KASAN: use-after-free Read in blkcipher_walk_virt
3 views
Skip to first unread message
syzbot
Nov 30, 2017, 3:37:03 AM11/30/17
to da...@davemloft.net, her...@gondor.apana.org.au, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzkaller hit the following crash on
1d3b78bbc6e983fabb3fbf91b76339bf66e4a12c
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
dccp_v6_rcv: dropped packet with invalid checksum
dccp_v6_rcv: dropped packet with invalid checksum
==================================================================
BUG: KASAN: use-after-free in crypto_tfm_alg_blocksize
include/linux/crypto.h:671 [inline]
BUG: KASAN: use-after-free in crypto_blkcipher_blocksize
include/linux/crypto.h:1214 [inline]
BUG: KASAN: use-after-free in blkcipher_walk_virt+0x286/0x2a0
crypto/blkcipher.c:304
Read of size 8 at addr ffff8801ccba7f38 by task syz-executor5/4473
CPU: 0 PID: 4473 Comm: syz-executor5 Not tainted 4.14.0+ #129
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
crypto_tfm_alg_blocksize include/linux/crypto.h:671 [inline]
crypto_blkcipher_blocksize include/linux/crypto.h:1214 [inline]
blkcipher_walk_virt+0x286/0x2a0 crypto/blkcipher.c:304
skcipher_null_crypt+0x10e/0x2d0 crypto/crypto_null.c:85
skcipher_crypt_blkcipher crypto/skcipher.c:619 [inline]
skcipher_encrypt_blkcipher+0x213/0x310 crypto/skcipher.c:628
crypto_skcipher_encrypt include/crypto/skcipher.h:445 [inline]
crypto_aead_copy_sgl crypto/algif_aead.c:90 [inline]
_aead_recvmsg crypto/algif_aead.c:210 [inline]
aead_recvmsg+0x7db/0x1970 crypto/algif_aead.c:313
sock_recvmsg_nosec net/socket.c:805 [inline]
sock_recvmsg+0xc9/0x110 net/socket.c:812
___sys_recvmsg+0x29b/0x630 net/socket.c:2207
__sys_recvmsg+0xe2/0x210 net/socket.c:2252
SYSC_recvmsg net/socket.c:2264 [inline]
SyS_recvmsg+0x2d/0x50 net/socket.c:2259
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452879
RSP: 002b:00007f9bf6b8dbe8 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00000000007580d8 RCX: 0000000000452879
RDX: 0000000000010001 RSI: 0000000020e85000 RDI: 0000000000000016
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2608
R13: 00000000ffffffff R14: 00007f9bf6b8e6d4 R15: 0000000000000012
Allocated by task 4450:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3711 [inline]
__kmalloc+0x162/0x760 mm/slab.c:3720
kmalloc include/linux/slab.h:504 [inline]
kzalloc include/linux/slab.h:688 [inline]
__crypto_alloc_tfm+0xd0/0x4e0 crypto/api.c:359
crypto_init_skcipher_ops_blkcipher crypto/skcipher.c:658 [inline]
crypto_skcipher_init_tfm+0x4ee/0x840 crypto/skcipher.c:824
crypto_create_tfm+0xdf/0x2e0 crypto/api.c:462
crypto_alloc_tfm+0x10e/0x2f0 crypto/api.c:540
crypto_alloc_skcipher+0x2c/0x40 crypto/skcipher.c:926
crypto_get_default_null_skcipher+0x5f/0x80 crypto/crypto_null.c:164
crypto_get_default_null_skcipher2 include/crypto/null.h:17 [inline]
aead_bind+0x89/0x140 crypto/algif_aead.c:472
alg_bind+0x1ab/0x440 crypto/af_alg.c:179
SYSC_bind+0x1b4/0x3f0 net/socket.c:1475
SyS_bind+0x24/0x30 net/socket.c:1461
entry_SYSCALL_64_fastpath+0x1f/0x96
Freed by task 4494:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3491 [inline]
kfree+0xca/0x250 mm/slab.c:3806
kzfree+0x28/0x30 mm/slab_common.c:1482
crypto_destroy_tfm+0x140/0x2e0 crypto/api.c:581
crypto_free_tfm include/linux/crypto.h:641 [inline]
crypto_free_blkcipher include/linux/crypto.h:1142 [inline]
crypto_exit_skcipher_ops_blkcipher+0x34/0x40 crypto/skcipher.c:644
crypto_exit_ops crypto/api.c:315 [inline]
crypto_destroy_tfm+0xb9/0x2e0 crypto/api.c:579
crypto_free_skcipher include/crypto/skcipher.h:212 [inline]
crypto_put_default_null_skcipher+0x35/0x60 crypto/crypto_null.c:185
crypto_put_default_null_skcipher2 include/crypto/null.h:22 [inline]
aead_sock_destruct+0x13c/0x220 crypto/algif_aead.c:522
__sk_destruct+0xfd/0x910 net/core/sock.c:1558
sk_destruct+0x47/0x80 net/core/sock.c:1593
__sk_free+0x57/0x230 net/core/sock.c:1601
sk_free+0x2a/0x40 net/core/sock.c:1612
sock_put include/net/sock.h:1655 [inline]
af_alg_release+0x5d/0x70 crypto/af_alg.c:126
sock_release+0x8d/0x1e0 net/socket.c:596
sock_close+0x16/0x20 net/socket.c:1125
__fput+0x333/0x7f0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x296/0x310 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x94/0x96
The buggy address belongs to the object at ffff8801ccba7f00
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 56 bytes inside of
64-byte region [ffff8801ccba7f00, ffff8801ccba7f40)
The buggy address belongs to the page:
page:ffffea000732e9c0 count:1 mapcount:0 mapping:ffff8801ccba7000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801ccba7000 0000000000000000 0000000100000020
raw: ffffea00073653a0 ffffea0007411260 ffff8801db000340 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801ccba7e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8801ccba7e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8801ccba7f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff8801ccba7f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8801ccba8000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzkaller hit the following crash on
1d3b78bbc6e983fabb3fbf91b76339bf66e4a12c
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
dccp_v6_rcv: dropped packet with invalid checksum
dccp_v6_rcv: dropped packet with invalid checksum
==================================================================
BUG: KASAN: use-after-free in crypto_tfm_alg_blocksize
include/linux/crypto.h:671 [inline]
BUG: KASAN: use-after-free in crypto_blkcipher_blocksize
include/linux/crypto.h:1214 [inline]
BUG: KASAN: use-after-free in blkcipher_walk_virt+0x286/0x2a0
crypto/blkcipher.c:304
Read of size 8 at addr ffff8801ccba7f38 by task syz-executor5/4473
CPU: 0 PID: 4473 Comm: syz-executor5 Not tainted 4.14.0+ #129
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
crypto_tfm_alg_blocksize include/linux/crypto.h:671 [inline]
crypto_blkcipher_blocksize include/linux/crypto.h:1214 [inline]
blkcipher_walk_virt+0x286/0x2a0 crypto/blkcipher.c:304
skcipher_null_crypt+0x10e/0x2d0 crypto/crypto_null.c:85
skcipher_crypt_blkcipher crypto/skcipher.c:619 [inline]
skcipher_encrypt_blkcipher+0x213/0x310 crypto/skcipher.c:628
crypto_skcipher_encrypt include/crypto/skcipher.h:445 [inline]
crypto_aead_copy_sgl crypto/algif_aead.c:90 [inline]
_aead_recvmsg crypto/algif_aead.c:210 [inline]
aead_recvmsg+0x7db/0x1970 crypto/algif_aead.c:313
sock_recvmsg_nosec net/socket.c:805 [inline]
sock_recvmsg+0xc9/0x110 net/socket.c:812
___sys_recvmsg+0x29b/0x630 net/socket.c:2207
__sys_recvmsg+0xe2/0x210 net/socket.c:2252
SYSC_recvmsg net/socket.c:2264 [inline]
SyS_recvmsg+0x2d/0x50 net/socket.c:2259
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452879
RSP: 002b:00007f9bf6b8dbe8 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00000000007580d8 RCX: 0000000000452879
RDX: 0000000000010001 RSI: 0000000020e85000 RDI: 0000000000000016
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2608
R13: 00000000ffffffff R14: 00007f9bf6b8e6d4 R15: 0000000000000012
Allocated by task 4450:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3711 [inline]
__kmalloc+0x162/0x760 mm/slab.c:3720
kmalloc include/linux/slab.h:504 [inline]
kzalloc include/linux/slab.h:688 [inline]
__crypto_alloc_tfm+0xd0/0x4e0 crypto/api.c:359
crypto_init_skcipher_ops_blkcipher crypto/skcipher.c:658 [inline]
crypto_skcipher_init_tfm+0x4ee/0x840 crypto/skcipher.c:824
crypto_create_tfm+0xdf/0x2e0 crypto/api.c:462
crypto_alloc_tfm+0x10e/0x2f0 crypto/api.c:540
crypto_alloc_skcipher+0x2c/0x40 crypto/skcipher.c:926
crypto_get_default_null_skcipher+0x5f/0x80 crypto/crypto_null.c:164
crypto_get_default_null_skcipher2 include/crypto/null.h:17 [inline]
aead_bind+0x89/0x140 crypto/algif_aead.c:472
alg_bind+0x1ab/0x440 crypto/af_alg.c:179
SYSC_bind+0x1b4/0x3f0 net/socket.c:1475
SyS_bind+0x24/0x30 net/socket.c:1461
entry_SYSCALL_64_fastpath+0x1f/0x96
Freed by task 4494:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3491 [inline]
kfree+0xca/0x250 mm/slab.c:3806
kzfree+0x28/0x30 mm/slab_common.c:1482
crypto_destroy_tfm+0x140/0x2e0 crypto/api.c:581
crypto_free_tfm include/linux/crypto.h:641 [inline]
crypto_free_blkcipher include/linux/crypto.h:1142 [inline]
crypto_exit_skcipher_ops_blkcipher+0x34/0x40 crypto/skcipher.c:644
crypto_exit_ops crypto/api.c:315 [inline]
crypto_destroy_tfm+0xb9/0x2e0 crypto/api.c:579
crypto_free_skcipher include/crypto/skcipher.h:212 [inline]
crypto_put_default_null_skcipher+0x35/0x60 crypto/crypto_null.c:185
crypto_put_default_null_skcipher2 include/crypto/null.h:22 [inline]
aead_sock_destruct+0x13c/0x220 crypto/algif_aead.c:522
__sk_destruct+0xfd/0x910 net/core/sock.c:1558
sk_destruct+0x47/0x80 net/core/sock.c:1593
__sk_free+0x57/0x230 net/core/sock.c:1601
sk_free+0x2a/0x40 net/core/sock.c:1612
sock_put include/net/sock.h:1655 [inline]
af_alg_release+0x5d/0x70 crypto/af_alg.c:126
sock_release+0x8d/0x1e0 net/socket.c:596
sock_close+0x16/0x20 net/socket.c:1125
__fput+0x333/0x7f0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x296/0x310 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x94/0x96
The buggy address belongs to the object at ffff8801ccba7f00
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 56 bytes inside of
64-byte region [ffff8801ccba7f00, ffff8801ccba7f40)
The buggy address belongs to the page:
page:ffffea000732e9c0 count:1 mapcount:0 mapping:ffff8801ccba7000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801ccba7000 0000000000000000 0000000100000020
raw: ffffea00073653a0 ffffea0007411260 ffff8801db000340 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801ccba7e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8801ccba7e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8801ccba7f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff8801ccba7f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8801ccba8000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
Eric Biggers
Nov 30, 2017, 3:59:49 AM11/30/17
to syzbot, da...@davemloft.net, her...@gondor.apana.org.au, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, Nov 30, 2017 at 12:37:01AM -0800, syzbot wrote:
> ==================================================================
> BUG: KASAN: use-after-free in crypto_tfm_alg_blocksize
> include/linux/crypto.h:671 [inline]
> BUG: KASAN: use-after-free in crypto_blkcipher_blocksize
> include/linux/crypto.h:1214 [inline]
> BUG: KASAN: use-after-free in blkcipher_walk_virt+0x286/0x2a0
> crypto/blkcipher.c:304
> Read of size 8 at addr ffff8801ccba7f38 by task syz-executor5/4473
>
#syz dup: KASAN: use-after-free Read in aead_recvmsg
> ==================================================================
> BUG: KASAN: use-after-free in crypto_tfm_alg_blocksize
> include/linux/crypto.h:671 [inline]
> BUG: KASAN: use-after-free in crypto_blkcipher_blocksize
> include/linux/crypto.h:1214 [inline]
> BUG: KASAN: use-after-free in blkcipher_walk_virt+0x286/0x2a0
> crypto/blkcipher.c:304
> Read of size 8 at addr ffff8801ccba7f38 by task syz-executor5/4473
>
Reply all
Reply to author
Forward
0 new messages