KASAN: slab-out-of-bounds Write in sha3_final

[syzbot]

Hello,

syzkaller hit the following crash on
6fc478f80f6809cc4b1a4230f47a62d3b7378dc0
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


==================================================================
BUG: KASAN: slab-out-of-bounds in memset include/linux/string.h:326 [inline]
BUG: KASAN: slab-out-of-bounds in sha3_final+0xeb/0x2e0
crypto/sha3_generic.c:173
Write of size 4294967223 at addr ffff8801cc23a759 by task
syzkaller163089/3049

CPU: 0 PID: 3049 Comm: syzkaller163089 Not tainted 4.14.0-next-20171124+ #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
memset+0x23/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:326 [inline]
sha3_final+0xeb/0x2e0 crypto/sha3_generic.c:173
crypto_shash_final+0xd3/0x1f0 crypto/shash.c:144
hmac_final+0x16c/0x2b0 crypto/hmac.c:135
crypto_shash_final+0xd3/0x1f0 crypto/shash.c:144
hmac_final+0x16c/0x2b0 crypto/hmac.c:135
crypto_shash_final+0xd3/0x1f0 crypto/shash.c:144
shash_async_final+0x35/0x40 crypto/shash.c:241
crypto_ahash_op+0xbc/0x140 crypto/ahash.c:354
crypto_ahash_final+0x57/0x70 crypto/ahash.c:359
hash_sendmsg+0x686/0x9c0 crypto/algif_hash.c:131
sock_sendmsg_nosec net/socket.c:632 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:642
___sys_sendmsg+0x322/0x8a0 net/socket.c:2048
__sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2138
SYSC_sendmmsg net/socket.c:2169 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2164
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4403f9
RSP: 002b:00007ffc5b02b7d8 EFLAGS: 00000207 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403f9
RDX: 0000000000000005 RSI: 00000000209fe000 RDI: 0000000000000004
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d60
R13: 0000000000401df0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3049:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3712 [inline]
__kmalloc+0x162/0x760 mm/slab.c:3721
kmalloc include/linux/slab.h:519 [inline]
sock_kmalloc+0x112/0x190 net/core/sock.c:1979
hash_accept_parent_nokey+0x76/0x320 crypto/algif_hash.c:470
hash_accept_parent+0x9a/0xd0 crypto/algif_hash.c:497
af_alg_accept+0x125/0x670 crypto/af_alg.c:294
alg_accept+0x46/0x60 crypto/af_alg.c:330
SYSC_accept4+0x384/0x850 net/socket.c:1573
SyS_accept4 net/socket.c:1523 [inline]
SYSC_accept net/socket.c:1607 [inline]
SyS_accept+0x26/0x30 net/socket.c:1604
entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801cc23a240
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1305 bytes inside of
2048-byte region [ffff8801cc23a240, ffff8801cc23aa40)
The buggy address belongs to the page:
page:ffffea0007308e80 count:1 mapcount:0 mapping:ffff8801cc23a240 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801cc23a240 0000000000000000 0000000100000003
raw: ffffea000733a7a0 ffff8801db001950 ffff8801db000c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801cc23a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801cc23a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801cc23a780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801cc23a800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801cc23a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.

[Eric Biggers]

On Tue, Nov 28, 2017 at 05:24:01AM -0800, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 6fc478f80f6809cc4b1a4230f47a62d3b7378dc0
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memset include/linux/string.h:326 [inline]
> BUG: KASAN: slab-out-of-bounds in sha3_final+0xeb/0x2e0
> crypto/sha3_generic.c:173
> Write of size 4294967223 at addr ffff8801cc23a759 by task
> syzkaller163089/3049

#syz dup: KASAN: stack-out-of-bounds Write in sha3_update