BUG: unable to handle kernel NULL pointer dereference in sha512_mb_mgr_get_comp_job_avx2


syzbot

Dec 3, 2017, 9:23:03 AM
to dan.ca...@oracle.com, da...@davemloft.net, her...@gondor.apana.org.au, h...@zytor.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, mi...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, tim.c...@linux.intel.com, x...@kernel.org
Hello,

syzkaller hit the following crash on
c5f66a85899705835f61d687a38f62d5a1ec4eb9
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

Unfortunately, I don't have any reproducer for this bug yet.


BUG: unable to handle kernel NULL pointer dereference at 000000000108d5fe
IP: sha512_mb_mgr_get_comp_job_avx2+0x6e/0xee
arch/x86/crypto/sha512-mb/sha512_mb_mgr_flush_avx2.S:251
PGD 1cd279067 P4D 1cd279067 PUD 1d2c4f067 PMD 0
Oops: 0002 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 1399 Comm: kworker/0:2 Not tainted 4.15.0-rc1+ #135
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: crypto mcryptd_queue_worker
task: 00000000087b2afb task.stack: 000000002f1b3e4d
RIP: 0010:sha512_mb_mgr_get_comp_job_avx2+0x6e/0xee
arch/x86/crypto/sha512-mb/sha512_mb_mgr_flush_avx2.S:251
RSP: 0018:ffff8801d2ad71b8 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff8801d58d0dd0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8801d58d0c80
RBP: ffff8801d2ad71e0 R08: 0000000100000000 R09: 0000000000000001
R10: 0000000000000002 R11: 0000000000000003 R12: ffff8801d58d0c80
R13: 0000000000000286 R14: ffff8801c944e860 R15: ffffe8ffffc0fa30
FS: 0000000000000000(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000060 CR3: 00000001d3c98000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
sha_complete_job+0x276/0x830 arch/x86/crypto/sha512-mb/sha512_mb.c:510
sha512_mb_update+0x2f6/0x530 arch/x86/crypto/sha512-mb/sha512_mb.c:610
crypto_ahash_update include/crypto/hash.h:522 [inline]
ahash_mcryptd_update crypto/mcryptd.c:628 [inline]
mcryptd_hash_update+0xcd/0x1c0 crypto/mcryptd.c:374
mcryptd_queue_worker+0xfe/0x660 crypto/mcryptd.c:182
process_one_work+0xbfd/0x1be0 kernel/workqueue.c:2112
worker_thread+0x223/0x1990 kernel/workqueue.c:2246
kthread+0x37a/0x440 kernel/kthread.c:238
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:441
Code: 49 0f 42 d3 48 f7 c2 f0 ff ff ff 0f 85 9a 00 00 00 48 83 e2 0f 48 6b
da 08 48 8d 9c 1f 48 01 00 00 48 8b 03 48 c7 03 00 00 00 00 <c7> 40 60 02
00 00 00 48 8b 9f 40 01 00 00 48 c1 e3 08 48 09 d3
RIP: sha512_mb_mgr_get_comp_job_avx2+0x6e/0xee
arch/x86/crypto/sha512-mb/sha512_mb_mgr_flush_avx2.S:251 RSP:
ffff8801d2ad71b8
CR2: 0000000000000060
---[ end trace 879bb33f9fc9cf36 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
config.txt
raw.log

syzbot

Dec 3, 2017, 3:31:02 PM
to dan.ca...@oracle.com, da...@davemloft.net, her...@gondor.apana.org.au, h...@zytor.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, mi...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, tim.c...@linux.intel.com, x...@kernel.org
syzkaller has found a reproducer for the following crash on
4131d5166185d0d75b5f1d4bf362a9e0bac05598
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


BUG: unable to handle kernel NULL pointer dereference at 00000000c58b0b19
IP: sha512_mb_mgr_get_comp_job_avx2+0x6e/0xee
arch/x86/crypto/sha512-mb/sha512_mb_mgr_flush_avx2.S:251
PGD 1cb562067 P4D 1cb562067 PUD 1cb563067 PMD 0
Oops: 0002 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 4.15.0-rc1-mm1+ #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: crypto mcryptd_queue_worker
task: 0000000018ff7174 task.stack: 000000004c6e7fb4
RIP: 0010:sha512_mb_mgr_get_comp_job_avx2+0x6e/0xee
arch/x86/crypto/sha512-mb/sha512_mb_mgr_flush_avx2.S:251
RSP: 0018:ffff8801d9d171b8 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff8801d5aa38d0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8801d5aa3780
RBP: ffff8801d9d171e0 R08: 0000000100000000 R09: 0000000000000001
R10: 0000000000000002 R11: 0000000000000003 R12: ffff8801d5aa3780
R13: 0000000000000282 R14: ffff8801cc115760 R15: ffffe8ffffd10630
FS: 0000000000000000(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000060 CR3: 00000001cb55f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
sha_complete_job+0x276/0x830 arch/x86/crypto/sha512-mb/sha512_mb.c:510
sha512_mb_update+0x2f6/0x530 arch/x86/crypto/sha512-mb/sha512_mb.c:610
crypto_ahash_update include/crypto/hash.h:522 [inline]
ahash_mcryptd_update crypto/mcryptd.c:628 [inline]
mcryptd_hash_update+0xcd/0x1c0 crypto/mcryptd.c:374
mcryptd_queue_worker+0xfe/0x660 crypto/mcryptd.c:182
process_one_work+0xbfd/0x1bc0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x37a/0x440 kernel/kthread.c:238
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:517
Code: 49 0f 42 d3 48 f7 c2 f0 ff ff ff 0f 85 9a 00 00 00 48 83 e2 0f 48 6b
da 08 48 8d 9c 1f 48 01 00 00 48 8b 03 48 c7 03 00 00 00 00 <c7> 40 60 02
00 00 00 48 8b 9f 40 01 00 00 48 c1 e3 08 48 09 d3
RIP: sha512_mb_mgr_get_comp_job_avx2+0x6e/0xee
arch/x86/crypto/sha512-mb/sha512_mb_mgr_flush_avx2.S:251 RSP:
ffff8801d9d171b8
CR2: 0000000000000060
---[ end trace 2003a6fbb2bb168e ]---
config.txt
raw.log
repro.txt

Eric Biggers

Jan 24, 2018, 3:36:02 AM
to linux-...@vger.kernel.org, Herbert Xu, David S . Miller, Megha Dey, Fenghua Yu, Tim Chen, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Eric Biggers, sta...@vger.kernel.org
From: Eric Biggers <ebig...@google.com>

The SHA-512 multibuffer code keeps track of the number of blocks pending
in each lane. The minimum of these values is used to identify the next
lane that will be completed. Unused lanes are set to a large number
(0xFFFFFFFF) so that they don't affect this calculation.

However, it was forgotten to set the lengths to this value in the
initial state, where all lanes are unused. As a result it was possible
for sha512_mb_mgr_get_comp_job_avx2() to select an unused lane, causing
a NULL pointer dereference. Specifically this could happen in the case
where ->update() was passed fewer than SHA512_BLOCK_SIZE bytes of data,
so it then called sha_complete_job() without having actually submitted
any blocks to the multi-buffer code. This hit a NULL pointer
dereference if another task happened to have submitted blocks
concurrently to the same CPU and the flush timer had not yet expired.

Fix this by initializing sha512_mb_mgr->lens correctly.

As usual, this bug was found by syzkaller.

Fixes: 45691e2d9b18 ("crypto: sha512-mb - submit/flush routines for AVX2")
Reported-by: syzbot <syzk...@googlegroups.com>
Cc: <sta...@vger.kernel.org> # v4.8+
Signed-off-by: Eric Biggers <ebig...@google.com>
---
arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c b/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c
index 36870b26067a..d08805032f01 100644
--- a/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c
+++ b/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c
@@ -57,10 +57,12 @@ void sha512_mb_mgr_init_avx2(struct sha512_mb_mgr *state)
{
unsigned int j;

- state->lens[0] = 0;
- state->lens[1] = 1;
- state->lens[2] = 2;
- state->lens[3] = 3;
+ /* initially all lanes are unused */
+ state->lens[0] = 0xFFFFFFFF00000000;
+ state->lens[1] = 0xFFFFFFFF00000001;
+ state->lens[2] = 0xFFFFFFFF00000002;
+ state->lens[3] = 0xFFFFFFFF00000003;
+
state->unused_lanes = 0xFF03020100;
for (j = 0; j < 4; j++)
state->ldata[j].job_in_lane = NULL;
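Review bot: the new literals are 64-bit, but the hunk does not show the declaration of state->lens[], so it is worth confirming it is a u64 array before this goes in: the old values 0..3 fit a 32-bit field just as well, whereas 0xFFFFFFFF00000000 would silently truncate to 0 there and leave exactly the zero-length initial state this patch is removing. The added comment `/* initially all lanes are unused */` would also carry more weight if it spelled out the packing the values rely on, i.e. upper 32 bits hold the pending block count (0xFFFFFFFF marking an unused lane, as the commit message says) and lower 32 bits hold the lane index, mirroring the one-byte-per-lane list in `state->unused_lanes = 0xFF03020100;` on the next line. Something like `/* lens[i] = (pending_blocks << 32) | i; all lanes start unused */` would let the next reader see why the low halves are 0..3 rather than a typo.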
--
2.16.0
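The commit message describes the selection rule that went wrong: each lane's packed length is compared as one unsigned 64-bit value, the smallest wins, and a winner whose pending count is zero is treated as a completed job. The following is an added, simplified C model of that rule written for this thread; it is not the kernel's code, and the struct and function names (`mb_mgr`, `mgr_submit`, `mgr_get_comp_job`, `replay`) are this example's own. It replays the reported situation: one job submitted with a single block still pending, then a completion request before any hashing has run. With the pre-fix initial state lens[1..3] are 1, 2, 3 (pending length 0, lane index 1..3), so lane 1 wins the minimum and its job pointer is NULL; with the fixed state those lanes carry the 0xFFFFFFFF sentinel and nothing is selected. The register dump above reads consistently with this: R08 = 0x0000000100000000 (one block pending in lane 0), R09/R10/R11 = 1/2/3, RDX = 1 (the chosen lane), RAX = 0, and the faulting instruction bytes `c7 40 60 02 00 00 00` decode to `movl $0x2, 0x60(%rax)`, the status write into the missing job.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the lane manager described in the commit message (added
 * example, not the kernel's code).  lens[i] packs (pending_blocks << 32) | lane,
 * so one unsigned 64-bit compare orders lanes by pending length, then by index. */
#define NUM_LANES     4
#define UNUSED_LEN    0xFFFFFFFFu  /* pending-length sentinel for a free lane */
#define STS_COMPLETED 2            /* status written into the job on completion */

enum { COMP_NONE = -1, COMP_UNUSED_LANE = -2 };

struct mb_job { uint32_t status; };

struct mb_mgr {
    uint64_t       lens[NUM_LANES];
    uint64_t       unused_lanes;   /* free lane indices, one per byte, 0xFF terminated */
    struct mb_job *job_in_lane[NUM_LANES];
};

static uint64_t pack_len(uint32_t pending, unsigned lane)
{
    return ((uint64_t)pending << 32) | lane;
}

static void mgr_init_common(struct mb_mgr *s)
{
    s->unused_lanes = 0xFF03020100;
    for (unsigned j = 0; j < NUM_LANES; j++)
        s->job_in_lane[j] = NULL;
}

/* Pre-fix initial state: lens[] holds only the lane index, i.e. 0 blocks pending. */
static void mgr_init_buggy(struct mb_mgr *s)
{
    for (unsigned j = 0; j < NUM_LANES; j++)
        s->lens[j] = j;
    mgr_init_common(s);
}

/* Fixed initial state: every lane carries the unused sentinel in its upper half. */
static void mgr_init_fixed(struct mb_mgr *s)
{
    for (unsigned j = 0; j < NUM_LANES; j++)
        s->lens[j] = pack_len(UNUSED_LEN, j);
    mgr_init_common(s);
}

/* Take the next free lane for a job with `blocks` pending; -1 if all lanes are busy. */
static int mgr_submit(struct mb_mgr *s, struct mb_job *job, uint32_t blocks)
{
    unsigned lane = (unsigned)(s->unused_lanes & 0xFF);
    if (lane == 0xFF)
        return -1;
    s->unused_lanes >>= 8;
    s->lens[lane] = pack_len(blocks, lane);
    s->job_in_lane[lane] = job;
    return (int)lane;
}

/* Model of sha512_mb_mgr_get_comp_job: the lane with the smallest packed length
 * wins; if its pending count is 0 its job is complete.  Returns that lane,
 * COMP_NONE when nothing is complete, or COMP_UNUSED_LANE when the winner has no
 * job, which is where the kernel wrote STS_COMPLETED through a NULL job pointer. */
static int mgr_get_comp_job(struct mb_mgr *s)
{
    if (s->unused_lanes & (1ULL << 39))  /* 0xFF still in byte 4: no lane in use */
        return COMP_NONE;
    uint64_t min = s->lens[0];
    for (unsigned j = 1; j < NUM_LANES; j++)
        if (s->lens[j] < min)
            min = s->lens[j];
    if (min & ~0xFULL)                   /* pending count (or sentinel) is non-zero */
        return COMP_NONE;
    unsigned lane = (unsigned)(min & 0xF);
    struct mb_job *job = s->job_in_lane[lane];
    if (!job)
        return COMP_UNUSED_LANE;         /* the kernel has no such check */
    s->job_in_lane[lane] = NULL;
    job->status = STS_COMPLETED;
    s->lens[lane] = pack_len(UNUSED_LEN, lane);  /* hand the lane back as unused */
    s->unused_lanes = (s->unused_lanes << 8) | lane;
    return (int)lane;
}

/* One job submitted with `pending` blocks outstanding, then a completion
 * request.  pending == 1 replays the reported crash scenario. */
static int replay(void (*init)(struct mb_mgr *), uint32_t pending)
{
    struct mb_mgr s;
    struct mb_job job = { 0 };
    init(&s);
    mgr_submit(&s, &job, pending);       /* pending 1: lens[0] = 0x0000000100000000, as R08 */
    return mgr_get_comp_job(&s);
}

int main(void)
{
    printf("buggy init, 1 block pending: %d (unused lane selected)\n", replay(mgr_init_buggy, 1));
    printf("fixed init, 1 block pending: %d (no completed job)\n", replay(mgr_init_fixed, 1));
    printf("fixed init, 0 blocks pending: lane %d completed\n", replay(mgr_init_fixed, 0));
    return 0;
}
```

The model keeps the same decision order as the assembly (unused-lane bit, minimum over the packed lengths, `test $~0xF` on the winner, then the job pointer) so that the two initial states can be compared on identical input; the extra `if (!job)` branch exists only so the model can report the defect instead of faulting, and it also shows why the fix belongs in the initialiser rather than in the selection routine, since a correctly maintained sentinel keeps unused lanes from ever winning.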

Herbert Xu

Feb 9, 2018, 10:49:10 AM
to Eric Biggers, linux-...@vger.kernel.org, David S . Miller, Megha Dey, Fenghua Yu, Tim Chen, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Eric Biggers, sta...@vger.kernel.org
On Wed, Jan 24, 2018 at 12:31:27AM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebig...@google.com>
>
> The SHA-512 multibuffer code keeps track of the number of blocks pending
> in each lane. The minimum of these values is used to identify the next
> lane that will be completed. Unused lanes are set to a large number
> (0xFFFFFFFF) so that they don't affect this calculation.
>
> However, it was forgotten to set the lengths to this value in the
> initial state, where all lanes are unused. As a result it was possible
> for sha512_mb_mgr_get_comp_job_avx2() to select an unused lane, causing
> a NULL pointer dereference. Specifically this could happen in the case
> where ->update() was passed fewer than SHA512_BLOCK_SIZE bytes of data,
> so it then called sha_complete_job() without having actually submitted
> any blocks to the multi-buffer code. This hit a NULL pointer
> dereference if another task happened to have submitted blocks
> concurrently to the same CPU and the flush timer had not yet expired.
>
> Fix this by initializing sha512_mb_mgr->lens correctly.
>
> As usual, this bug was found by syzkaller.
>
> Fixes: 45691e2d9b18 ("crypto: sha512-mb - submit/flush routines for AVX2")
> Reported-by: syzbot <syzk...@googlegroups.com>
> Cc: <sta...@vger.kernel.org> # v4.8+
> Signed-off-by: Eric Biggers <ebig...@google.com>

Patch applied. Thanks.
--
Email: Herbert Xu <her...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Eric Biggers

Feb 12, 2018, 1:21:10 PM
to syzbot, syzkall...@googlegroups.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org
Fixed by commit eff84b379089cd, so marking it fixed for syzbot:

#syz fix: crypto: sha512-mb - initialize pending lengths correctly

- Eric