reply other threads:[~2017-11-28 7:53 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-27 18:56 general protection fault in blkcipher_walk_done syzbot
2017-11-28 5:37 ` Eric Biggers
2017-11-28 7:53 ` Eric Biggers [this message]
2017-11-28 8:31 ` Stephan Mueller
2017-11-28 9:03 ` Stephan Mueller
2017-11-28 21:33 ` [PATCH v2] crypto: AF_ALG - race-free access of encryption flag Stephan Müller
2017-11-28 22:40 ` Eric Biggers
2017-11-28 23:02 ` Herbert Xu
2017-11-29 6:48 ` Stephan Mueller
2017-11-29 7:10 ` Herbert Xu
2017-11-29 7:17 ` Stephan Mueller
2017-11-29 10:17 ` [PATCH] crypto: AF_ALG - wait for data at beginning of recvmsg Stephan Müller
2017-11-29 10:22 ` Herbert Xu
2017-11-29 10:28 ` Stephan Mueller
2017-11-29 10:42 ` Herbert Xu
2017-11-29 11:02 ` [PATCH v2] " Stephan Müller
2017-12-11 11:45 ` Herbert Xu
2017-11-29 11:05 ` [PATCH v2] crypto: AF_ALG - race-free access of encryption flag Stephan Müller
2017-11-29 12:17 ` Herbert Xu
2017-12-11 19:10 ` general protection fault in blkcipher_walk_done Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171128075307.GA23413@zzz.localdomain \
--to=ebiggers3@gmail.com \
--cc=bot+3401d9494b9380f7244bcc7fec49680878fccba6@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=smueller@chronox.de \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).