KASAN: use-after-free Read in crypto_aead_free_instance


syzbot

Dec 20, 2017, 2:48:03 AM
to da...@davemloft.net, her...@gondor.apana.org.au, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzkaller hit the following crash on
032b4cc8ff84490c4bc7c4ef8c91e6d83a637538
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


==================================================================
BUG: KASAN: use-after-free in crypto_aead_free_instance+0xc0/0xd0
crypto/aead.c:154
Read of size 8 at addr ffff8801c32cf240 by task cryptomgr_test/6646

CPU: 1 PID: 6646 Comm: cryptomgr_test Not tainted 4.15.0-rc3+ #132
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
crypto_aead_free_instance+0xc0/0xd0 crypto/aead.c:154
crypto_free_instance+0x6d/0x100 crypto/algapi.c:77
crypto_destroy_instance+0x3c/0x80 crypto/algapi.c:85
crypto_alg_put crypto/internal.h:116 [inline]
crypto_remove_final+0x212/0x370 crypto/algapi.c:331
crypto_alg_tested+0x445/0x6f0 crypto/algapi.c:320
cryptomgr_test+0x17/0x30 crypto/algboss.c:226
kthread+0x37a/0x440 kernel/kthread.c:238
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:441

Allocated by task 6641:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3610
kmalloc include/linux/slab.h:499 [inline]
kzalloc include/linux/slab.h:688 [inline]
pcrypt_create_aead crypto/pcrypt.c:291 [inline]
pcrypt_create+0x137/0x6c0 crypto/pcrypt.c:346
cryptomgr_probe+0x74/0x240 crypto/algboss.c:75
kthread+0x37a/0x440 kernel/kthread.c:238
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:441

Freed by task 3335:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3488 [inline]
kfree+0xca/0x250 mm/slab.c:3803
crypto_larval_destroy+0x110/0x150 crypto/api.c:107
crypto_alg_put crypto/internal.h:116 [inline]
crypto_larval_kill+0x1e8/0x2e0 crypto/api.c:167
crypto_alg_mod_lookup+0x178/0x1b0 crypto/api.c:283
crypto_find_alg crypto/api.c:501 [inline]
crypto_alloc_tfm+0xf3/0x2f0 crypto/api.c:534
crypto_alloc_aead+0x2c/0x40 crypto/aead.c:342
aead_bind+0x70/0x140 crypto/algif_aead.c:482
alg_bind+0x1ab/0x440 crypto/af_alg.c:179
SYSC_bind+0x1b4/0x3f0 net/socket.c:1454
SyS_bind+0x24/0x30 net/socket.c:1440
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125

The buggy address belongs to the object at ffff8801c32cf240
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 0 bytes inside of
1024-byte region [ffff8801c32cf240, ffff8801c32cf640)
The buggy address belongs to the page:
page:000000004ffd125b count:1 mapcount:0 mapping:000000007c8f03ee index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801c32ce040 0000000000000000 0000000100000007
raw: ffffea00070b6ca0 ffffea00070b9120 ffff8801db000ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c32cf100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c32cf180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801c32cf200: fb fb fb fb fb fb fb fb fb fb fb fb 00 00 00 00
^
ffff8801c32cf280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801c32cf300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is merged into any tree, reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
config.txt
raw.log
repro.txt
repro.c
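The following Python triage helper is an added example, not code from syzbot or the kernel: it reduces a KASAN report (a trimmed, constructed excerpt of the one above is embedded) to the allocation site, the free site and the faulting access, and flags that allocation, free and use happened in three different tasks, which is what marks this as an object-lifetime bug rather than a plain double free. The function and regex names are the example's own.

```python
import re
# Constructed excerpt of the report above (the kernel's one-space frame indent is kept).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in crypto_aead_free_instance+0xc0/0xd0 crypto/aead.c:154
Read of size 8 at addr ffff8801c32cf240 by task cryptomgr_test/6646

Allocated by task 6641:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kzalloc include/linux/slab.h:688 [inline]
 pcrypt_create_aead crypto/pcrypt.c:291 [inline]

Freed by task 3335:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 kfree+0xca/0x250 mm/slab.c:3803
 crypto_larval_destroy+0x110/0x150 crypto/api.c:107
"""

# Allocator and KASAN bookkeeping frames; the first frame after these is the real alloc/free site.
NOISE = re.compile(r"^(save_stack|set_track|kasan_|__cache_free|kfree|kmalloc|kzalloc|kmem_cache_alloc)")
FRAME = re.compile(r"^\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+)")

def first_real_frame(lines, start):
    """(function, file:line) of the first non-bookkeeping frame, or None if the stack is all noise."""
    for line in lines[start:]:
        m = FRAME.match(line)
        if not m:
            break  # a blank or non-indented line ends the stack section
        if not NOISE.match(m.group(1)):
            return m.group(1), m.group(2)
    return None

def triage_kasan(report):
    """Reduce a KASAN report to who allocated, freed and then touched the object."""
    lines = report.splitlines()
    out = {}
    for i, line in enumerate(lines):
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)", line):
            out["kind"], out["use_func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr \w+ by task \S+/(\d+)", line):
            out["access"], out["use_task"] = (m.group(1), int(m.group(2))), int(m.group(3))
        elif m := re.match(r"Allocated by task (\d+):", line):
            out["alloc_task"], out["alloc_site"] = int(m.group(1)), first_real_frame(lines, i + 1)
        elif m := re.match(r"Freed by task (\d+):", line):
            out["free_task"], out["free_site"] = int(m.group(1)), first_real_frame(lines, i + 1)
    # Alloc, free and use by three different tasks points at a lifetime/refcount race, not a plain double free.
    tasks = {out.get(k) for k in ("use_task", "alloc_task", "free_task")}
    out["cross_task"] = None not in tasks and len(tasks) == 3
    return out
```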

Stephan Müller

Dec 20, 2017, 4:15:56 AM
to syzbot, da...@davemloft.net, her...@gondor.apana.org.au, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com

On Wednesday, 20 December 2017, 08:48:01 CET, syzbot wrote:


Hi,

This issue vanishes after applying the patch "[PATCH v2] crypto: AF_ALG - limit mask and type".

 

Ciao

Stephan

Stephan Müller

Dec 20, 2017, 4:17:14 AM
to syzbot, da...@davemloft.net, her...@gondor.apana.org.au, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Wednesday, 20 December 2017, 08:48:01 CET, syzbot wrote:

Hi,

Dmitry Vyukov

Dec 20, 2017, 4:20:05 AM
to Stephan Müller, syzbot, David Miller, Herbert Xu, linux-...@vger.kernel.org, LKML, syzkall...@googlegroups.com
Hi Stephan,

syzbot does not understand arbitrary English prose, it only understands this:

> Once a fix for this bug is merged into any tree, reply to this email with:
> #syz fix: exact-commit-title

Let's tell it about the fix:

#syz fix: crypto: AF_ALG - limit mask and type

Stephan Mueller

Dec 20, 2017, 4:29:07 AM
to Dmitry Vyukov, syzbot, David Miller, Herbert Xu, linux-...@vger.kernel.org, LKML, syzkall...@googlegroups.com
On Wednesday, 20 December 2017, 10:19:43 CET, Dmitry Vyukov wrote:

Hi Dmitry,
> >
> > This issue vanishes after applying the patch "[PATCH v2] crypto: AF_ALG -
> > limit mask and type".
>
> Hi Stephan,
>
> syzbot does not understand arbitrary English prose, it only understands
> this:
> > Once a fix for this bug is merged into any tree, reply to this email with:
> > #syz fix: exact-commit-title
>
> Let's tell it about the fix:
>
> #syz fix: crypto: AF_ALG - limit mask and type

I have seen that this is the approach, but the fix is not yet in the tree. I
just want to let folks know that there is a patch.


Ciao
Stephan

Dmitry Vyukov

Dec 20, 2017, 4:50:32 AM
to Stephan Mueller, syzbot, David Miller, Herbert Xu, linux-...@vger.kernel.org, LKML, syzkall...@googlegroups.com
Ah, ok, sorry. It's just difficult to tell when there is a reason to
not provide the tag right now, or when people don't know about
them or ignore them.
If the patch is merged with this title, then there is nothing else to
do. If it's merged under a different title, a new "#syz fix:" tag will
override the old one.

Stephan Mueller

Dec 20, 2017, 4:55:30 AM
to Dmitry Vyukov, syzbot, David Miller, Herbert Xu, linux-...@vger.kernel.org, LKML, syzkall...@googlegroups.com
Maybe you can teach the syzkaller that there is a proposed fix? E.g.

#syz proposed: commit-title


Ciao
Stephan

syzbot

Dec 20, 2017, 4:55:30 AM
to Stephan Mueller, da...@davemloft.net, dvy...@google.com, her...@gondor.apana.org.au, linux-...@vger.kernel.org, linux-...@vger.kernel.org, smue...@chronox.de, syzkall...@googlegroups.com
unknown command "proposed:"



> Ciao
> Stephan

syzbot

Dec 20, 2017, 4:55:31 AM
to Stephan Mueller, da...@davemloft.net, dvy...@google.com, her...@gondor.apana.org.au, linux-...@vger.kernel.org, linux-...@vger.kernel.org, smue...@chronox.de, syzkall...@googlegroups.com
unknown command "proposed:"



> Ciao
> Stephan


Dmitry Vyukov

Dec 20, 2017, 5:16:00 AM
to Stephan Mueller, syzbot, David Miller, Herbert Xu, linux-...@vger.kernel.org, LKML, syzkall...@googlegroups.com
What will be its meaning? How will it differ from fix?

Stephan Mueller

Dec 20, 2017, 6:49:49 AM
to Dmitry Vyukov, syzbot, David Miller, Herbert Xu, linux-...@vger.kernel.org, LKML, syzkall...@googlegroups.com
On Wednesday, 20 December 2017, 11:15:38 CET, Dmitry Vyukov wrote:

Hi Dmitry,

>
> What will be its meaning? How will it differ from fix?

Maybe a short clarification would help: what is the meaning of the syz fix
marker? Depending on this answer, all that I am thinking of is to mark bug
reports for which there are fixes actively discussed, but yet not integrated.
Thus, such marker should only help others to point them to active discussions
instead of them trying to find fixes alone.

Ciao
Stephan

Dmitry Vyukov

Dec 20, 2017, 7:00:05 AM
to Stephan Mueller, syzbot, David Miller, Herbert Xu, linux-...@vger.kernel.org, LKML, syzkall...@googlegroups.com
On Wed, Dec 20, 2017 at 12:49 PM, Stephan Mueller <smue...@chronox.de> wrote:
> On Wednesday, 20 December 2017, 11:15:38 CET, Dmitry Vyukov wrote:
>
> Hi Dmitry,
>
>>
>> What will be its meaning? How will it differ from fix?
>
> Maybe a short clarification would help: what is the meaning of the syz fix
> marker?

It's described here:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#bug-status-tracking

> Depending on this answer, all that I am thinking of is to mark bug
> reports for which there are fixes actively discussed, but yet not integrated.
> Thus, such marker should only help others to point them to active discussions
> instead of them trying to find fixes alone.

If it's only for humans, then there is no need to make a special
machine-readable command for this.
So basically what you wrote above is good:

> This issue vanishes after applying the patch "[PATCH v2] crypto: AF_ALG - limit mask and type".

I just didn't understand that's still pending (but perhaps that's what
you meant by including "[PATCH v2]" part).

Eric Biggers

Dec 20, 2017, 5:37:40 PM
to syzbot, da...@davemloft.net, her...@gondor.apana.org.au, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Probably the pcrypt_free() bug.

#syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2)