general protection fault in scatterwalk_copychunks
15 views
Skip to first unread message
syzbot
Apr 21, 2019, 3:15:07 AM4/21/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12e03257200000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=bc78bb581922f5035c8d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=149f283d200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=113d65f3200000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bc78bb...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1555828599.751:36): avc: denied { map } for
pid=7065 comm="syz-executor423" path="/root/syz-executor423430392"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7065 Comm: syz-executor423 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8880a9ec4500 task.stack: ffff88809de08000
RIP: 0010:scatterwalk_start include/crypto/scatterwalk.h:86 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:111 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:95 [inline]
RIP: 0010:scatterwalk_copychunks+0x4d6/0x6b0 crypto/scatterwalk.c:55
RSP: 0018:ffff88809de0f3d8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000001000 RCX: ffff8880a0dcd534
RDX: 0000000000000002 RSI: ffff888098480000 RDI: ffff8880a0dcd528
RBP: ffff88809de0f448 R08: ffffed1012136352 R09: 0000000000000002
R10: ffffed1012136351 R11: ffff8880909b1a8c R12: 0000000000001000
R13: 0000000000000000 R14: ffff88809de0f4a0 R15: 0000000000003000
FS: 0000000001e90880(0000) GS:ffff8880aee00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000455350 CR3: 000000009df46000 CR4: 00000000001406f0
Call Trace:
scatterwalk_map_and_copy crypto/scatterwalk.c:72 [inline]
scatterwalk_map_and_copy+0x12f/0x1d0 crypto/scatterwalk.c:60
gcmaes_encrypt.constprop.0+0x1d2/0xb90
arch/x86/crypto/aesni-intel_glue.c:778
generic_gcmaes_encrypt+0xf4/0x130 arch/x86/crypto/aesni-intel_glue.c:1111
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
gcmaes_wrapper_encrypt+0x101/0x170 arch/x86/crypto/aesni-intel_glue.c:945
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
tls_do_encryption net/tls/tls_sw.c:234 [inline]
tls_push_record+0x90b/0x1210 net/tls/tls_sw.c:270
tls_sw_sendpage+0x437/0xb50 net/tls/tls_sw.c:617
inet_sendpage+0x15a/0x580 net/ipv4/af_inet.c:779
kernel_sendpage+0x95/0xf0 net/socket.c:3415
sock_sendpage+0x8b/0xc0 net/socket.c:871
pipe_to_sendpage+0x244/0x340 fs/splice.c:451
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x351/0x790 fs/splice.c:626
splice_from_pipe+0xf0/0x150 fs/splice.c:661
generic_splice_sendpage+0x3c/0x50 fs/splice.c:832
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x126/0x1a0 fs/splice.c:1018
splice_direct_to_actor+0x2a1/0x7b0 fs/splice.c:973
do_splice_direct+0x18d/0x230 fs/splice.c:1061
do_sendfile+0x4db/0xbd0 fs/read_write.c:1440
SYSC_sendfile64 fs/read_write.c:1501 [inline]
SyS_sendfile64+0x102/0x110 fs/read_write.c:1487
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4403e9
RSP: 002b:00007ffe6ad1e9c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004403e9
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000012 R09: 65732f636f72702f
R10: 0000000000010010 R11: 0000000000000246 R12: 0000000000401cd0
R13: 0000000000401d60 R14: 0000000000000000 R15: 0000000000000000
Code: 00 00 fc ff df 80 3c 02 00 0f 85 37 01 00 00 49 8d 45 10 4d 89 2e 48
89 c2 48 89 45 c0 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02
84 c0 74 08 3c 03 0f 8e 7d 01 00 00 48 b8 00 00 00
RIP: scatterwalk_start include/crypto/scatterwalk.h:86 [inline] RSP:
ffff88809de0f3d8
RIP: scatterwalk_pagedone include/crypto/scatterwalk.h:111 [inline] RSP:
ffff88809de0f3d8
RIP: scatterwalk_pagedone include/crypto/scatterwalk.h:95 [inline] RSP:
ffff88809de0f3d8
RIP: scatterwalk_copychunks+0x4d6/0x6b0 crypto/scatterwalk.c:55 RSP:
ffff88809de0f3d8
---[ end trace 4e117918face6864 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12e03257200000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=bc78bb581922f5035c8d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=149f283d200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=113d65f3200000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bc78bb...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1555828599.751:36): avc: denied { map } for
pid=7065 comm="syz-executor423" path="/root/syz-executor423430392"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 7065 Comm: syz-executor423 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8880a9ec4500 task.stack: ffff88809de08000
RIP: 0010:scatterwalk_start include/crypto/scatterwalk.h:86 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:111 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:95 [inline]
RIP: 0010:scatterwalk_copychunks+0x4d6/0x6b0 crypto/scatterwalk.c:55
RSP: 0018:ffff88809de0f3d8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000001000 RCX: ffff8880a0dcd534
RDX: 0000000000000002 RSI: ffff888098480000 RDI: ffff8880a0dcd528
RBP: ffff88809de0f448 R08: ffffed1012136352 R09: 0000000000000002
R10: ffffed1012136351 R11: ffff8880909b1a8c R12: 0000000000001000
R13: 0000000000000000 R14: ffff88809de0f4a0 R15: 0000000000003000
FS: 0000000001e90880(0000) GS:ffff8880aee00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000455350 CR3: 000000009df46000 CR4: 00000000001406f0
Call Trace:
scatterwalk_map_and_copy crypto/scatterwalk.c:72 [inline]
scatterwalk_map_and_copy+0x12f/0x1d0 crypto/scatterwalk.c:60
gcmaes_encrypt.constprop.0+0x1d2/0xb90
arch/x86/crypto/aesni-intel_glue.c:778
generic_gcmaes_encrypt+0xf4/0x130 arch/x86/crypto/aesni-intel_glue.c:1111
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
gcmaes_wrapper_encrypt+0x101/0x170 arch/x86/crypto/aesni-intel_glue.c:945
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
tls_do_encryption net/tls/tls_sw.c:234 [inline]
tls_push_record+0x90b/0x1210 net/tls/tls_sw.c:270
tls_sw_sendpage+0x437/0xb50 net/tls/tls_sw.c:617
inet_sendpage+0x15a/0x580 net/ipv4/af_inet.c:779
kernel_sendpage+0x95/0xf0 net/socket.c:3415
sock_sendpage+0x8b/0xc0 net/socket.c:871
pipe_to_sendpage+0x244/0x340 fs/splice.c:451
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x351/0x790 fs/splice.c:626
splice_from_pipe+0xf0/0x150 fs/splice.c:661
generic_splice_sendpage+0x3c/0x50 fs/splice.c:832
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x126/0x1a0 fs/splice.c:1018
splice_direct_to_actor+0x2a1/0x7b0 fs/splice.c:973
do_splice_direct+0x18d/0x230 fs/splice.c:1061
do_sendfile+0x4db/0xbd0 fs/read_write.c:1440
SYSC_sendfile64 fs/read_write.c:1501 [inline]
SyS_sendfile64+0x102/0x110 fs/read_write.c:1487
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4403e9
RSP: 002b:00007ffe6ad1e9c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004403e9
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000012 R09: 65732f636f72702f
R10: 0000000000010010 R11: 0000000000000246 R12: 0000000000401cd0
R13: 0000000000401d60 R14: 0000000000000000 R15: 0000000000000000
Code: 00 00 fc ff df 80 3c 02 00 0f 85 37 01 00 00 49 8d 45 10 4d 89 2e 48
89 c2 48 89 45 c0 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02
84 c0 74 08 3c 03 0f 8e 7d 01 00 00 48 b8 00 00 00
RIP: scatterwalk_start include/crypto/scatterwalk.h:86 [inline] RSP:
ffff88809de0f3d8
RIP: scatterwalk_pagedone include/crypto/scatterwalk.h:111 [inline] RSP:
ffff88809de0f3d8
RIP: scatterwalk_pagedone include/crypto/scatterwalk.h:95 [inline] RSP:
ffff88809de0f3d8
RIP: scatterwalk_copychunks+0x4d6/0x6b0 crypto/scatterwalk.c:55 RSP:
ffff88809de0f3d8
---[ end trace 4e117918face6864 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages