[syzbot] [arm?] [crypto?] KASAN: invalid-access Read in neon_aes_ctr_encrypt
10 views
Skip to first unread message
syzbot
Feb 16, 2024, 8:35:28 PMFeb 16
to catalin...@arm.com, da...@davemloft.net, her...@gondor.apana.org.au, linux-ar...@lists.infradead.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, wi...@kernel.org
Hello,
syzbot found the following issue on:
HEAD commit: c664e16bb1ba Merge tag 'docs-6.8-fixes2' of git://git.lwn...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e83cc8180000
kernel config: https://syzkaller.appspot.com/x/.config?x=b4dde08ba7d52a4b
dashboard link: https://syzkaller.appspot.com/bug?extid=f1ceaa1a09ab891e1934
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13fff792180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15cbe4dc180000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-c664e16b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/864da5a66121/vmlinux-c664e16b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/044de3e4ddc5/Image-c664e16b.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f1ceaa...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: invalid-access in neon_aes_ctr_encrypt+0x15c/0x1ec arch/arm64/crypto/aes-modes.S:599
Read at addr fcff000006797ff1 by task syz-executor675/3149
Pointer tag: [fc], memory tag: [fe]
CPU: 1 PID: 3149 Comm: syz-executor675 Not tainted 6.8.0-rc4-syzkaller-00005-gc664e16bb1ba #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:291
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:298
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x108/0x618 mm/kasan/report.c:488
kasan_report+0x88/0xac mm/kasan/report.c:601
report_tag_fault arch/arm64/mm/fault.c:334 [inline]
do_tag_recovery arch/arm64/mm/fault.c:346 [inline]
__do_kernel_fault+0x17c/0x1e8 arch/arm64/mm/fault.c:393
do_bad_area arch/arm64/mm/fault.c:493 [inline]
do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:772
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:848
el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:398
el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:458
el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:593
neon_aes_ctr_encrypt+0x15c/0x1ec arch/arm64/crypto/aes-modes.S:599
ctr_encrypt+0xfc/0x144 arch/arm64/crypto/aes-neonbs-glue.c:230
crypto_skcipher_decrypt+0x4c/0x60 crypto/skcipher.c:695
_skcipher_recvmsg crypto/algif_skcipher.c:199 [inline]
skcipher_recvmsg+0x39c/0x46c crypto/algif_skcipher.c:221
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg net/socket.c:1068 [inline]
sock_recvmsg net/socket.c:1064 [inline]
sock_read_iter+0xec/0x118 net/socket.c:1138
call_read_iter include/linux/fs.h:2079 [inline]
new_sync_read fs/read_write.c:395 [inline]
vfs_read+0x2cc/0x304 fs/read_write.c:476
ksys_read+0xe8/0x104 fs/read_write.c:619
__do_sys_read fs/read_write.c:629 [inline]
__se_sys_read fs/read_write.c:627 [inline]
__arm64_sys_read+0x1c/0x28 fs/read_write.c:627
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
el0_svc+0x34/0xd8 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
The buggy address belongs to the physical page:
page:0000000060acabc6 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x46797
flags: 0x1ffc28000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0xa)
page_type: 0xffffffff()
raw: 01ffc28000000000 fffffc0000168bc8 fffffc0000199e08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff000006797d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff000006797e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff000006797f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffff000006798000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff000006798100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: c664e16bb1ba Merge tag 'docs-6.8-fixes2' of git://git.lwn...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e83cc8180000
kernel config: https://syzkaller.appspot.com/x/.config?x=b4dde08ba7d52a4b
dashboard link: https://syzkaller.appspot.com/bug?extid=f1ceaa1a09ab891e1934
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13fff792180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15cbe4dc180000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-c664e16b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/864da5a66121/vmlinux-c664e16b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/044de3e4ddc5/Image-c664e16b.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f1ceaa...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: invalid-access in neon_aes_ctr_encrypt+0x15c/0x1ec arch/arm64/crypto/aes-modes.S:599
Read at addr fcff000006797ff1 by task syz-executor675/3149
Pointer tag: [fc], memory tag: [fe]
CPU: 1 PID: 3149 Comm: syz-executor675 Not tainted 6.8.0-rc4-syzkaller-00005-gc664e16bb1ba #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:291
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:298
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x108/0x618 mm/kasan/report.c:488
kasan_report+0x88/0xac mm/kasan/report.c:601
report_tag_fault arch/arm64/mm/fault.c:334 [inline]
do_tag_recovery arch/arm64/mm/fault.c:346 [inline]
__do_kernel_fault+0x17c/0x1e8 arch/arm64/mm/fault.c:393
do_bad_area arch/arm64/mm/fault.c:493 [inline]
do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:772
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:848
el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:398
el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:458
el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:593
neon_aes_ctr_encrypt+0x15c/0x1ec arch/arm64/crypto/aes-modes.S:599
ctr_encrypt+0xfc/0x144 arch/arm64/crypto/aes-neonbs-glue.c:230
crypto_skcipher_decrypt+0x4c/0x60 crypto/skcipher.c:695
_skcipher_recvmsg crypto/algif_skcipher.c:199 [inline]
skcipher_recvmsg+0x39c/0x46c crypto/algif_skcipher.c:221
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg net/socket.c:1068 [inline]
sock_recvmsg net/socket.c:1064 [inline]
sock_read_iter+0xec/0x118 net/socket.c:1138
call_read_iter include/linux/fs.h:2079 [inline]
new_sync_read fs/read_write.c:395 [inline]
vfs_read+0x2cc/0x304 fs/read_write.c:476
ksys_read+0xe8/0x104 fs/read_write.c:619
__do_sys_read fs/read_write.c:629 [inline]
__se_sys_read fs/read_write.c:627 [inline]
__arm64_sys_read+0x1c/0x28 fs/read_write.c:627
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
el0_svc+0x34/0xd8 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
The buggy address belongs to the physical page:
page:0000000060acabc6 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x46797
flags: 0x1ffc28000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0xa)
page_type: 0xffffffff()
raw: 01ffc28000000000 fffffc0000168bc8 fffffc0000199e08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff000006797d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff000006797e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff000006797f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffff000006798000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff000006798100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Ard Biesheuvel
Feb 17, 2024, 9:34:46 AMFeb 17
to syzbot, catalin...@arm.com, da...@davemloft.net, her...@gondor.apana.org.au, linux-ar...@lists.infradead.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, wi...@kernel.org
syzbot
Feb 17, 2024, 10:01:09 AMFeb 17
to ar...@kernel.org, catalin...@arm.com, da...@davemloft.net, her...@gondor.apana.org.au, linux-ar...@lists.infradead.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, wi...@kernel.org
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+f1ceaa...@syzkaller.appspotmail.com
Tested on:
commit: 67e0a702 crypto: arm64/neonbs - fix out-of-bounds acce..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git neon-aes-ctr-fix
console output: https://syzkaller.appspot.com/x/log.txt?x=122f4464180000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+f1ceaa...@syzkaller.appspotmail.com
Tested on:
commit: 67e0a702 crypto: arm64/neonbs - fix out-of-bounds acce..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git neon-aes-ctr-fix
console output: https://syzkaller.appspot.com/x/log.txt?x=122f4464180000
kernel config: https://syzkaller.appspot.com/x/.config?x=b4dde08ba7d52a4b
dashboard link: https://syzkaller.appspot.com/bug?extid=f1ceaa1a09ab891e1934
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Note: no patches were applied.
dashboard link: https://syzkaller.appspot.com/bug?extid=f1ceaa1a09ab891e1934
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages