[syzbot] [crypto?] KASAN: slab-out-of-bounds Read in arc4_crypt

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 17cb8a20bde6 Add linux-next specific files for 20231215
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1129f3b6e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17d23c01e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14cfe021e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ae1915546a0a/disk-17cb8a20.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b0f2ec7a35f4/vmlinux-17cb8a20.xz
kernel image: https://storage.googleapis.com/syzbot-assets/619edb9cb864/bzImage-17cb8a20.xz

The issue was bisected to:

commit 47309ea1359115125d9cab17a279c8df72b47235
Author: Herbert Xu <her...@gondor.apana.org.au>
Date: Tue Nov 28 06:52:57 2023 +0000

crypto: arc4 - Add internal state

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=130bb292e80000
final oops: https://syzkaller.appspot.com/x/report.txt?x=108bb292e80000
console output: https://syzkaller.appspot.com/x/log.txt?x=170bb292e80000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8ffb08...@syzkaller.appspotmail.com
Fixes: 47309ea13591 ("crypto: arc4 - Add internal state")

"syz-executor161" (5061) uses obsolete ecb(arc4) skcipher
==================================================================
BUG: KASAN: slab-out-of-bounds in arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46
Read of size 4 at addr ffff888079f44ee0 by task syz-executor161/5061

CPU: 1 PID: 5061 Comm: syz-executor161 Not tainted 6.7.0-rc5-next-20231215-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46
crypto_arc4_crypt+0x61/0x70 crypto/arc4.c:37
crypto_lskcipher_crypt_sg+0x28c/0x460 crypto/lskcipher.c:229
crypto_skcipher_decrypt+0xda/0x160 crypto/skcipher.c:693
_skcipher_recvmsg crypto/algif_skcipher.c:199 [inline]
skcipher_recvmsg+0xc2b/0x1040 crypto/algif_skcipher.c:221
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1066
____sys_recvmsg+0x21f/0x5c0 net/socket.c:2801
___sys_recvmsg+0x115/0x1a0 net/socket.c:2843
__sys_recvmsg+0x114/0x1e0 net/socket.c:2873
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a
RIP: 0033:0x7effab449b79
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff6c0657f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007effab449b79
RDX: 0000000000000000 RSI: 00000000200005c0 RDI: 0000000000000004
RBP: 0000000000003a28 R08: 0000000000000000 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>

Allocated by task 78:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_set_track+0x24/0x30 mm/kasan/common.c:61
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:384
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slub.c:3985 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3998
kmalloc include/linux/slab.h:594 [inline]
kzalloc include/linux/slab.h:711 [inline]
kobject_get_path+0xce/0x2b0 lib/kobject.c:159
kobject_uevent_env+0x26b/0x1800 lib/kobject_uevent.c:529
kset_register+0x1b6/0x2a0 lib/kobject.c:873
bus_register+0x1bf/0x6a0 drivers/base/bus.c:868
gpiolib_dev_init+0x1b/0x1c0 drivers/gpio/gpiolib.c:4684
do_one_initcall+0x128/0x680 init/main.c:1236
do_initcall_level init/main.c:1298 [inline]
do_initcalls init/main.c:1314 [inline]
do_basic_setup init/main.c:1333 [inline]
kernel_init_freeable+0x692/0xc30 init/main.c:1551
kernel_init+0x1c/0x2a0 init/main.c:1441
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_set_track+0x24/0x30 mm/kasan/common.c:61
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:384
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slub.c:3985 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3998
kmalloc include/linux/slab.h:594 [inline]
kzalloc include/linux/slab.h:711 [inline]
acpi_os_allocate_zeroed include/acpi/platform/aclinuxex.h:57 [inline]
acpi_ns_internalize_name+0x149/0x220 drivers/acpi/acpica/nsutils.c:331
acpi_ns_get_node_unlocked+0x164/0x310 drivers/acpi/acpica/nsutils.c:666
acpi_ns_get_node+0x4c/0x70 drivers/acpi/acpica/nsutils.c:726
acpi_ns_evaluate+0x6eb/0xca0 drivers/acpi/acpica/nseval.c:62
acpi_ut_evaluate_object+0xda/0x490 drivers/acpi/acpica/uteval.c:60
acpi_ut_execute_HID+0x8e/0x3b0 drivers/acpi/acpica/utids.c:45
acpi_ns_get_device_callback+0x182/0x510 drivers/acpi/acpica/nsxfeval.c:679
acpi_ns_walk_namespace+0x3fe/0x5a0 drivers/acpi/acpica/nswalk.c:233
acpi_get_devices+0x135/0x160 drivers/acpi/acpica/nsxfeval.c:805
acpi_ec_dsdt_probe+0x4b/0x160 drivers/acpi/ec.c:1769
acpi_bus_init drivers/acpi/bus.c:1372 [inline]
acpi_init+0x2c5/0xb70 drivers/acpi/bus.c:1430
do_one_initcall+0x128/0x680 init/main.c:1236
do_initcall_level init/main.c:1298 [inline]
do_initcalls init/main.c:1314 [inline]
do_basic_setup init/main.c:1333 [inline]
kernel_init_freeable+0x692/0xc30 init/main.c:1551
kernel_init+0x1c/0x2a0 init/main.c:1441
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Second to last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_set_track+0x24/0x30 mm/kasan/common.c:61
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slub.c:3817 [inline]
slab_alloc_node mm/slub.c:3864 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3871
kmem_cache_zalloc include/linux/slab.h:701 [inline]
acpi_os_acquire_object include/acpi/platform/aclinuxex.h:67 [inline]
acpi_ut_allocate_object_desc_dbg drivers/acpi/acpica/utobject.c:359 [inline]
acpi_ut_create_internal_object_dbg+0x7b/0x400 drivers/acpi/acpica/utobject.c:69
acpi_ds_create_buffer_field+0x389/0x610 drivers/acpi/acpica/dsfield.c:214
acpi_ds_load2_end_op+0x5d8/0x1070 drivers/acpi/acpica/dswload2.c:475
acpi_ds_exec_end_op+0xbb7/0x1460 drivers/acpi/acpica/dswexec.c:542
acpi_ps_parse_loop+0x429/0x1ce0 drivers/acpi/acpica/psloop.c:525
acpi_ps_parse_aml+0x3c1/0xca0 drivers/acpi/acpica/psparse.c:475
acpi_ps_execute_table+0x37b/0x4c0 drivers/acpi/acpica/psxface.c:295
acpi_ns_execute_table+0x3ee/0x550 drivers/acpi/acpica/nsparse.c:116
acpi_ns_load_table+0x5b/0x130 drivers/acpi/acpica/nsload.c:71
acpi_tb_load_namespace+0x435/0x700 drivers/acpi/acpica/tbxfload.c:186
acpi_load_tables+0x2c/0x110 drivers/acpi/acpica/tbxfload.c:59
acpi_bus_init drivers/acpi/bus.c:1321 [inline]
acpi_init+0x123/0xb70 drivers/acpi/bus.c:1430
do_one_initcall+0x128/0x680 init/main.c:1236
do_initcall_level init/main.c:1298 [inline]
do_initcalls init/main.c:1314 [inline]
do_basic_setup init/main.c:1333 [inline]
kernel_init_freeable+0x692/0xc30 init/main.c:1551
kernel_init+0x1c/0x2a0 init/main.c:1441
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

The buggy address belongs to the object at ffff888079f44800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 1024 bytes to the right of
allocated 736-byte region [ffff888079f44800, ffff888079f44ae0)

The buggy address belongs to the physical page:
page:ffffea0001e7d000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79f40
head:ffffea0001e7d000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888013041dc0 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4686, tgid 4686 (udevd), ts 39444184156, free_ts 23975115080
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1540
prep_new_page mm/page_alloc.c:1547 [inline]
get_page_from_freelist+0xa19/0x3740 mm/page_alloc.c:3355
__alloc_pages+0x22e/0x2410 mm/page_alloc.c:4611
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:2191 [inline]
allocate_slab mm/slub.c:2358 [inline]
new_slab+0x283/0x3c0 mm/slub.c:2411
___slab_alloc+0x4ab/0x1990 mm/slub.c:3544
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3629
__slab_alloc_node mm/slub.c:3682 [inline]
slab_alloc_node mm/slub.c:3854 [inline]
__do_kmalloc_node mm/slub.c:3984 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3998
kmalloc include/linux/slab.h:594 [inline]
load_elf_phdrs+0x103/0x210 fs/binfmt_elf.c:526
load_elf_binary+0x14ca/0x4e10 fs/binfmt_elf.c:955
search_binary_handler fs/exec.c:1736 [inline]
exec_binprm fs/exec.c:1778 [inline]
bprm_execve fs/exec.c:1853 [inline]
bprm_execve+0x7ef/0x1a80 fs/exec.c:1809
do_execveat_common.isra.0+0x679/0x8e0 fs/exec.c:1974
do_execve fs/exec.c:2048 [inline]
__do_sys_execve fs/exec.c:2124 [inline]
__se_sys_execve fs/exec.c:2119 [inline]
__x64_sys_execve+0x8c/0xb0 fs/exec.c:2119
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x51f/0xb10 mm/page_alloc.c:2390
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2530
free_contig_range+0xb6/0x190 mm/page_alloc.c:6579
destroy_args+0xa69/0xe40 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x16fc/0x3250 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x128/0x680 init/main.c:1236
do_initcall_level init/main.c:1298 [inline]
do_initcalls init/main.c:1314 [inline]
do_basic_setup init/main.c:1333 [inline]
kernel_init_freeable+0x692/0xc30 init/main.c:1551
kernel_init+0x1c/0x2a0 init/main.c:1441
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Memory state around the buggy address:
ffff888079f44d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888079f44e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888079f44e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888079f44f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888079f44f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[Edward Adam Davis]

please test slab-out-of-bounds Read in arc4_crypt

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 17cb8a20bde6
diff --git a/crypto/lskcipher.c b/crypto/lskcipher.c
index a06008e112f3..36968495607d 100644
--- a/crypto/lskcipher.c
+++ b/crypto/lskcipher.c
@@ -215,6 +215,12 @@ static int crypto_lskcipher_crypt_sg(struct skcipher_request *req,

flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP;

+ printk("ivs: %p, v: %d, s: %u, ri: %p, wi: %p, %s\n",
+ ivs, IS_ERR_OR_NULL(ivs), ivsize, req->iv, walk.iv, __func__);
+
+ if (IS_ERR_OR_NULL(ivs))
+ ivs = kzalloc(ivsize, GFP_KERNEL);
+
if (req->base.flags & CRYPTO_SKCIPHER_REQ_CONT)
flags |= CRYPTO_LSKCIPHER_FLAG_CONT;
else

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in arc4_crypt

"syz-executor.0" (5497) uses obsolete ecb(arc4) skcipher
ivs: ffff8880296a9ae0, v: 0, s: 0, ri: 0000000000000010, wi: 0000000000000000, crypto_lskcipher_crypt_sg

==================================================================
BUG: KASAN: slab-out-of-bounds in arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46

Read of size 4 at addr ffff8880296a9ee0 by task syz-executor.0/5497

CPU: 1 PID: 5497 Comm: syz-executor.0 Not tainted 6.7.0-rc5-next-20231215-syzkaller-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46
crypto_arc4_crypt+0x61/0x70 crypto/arc4.c:37

crypto_lskcipher_crypt_sg+0x398/0x600 crypto/lskcipher.c:235

crypto_skcipher_decrypt+0xda/0x160 crypto/skcipher.c:693
_skcipher_recvmsg crypto/algif_skcipher.c:199 [inline]
skcipher_recvmsg+0xc2b/0x1040 crypto/algif_skcipher.c:221
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1066
____sys_recvmsg+0x21f/0x5c0 net/socket.c:2801
___sys_recvmsg+0x115/0x1a0 net/socket.c:2843
__sys_recvmsg+0x114/0x1e0 net/socket.c:2873
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a

RIP: 0033:0x7f029aa7cba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f029b7d40c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007f029ab9bf80 RCX: 00007f029aa7cba9

RDX: 0000000000000000 RSI: 00000000200005c0 RDI: 0000000000000004

RBP: 00007f029aac847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f029ab9bf80 R15: 00007fff19420af8

</TASK>

Allocated by task 78:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_set_track+0x24/0x30 mm/kasan/common.c:61

__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slub.c:3817 [inline]
slab_alloc_node mm/slub.c:3864 [inline]

kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3883
__d_alloc+0x32/0xac0 fs/dcache.c:1769
d_alloc+0x4e/0x220 fs/dcache.c:1849
d_alloc_parallel+0xe9/0x12d0 fs/dcache.c:2638
__lookup_slow+0x194/0x450 fs/namei.c:1678
lookup_one_len+0x17d/0x1b0 fs/namei.c:2755
start_creating.part.0+0x12f/0x3a0 fs/debugfs/inode.c:382
start_creating fs/debugfs/inode.c:355 [inline]
__debugfs_create_file+0xa5/0x620 fs/debugfs/inode.c:427
minstrel_ht_add_sta_debugfs+0x2f/0x50 net/mac80211/rc80211_minstrel_ht_debugfs.c:332
rate_control_add_sta_debugfs net/mac80211/rate.h:60 [inline]
sta_info_insert_finish net/mac80211/sta_info.c:879 [inline]
sta_info_insert_rcu+0xe3e/0x1ab0 net/mac80211/sta_info.c:944
ieee80211_ibss_finish_sta+0x21c/0x3a0 net/mac80211/ibss.c:575
ieee80211_ibss_add_sta+0x3a8/0x730 net/mac80211/ibss.c:631
ieee80211_update_sta_info net/mac80211/ibss.c:1005 [inline]
ieee80211_rx_bss_info net/mac80211/ibss.c:1096 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1577 [inline]
ieee80211_ibss_rx_queued_mgmt+0x28b7/0x3140 net/mac80211/ibss.c:1604
ieee80211_iface_process_skb net/mac80211/iface.c:1589 [inline]
ieee80211_iface_work+0xa67/0xda0 net/mac80211/iface.c:1643
cfg80211_wiphy_work+0x24e/0x330 net/wireless/core.c:437
process_one_work+0x8a4/0x15f0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b6/0x1290 kernel/workqueue.c:2787
kthread+0x2c1/0x3a0 kernel/kthread.c:388

ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_set_track+0x24/0x30 mm/kasan/common.c:61
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:384
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slub.c:3985 [inline]

__kmalloc_node_track_caller+0x220/0x470 mm/slub.c:4005
kmemdup+0x29/0x60 mm/util.c:131
kmemdup include/linux/fortify-string.h:761 [inline]
ip6t_register_table+0x1d0/0x420 net/ipv6/netfilter/ip6_tables.c:1768
ip6table_security_table_init+0x40/0x60 net/ipv6/netfilter/ip6table_security.c:45
xt_find_table_lock+0x2cf/0x4e0 net/netfilter/x_tables.c:1259
xt_request_find_table_lock+0x28/0xf0 net/netfilter/x_tables.c:1284
get_info+0x1a1/0x7c0 net/ipv4/netfilter/ip_tables.c:963
do_ip6t_get_ctl+0x16a/0xae0 net/ipv6/netfilter/ip6_tables.c:1660
nf_getsockopt+0x76/0xe0 net/netfilter/nf_sockopt.c:116
ipv6_getsockopt+0x1f9/0x2b0 net/ipv6/ipv6_sockglue.c:1488
tcp_getsockopt+0x97/0xf0 net/ipv4/tcp.c:4361
do_sock_getsockopt+0x2e1/0x6c0 net/socket.c:2371
__sys_getsockopt+0x1a1/0x270 net/socket.c:2400
__do_sys_getsockopt net/socket.c:2410 [inline]
__se_sys_getsockopt net/socket.c:2407 [inline]
__x64_sys_getsockopt+0xbd/0x150 net/socket.c:2407

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a

Second to last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47

__kasan_record_aux_stack+0xc2/0xd0 mm/kasan/generic.c:517
__call_rcu_common.constprop.0+0x9a/0x7b0 kernel/rcu/tree.c:2689
call_rcu_hurry include/linux/rcupdate.h:114 [inline]
dst_release net/core/dst.c:167 [inline]
dst_release+0x1b5/0x1e0 net/core/dst.c:164
refdst_drop include/net/dst.h:263 [inline]
skb_dst_drop include/net/dst.h:275 [inline]
skb_release_head_state+0x254/0x2b0 net/core/skbuff.c:1041
skb_release_all net/core/skbuff.c:1056 [inline]
kfree_skb_add_bulk net/core/skbuff.c:1129 [inline]
kfree_skb_list_reason+0x17b/0x4c0 net/core/skbuff.c:1151
__dev_xmit_skb net/core/dev.c:3840 [inline]
__dev_queue_xmit+0x255b/0x3d40 net/core/dev.c:4311
dev_queue_xmit include/linux/netdevice.h:3165 [inline]
neigh_resolve_output net/core/neighbour.c:1563 [inline]
neigh_resolve_output+0x584/0x8f0 net/core/neighbour.c:1543
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x673/0x1820 net/ipv6/ip6_output.c:137
__ip6_finish_output net/ipv6/ip6_output.c:211 [inline]
ip6_finish_output+0x3c7/0xf70 net/ipv6/ip6_output.c:222
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x1e2/0x530 net/ipv6/ip6_output.c:243
dst_output include/net/dst.h:451 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ndisc_send_skb+0xa13/0x18f0 net/ipv6/ndisc.c:509
ndisc_send_rs+0x133/0x6a0 net/ipv6/ndisc.c:719
addrconf_dad_completed+0x486/0x1030 net/ipv6/addrconf.c:4303
addrconf_dad_begin net/ipv6/addrconf.c:4068 [inline]
addrconf_dad_work+0xd5c/0x14b0 net/ipv6/addrconf.c:4170
process_one_work+0x8a4/0x15f0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b6/0x1290 kernel/workqueue.c:2787
kthread+0x2c1/0x3a0 kernel/kthread.c:388

ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

The buggy address belongs to the object at ffff8880296a9800

which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 1024 bytes to the right of

allocated 736-byte region [ffff8880296a9800, ffff8880296a9ae0)

The buggy address belongs to the physical page:

page:ffffea0000a5aa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880296ac000 pfn:0x296a8
head:ffffea0000a5aa00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888013041dc0 ffffea00052f8a00 0000000000000003
raw: ffff8880296ac000 000000008010000a 00000001ffffffff 0000000000000000

page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 2871, tgid 2871 (kworker/u4:11), ts 83336024213, free_ts 79470601630

set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1540
prep_new_page mm/page_alloc.c:1547 [inline]
get_page_from_freelist+0xa19/0x3740 mm/page_alloc.c:3355
__alloc_pages+0x22e/0x2410 mm/page_alloc.c:4611
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:2191 [inline]
allocate_slab mm/slub.c:2358 [inline]
new_slab+0x283/0x3c0 mm/slub.c:2411
___slab_alloc+0x4ab/0x1990 mm/slub.c:3544
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3629
__slab_alloc_node mm/slub.c:3682 [inline]
slab_alloc_node mm/slub.c:3854 [inline]
__do_kmalloc_node mm/slub.c:3984 [inline]

__kmalloc_node_track_caller+0x367/0x470 mm/slub.c:4005
kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1298 [inline]
nlmsg_new include/net/netlink.h:1010 [inline]
inet6_rt_notify+0xf0/0x2b0 net/ipv6/route.c:6171
fib6_del_route net/ipv6/ip6_fib.c:1999 [inline]
fib6_del+0xfae/0x17a0 net/ipv6/ip6_fib.c:2034
fib6_clean_node+0x41f/0x5b0 net/ipv6/ip6_fib.c:2196
fib6_walk_continue+0x44c/0x8c0 net/ipv6/ip6_fib.c:2118
fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2166
fib6_clean_tree+0xd7/0x110 net/ipv6/ip6_fib.c:2246
page last free pid 5061 tgid 5053 stack trace:

reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x51f/0xb10 mm/page_alloc.c:2390
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2530

vfree+0x181/0x7a0 mm/vmalloc.c:2842
snd_dma_free_pages+0x51/0x60 sound/core/memalloc.c:126
do_free_pages sound/core/pcm_memory.c:93 [inline]
do_free_pages sound/core/pcm_memory.c:88 [inline]
snd_pcm_lib_free_pages+0x172/0x380 sound/core/pcm_memory.c:499
do_hw_free sound/core/pcm_native.c:893 [inline]
snd_pcm_release_substream.part.0+0x29c/0x330 sound/core/pcm_native.c:2760
snd_pcm_release_substream+0x5b/0x70 sound/core/pcm_native.c:2754
snd_pcm_oss_release_file sound/core/oss/pcm_oss.c:2413 [inline]
snd_pcm_oss_release_file sound/core/oss/pcm_oss.c:2405 [inline]
snd_pcm_oss_release+0x175/0x310 sound/core/oss/pcm_oss.c:2592
__fput+0x270/0xbb0 fs/file_table.c:381
__fput_sync+0x47/0x50 fs/file_table.c:466
__do_sys_close fs/open.c:1595 [inline]
__se_sys_close fs/open.c:1580 [inline]
__x64_sys_close+0x86/0xf0 fs/open.c:1580

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a

Memory state around the buggy address:

ffff8880296a9d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880296a9e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880296a9e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880296a9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880296a9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 17cb8a20 Add linux-next specific files for 20231215
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=168fefc6e80000

kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=14276121e80000

[Edward Adam Davis]

please test slab-out-of-bounds Read in arc4_crypt

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 17cb8a20bde6

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 02cea2149504..299547b0e200 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -120,6 +120,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
if (IS_ERR(areq))
return PTR_ERR(areq);

+ printk("req: %p, %s\n", &areq->cra_u.skcipher_req, __func__);
/* convert iovecs of output buffers into RX SGL */
err = af_alg_get_rsgl(sk, msg, flags, areq, ctx->used, &len);
if (err)
diff --git a/crypto/arc4.c b/crypto/arc4.c
index 1a4825c97c5a..79621f4f4c68 100644
--- a/crypto/arc4.c
+++ b/crypto/arc4.c
@@ -29,6 +29,7 @@ static int crypto_arc4_crypt(struct crypto_lskcipher *tfm, const u8 *src,
{
struct arc4_ctx *ctx = crypto_lskcipher_ctx(tfm);

+ printk("%p, flags: %u, ctx: %p, %s\n", siv, flags, ctx, __func__);
if (!(flags & CRYPTO_LSKCIPHER_FLAG_CONT))
memcpy(siv, ctx, sizeof(*ctx));

diff --git a/crypto/lskcipher.c b/crypto/lskcipher.c
index a06008e112f3..0a429ffc086f 100644
--- a/crypto/lskcipher.c
+++ b/crypto/lskcipher.c
@@ -215,6 +215,10 @@ static int crypto_lskcipher_crypt_sg(struct skcipher_request *req,

flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP;

+ printk("r: %p, ivs: %p, v: %d, s: %u, ri: %p, wi: %p, f: %u, wnb: %u, %s\n",
+ req, ivs, IS_ERR_OR_NULL(ivs), ivsize, req->iv, walk.iv,
+ req->base.flags, walk.nbytes, __func__);

+
if (req->base.flags & CRYPTO_SKCIPHER_REQ_CONT)
flags |= CRYPTO_LSKCIPHER_FLAG_CONT;
else

@@ -224,6 +228,9 @@ static int crypto_lskcipher_crypt_sg(struct skcipher_request *req,
flags |= CRYPTO_LSKCIPHER_FLAG_FINAL;

err = skcipher_walk_virt(&walk, req, false);
+ printk("ivs: %p, v: %d, s: %u, ri: %p, wi: %p, f: %u, wnb: %u, %s\n",

+ ivs, IS_ERR_OR_NULL(ivs), ivsize, req->iv, walk.iv,

+ req->base.flags, walk.nbytes, __func__);

while (walk.nbytes) {
err = crypt(tfm, walk.src.virt.addr, walk.dst.virt.addr,
diff --git a/crypto/skcipher.c b/crypto/skcipher.c
index bc70e159d27d..08409990b58a 100644
--- a/crypto/skcipher.c
+++ b/crypto/skcipher.c
@@ -716,6 +716,8 @@ static int crypto_lskcipher_import(struct skcipher_request *req, const void *in)
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
u8 *ivs = skcipher_request_ctx(req);

+ printk("%p, csa: %u, csi: %u, tfm: %p, in: %p, %s\n",
+ ivs, crypto_skcipher_alignmask(tfm), crypto_skcipher_ivsize(tfm), tfm, in, __func__);
ivs = PTR_ALIGN(ivs, crypto_skcipher_alignmask(tfm) + 1);

memcpy(ivs + crypto_skcipher_ivsize(tfm), in,

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in arc4_crypt

"syz-executor.0" (5493) uses obsolete ecb(arc4) skcipher
req: ffff8880798ffa90, _skcipher_recvmsg
r: ffff8880798ffa90, ivs: ffff8880798ffae0, v: 0, s: 0, ri: 0000000000000010, wi: 0000000000000000, f: 1536, wnb: 0, crypto_lskcipher_crypt_sg
ivs: ffff8880798ffae0, v: 0, s: 0, ri: 0000000000000010, wi: 0000000000000010, f: 1536, wnb: 2, crypto_lskcipher_crypt_sg
ffff8880798ffae0, flags: 514, ctx: ffff88807b10a020, crypto_arc4_crypt

==================================================================
BUG: KASAN: slab-out-of-bounds in arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46

Read of size 4 at addr ffff8880798ffee0 by task syz-executor.0/5493

CPU: 1 PID: 5493 Comm: syz-executor.0 Not tainted 6.7.0-rc5-next-20231215-syzkaller-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46

crypto_arc4_crypt+0x7f/0x90 crypto/arc4.c:38
crypto_lskcipher_crypt_sg+0x41f/0x680 crypto/lskcipher.c:236
crypto_skcipher_decrypt+0xda/0x160 crypto/skcipher.c:693
_skcipher_recvmsg crypto/algif_skcipher.c:200 [inline]
skcipher_recvmsg+0xc41/0x1050 crypto/algif_skcipher.c:222

sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1066
____sys_recvmsg+0x21f/0x5c0 net/socket.c:2801
___sys_recvmsg+0x115/0x1a0 net/socket.c:2843
__sys_recvmsg+0x114/0x1e0 net/socket.c:2873
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a

RIP: 0033:0x7f34dc47cba9

Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f34dd1060c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007f34dc59bf80 RCX: 00007f34dc47cba9

RDX: 0000000000000000 RSI: 00000000200005c0 RDI: 0000000000000004

RBP: 00007f34dc4c847a R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 000000000000000b R14: 00007f34dc59bf80 R15: 00007ffcf6c49838

</TASK>

Allocated by task 78:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_set_track+0x24/0x30 mm/kasan/common.c:61
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slub.c:3817 [inline]
slab_alloc_node mm/slub.c:3864 [inline]
kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3883
__d_alloc+0x32/0xac0 fs/dcache.c:1769
d_alloc+0x4e/0x220 fs/dcache.c:1849
d_alloc_parallel+0xe9/0x12d0 fs/dcache.c:2638
__lookup_slow+0x194/0x450 fs/namei.c:1678
lookup_one_len+0x17d/0x1b0 fs/namei.c:2755

securityfs_create_dentry+0xe3/0x4c0 security/inode.c:131
lockdown_secfs_init+0x29/0x60 security/lockdown/lockdown.c:159

do_one_initcall+0x128/0x680 init/main.c:1236
do_initcall_level init/main.c:1298 [inline]
do_initcalls init/main.c:1314 [inline]
do_basic_setup init/main.c:1333 [inline]
kernel_init_freeable+0x692/0xc30 init/main.c:1551
kernel_init+0x1c/0x2a0 init/main.c:1441

ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Last potentially related work creation:

set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1540
prep_new_page mm/page_alloc.c:1547 [inline]
get_page_from_freelist+0xa19/0x3740 mm/page_alloc.c:3355
__alloc_pages+0x22e/0x2410 mm/page_alloc.c:4611
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:2191 [inline]
allocate_slab mm/slub.c:2358 [inline]
new_slab+0x283/0x3c0 mm/slub.c:2411
___slab_alloc+0x4ab/0x1990 mm/slub.c:3544
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3629
__slab_alloc_node mm/slub.c:3682 [inline]
slab_alloc_node mm/slub.c:3854 [inline]

kmalloc_trace+0x2ff/0x330 mm/slub.c:4011
kmalloc include/linux/slab.h:590 [inline]
kzalloc include/linux/slab.h:711 [inline]
acpi_ec_alloc+0x3c/0x380 drivers/acpi/ec.c:1374
acpi_ec_dsdt_probe+0x26/0x160 drivers/acpi/ec.c:1761

acpi_bus_init drivers/acpi/bus.c:1372 [inline]
acpi_init+0x2c5/0xb70 drivers/acpi/bus.c:1430
do_one_initcall+0x128/0x680 init/main.c:1236
do_initcall_level init/main.c:1298 [inline]
do_initcalls init/main.c:1314 [inline]
do_basic_setup init/main.c:1333 [inline]
kernel_init_freeable+0x692/0xc30 init/main.c:1551
kernel_init+0x1c/0x2a0 init/main.c:1441

ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Second to last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47

kasan_set_track+0x24/0x30 mm/kasan/common.c:61
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slub.c:3817 [inline]
slab_alloc_node mm/slub.c:3864 [inline]

kmem_cache_alloc+0x136/0x320 mm/slub.c:3871
kmem_cache_zalloc include/linux/slab.h:701 [inline]
acpi_os_acquire_object include/acpi/platform/aclinuxex.h:67 [inline]
acpi_ut_allocate_object_desc_dbg drivers/acpi/acpica/utobject.c:359 [inline]
acpi_ut_create_internal_object_dbg+0x7b/0x400 drivers/acpi/acpica/utobject.c:69

acpi_ex_create_method+0x35/0x2c0 drivers/acpi/acpica/excreate.c:421
acpi_ds_load2_end_op+0xd85/0x1070 drivers/acpi/acpica/dswload2.c:668
acpi_ds_exec_end_op+0x513/0x1460 drivers/acpi/acpica/dswexec.c:638

acpi_ps_parse_loop+0x429/0x1ce0 drivers/acpi/acpica/psloop.c:525
acpi_ps_parse_aml+0x3c1/0xca0 drivers/acpi/acpica/psparse.c:475
acpi_ps_execute_table+0x37b/0x4c0 drivers/acpi/acpica/psxface.c:295
acpi_ns_execute_table+0x3ee/0x550 drivers/acpi/acpica/nsparse.c:116
acpi_ns_load_table+0x5b/0x130 drivers/acpi/acpica/nsload.c:71
acpi_tb_load_namespace+0x435/0x700 drivers/acpi/acpica/tbxfload.c:186
acpi_load_tables+0x2c/0x110 drivers/acpi/acpica/tbxfload.c:59
acpi_bus_init drivers/acpi/bus.c:1321 [inline]
acpi_init+0x123/0xb70 drivers/acpi/bus.c:1430
do_one_initcall+0x128/0x680 init/main.c:1236
do_initcall_level init/main.c:1298 [inline]
do_initcalls init/main.c:1314 [inline]
do_basic_setup init/main.c:1333 [inline]
kernel_init_freeable+0x692/0xc30 init/main.c:1551
kernel_init+0x1c/0x2a0 init/main.c:1441

ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

The buggy address belongs to the object at ffff8880798ff800

which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 1024 bytes to the right of

allocated 736-byte region [ffff8880798ff800, ffff8880798ffae0)

The buggy address belongs to the physical page:

page:ffffea0001e63e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x798f8
head:ffffea0001e63e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0

flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()

raw: 00fff00000000840 ffff888013041dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000

page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4738, tgid 4738 (dhcpcd-run-hook), ts 46995283544, free_ts 46977104435

set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1540
prep_new_page mm/page_alloc.c:1547 [inline]
get_page_from_freelist+0xa19/0x3740 mm/page_alloc.c:3355
__alloc_pages+0x22e/0x2410 mm/page_alloc.c:4611
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:2191 [inline]
allocate_slab mm/slub.c:2358 [inline]
new_slab+0x283/0x3c0 mm/slub.c:2411
___slab_alloc+0x4ab/0x1990 mm/slub.c:3544
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3629
__slab_alloc_node mm/slub.c:3682 [inline]
slab_alloc_node mm/slub.c:3854 [inline]
__do_kmalloc_node mm/slub.c:3984 [inline]

__kmalloc+0x3b4/0x440 mm/slub.c:3998
kmalloc include/linux/slab.h:594 [inline]

kzalloc include/linux/slab.h:711 [inline]
tomoyo_init_log+0x142a/0x2100 security/tomoyo/audit.c:275
tomoyo_supervisor+0x30c/0xea0 security/tomoyo/common.c:2089
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x18f/0x200 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0xef5/0x2020 security/tomoyo/domain.c:878
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
tomoyo_bprm_check_security+0x12a/0x1d0 security/tomoyo/tomoyo.c:92
security_bprm_check+0x6a/0xe0 security/security.c:1187
search_binary_handler fs/exec.c:1724 [inline]

exec_binprm fs/exec.c:1778 [inline]
bprm_execve fs/exec.c:1853 [inline]

bprm_execve+0x730/0x1a80 fs/exec.c:1809
do_execveat_common.isra.0+0x679/0x8e0 fs/exec.c:1974
page last free pid 4737 tgid 4737 stack trace:

reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x51f/0xb10 mm/page_alloc.c:2390
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2530

__put_partials+0x14c/0x160 mm/slub.c:2926
qlink_free mm/kasan/quarantine.c:178 [inline]
qlist_free_all+0xc1/0x1e0 mm/kasan/quarantine.c:194
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:301
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:306

kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slub.c:3817 [inline]
slab_alloc_node mm/slub.c:3864 [inline]

kmalloc_trace+0x147/0x330 mm/slub.c:4011
kmalloc include/linux/slab.h:590 [inline]
tomoyo_print_header security/tomoyo/audit.c:156 [inline]
tomoyo_init_log+0x19f/0x2100 security/tomoyo/audit.c:255
tomoyo_supervisor+0x30c/0xea0 security/tomoyo/common.c:2089
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission security/tomoyo/file.c:587 [inline]
tomoyo_path_permission+0x270/0x3b0 security/tomoyo/file.c:573
tomoyo_check_open_permission+0x373/0x3b0 security/tomoyo/file.c:777
tomoyo_file_open security/tomoyo/tomoyo.c:333 [inline]
tomoyo_file_open+0xa7/0xd0 security/tomoyo/tomoyo.c:328
security_file_open+0x75/0x620 security/security.c:2914
do_dentry_open+0x583/0x18c0 fs/open.c:940
do_open fs/namei.c:3631 [inline]
path_openat+0x1df1/0x2990 fs/namei.c:3788
do_filp_open+0x1dc/0x430 fs/namei.c:3815

Memory state around the buggy address:

ffff8880798ffd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880798ffe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880798ffe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880798fff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880798fff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

==================================================================


Tested on:

commit: 17cb8a20 Add linux-next specific files for 20231215
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git

console output: https://syzkaller.appspot.com/x/log.txt?x=16624b3ee80000

kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=16765921e80000

[Edward Adam Davis]

please test slab-out-of-bounds Read in arc4_crypt

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 17cb8a20bde6

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c

index 02cea2149504..1c50f6e3f334 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -120,6 +120,10 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
if (IS_ERR(areq))
return PTR_ERR(areq);

+ printk("req: %p, areqlen: %u, %s\n",
+ &areq->cra_u.skcipher_req, areq->areqlen, __func__);
+ if (areq->areqlen < 1032)
+ areq->cra_u.skcipher_req->__ctx = kzalloc(1032, GFP_KERNEL);

/* convert iovecs of output buffers into RX SGL */
err = af_alg_get_rsgl(sk, msg, flags, areq, ctx->used, &len);
if (err)
diff --git a/crypto/arc4.c b/crypto/arc4.c
index 1a4825c97c5a..79621f4f4c68 100644
--- a/crypto/arc4.c
+++ b/crypto/arc4.c
@@ -29,6 +29,7 @@ static int crypto_arc4_crypt(struct crypto_lskcipher *tfm, const u8 *src,
{
struct arc4_ctx *ctx = crypto_lskcipher_ctx(tfm);

+ printk("%p, flags: %u, ctx: %p, %s\n", siv, flags, ctx, __func__);
if (!(flags & CRYPTO_LSKCIPHER_FLAG_CONT))
memcpy(siv, ctx, sizeof(*ctx));

diff --git a/crypto/lskcipher.c b/crypto/lskcipher.c

index a06008e112f3..4dda11ce6536 100644

--- a/crypto/lskcipher.c
+++ b/crypto/lskcipher.c
@@ -215,6 +215,10 @@ static int crypto_lskcipher_crypt_sg(struct skcipher_request *req,

flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP;

+ printk("r: %p, ivs: %p, v: %d, s: %u, ri: %p, wi: %p, f: %u, wnb: %u, am: %u, %s\n",

+ req, ivs, IS_ERR_OR_NULL(ivs), ivsize, req->iv, walk.iv,

+ req->base.flags, walk.nbytes, crypto_skcipher_alignmask(skcipher), __func__);

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

crypto/algif_skcipher.c:126:41: error: invalid type argument of '->' (have 'struct skcipher_request')

Tested on:

commit: 17cb8a20 Add linux-next specific files for 20231215
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git

kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=14d50921e80000

[Edward Adam Davis]

please test slab-out-of-bounds Read in arc4_crypt

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 17cb8a20bde6

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 02cea2149504..1c50f6e3f334 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -120,6 +120,10 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
if (IS_ERR(areq))
return PTR_ERR(areq);

+ printk("req: %p, areqlen: %u, %s\n",
+ &areq->cra_u.skcipher_req, areq->areqlen, __func__);
+ if (areq->areqlen < 1032)

+ areq->cra_u.skcipher_req.__ctx = kzalloc(1032, GFP_KERNEL);

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

crypto/algif_skcipher.c:126:48: error: invalid use of flexible array member

Tested on:

commit: 17cb8a20 Add linux-next specific files for 20231215
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=10a124e9e80000

[Edward Adam Davis]

please test slab-out-of-bounds Read in arc4_crypt

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 17cb8a20bde6

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c

index 02cea2149504..e1f44dc60e4a 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -106,7 +106,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
struct af_alg_async_req *areq;
unsigned cflags = 0;
int err = 0;
- size_t len = 0;
+ size_t len = 0, aqlen;

if (!ctx->init || (ctx->more && ctx->used < bs)) {
err = af_alg_wait_for_data(sk, flags, bs);
@@ -115,11 +115,13 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
}

/* Allocate cipher request for current operation. */
- areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
- crypto_skcipher_reqsize(tfm));
+ aqlen = sizeof(struct af_alg_async_req) + crypto_skcipher_reqsize(tfm);
+ areq = af_alg_alloc_areq(sk, aqlen + 1032);
if (IS_ERR(areq))
return PTR_ERR(areq);

+ printk("req: %p, areqlen: %u, al: %u, %s\n",
+ &areq->cra_u.skcipher_req, areq->areqlen, aqlen, __func__);

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+8ffb08...@syzkaller.appspotmail.com

Tested on:

commit: 17cb8a20 Add linux-next specific files for 20231215
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git

console output: https://syzkaller.appspot.com/x/log.txt?x=11bf56f1e80000

kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=15903701e80000

Note: testing is done by a robot and is best-effort only.

[Edward Adam Davis]

please test slab-out-of-bounds Read in arc4_crypt

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 17cb8a20bde6

diff --git a/crypto/lskcipher.c b/crypto/lskcipher.c
index a06008e112f3..f7727698b797 100644
--- a/crypto/lskcipher.c
+++ b/crypto/lskcipher.c
@@ -205,11 +205,19 @@ static int crypto_lskcipher_crypt_sg(struct skcipher_request *req,
struct crypto_lskcipher **ctx = crypto_skcipher_ctx(skcipher);
u8 *ivs = skcipher_request_ctx(req);
struct crypto_lskcipher *tfm = *ctx;
+ struct lskcipher_alg *alg = crypto_lskcipher_alg(tfm);
struct skcipher_walk walk;
unsigned ivsize;
u32 flags;
int err;
+ static u8 relen;

+ if (!relen) {
+ printk("req: %p, alg: %p, ss: %u, %s\n", req, alg, alg->co.statesize, __func__);
+ *req->__ctx = kzalloc(alg->co.statesize, GFP_KERNEL);
+ req->areqlen += alg->co.statesize;
+ relen = 1;
+ }
ivsize = crypto_lskcipher_ivsize(tfm);
ivs = PTR_ALIGN(ivs, crypto_skcipher_alignmask(skcipher) + 1);

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

crypto/lskcipher.c:218:20: error: 'struct skcipher_request' has no member named 'areqlen'

Tested on:

commit: 17cb8a20 Add linux-next specific files for 20231215
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git

kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=155c7011e80000

[Edward Adam Davis]

please test slab-out-of-bounds Read in arc4_crypt

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 17cb8a20bde6

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 02cea2149504..236ba4221b07 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -102,11 +102,12 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
struct alg_sock *pask = alg_sk(psk);
struct af_alg_ctx *ctx = ask->private;
struct crypto_skcipher *tfm = pask->private;
+ struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
unsigned int bs = crypto_skcipher_chunksize(tfm);

struct af_alg_async_req *areq;
unsigned cflags = 0;
int err = 0;
- size_t len = 0;
+ size_t len = 0, aqlen;

if (!ctx->init || (ctx->more && ctx->used < bs)) {
err = af_alg_wait_for_data(sk, flags, bs);

@@ -115,8 +116,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,

}

/* Allocate cipher request for current operation. */
- areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
- crypto_skcipher_reqsize(tfm));
+ aqlen = sizeof(struct af_alg_async_req) + crypto_skcipher_reqsize(tfm);

+ if (alg->co.base.cra_type != &crypto_skcipher_type)
+ aqlen += alg->co.statesize;
+ printk("%u, %s\n", alg->co.statesize, __func__);
+ areq = af_alg_alloc_areq(sk, aqlen);
if (IS_ERR(areq))
return PTR_ERR(areq);

diff --git a/crypto/skcipher.c b/crypto/skcipher.c
index bc70e159d27d..0ae4a05a5aa7 100644
--- a/crypto/skcipher.c
+++ b/crypto/skcipher.c
@@ -44,7 +44,6 @@ struct skcipher_walk_buffer {
u8 buffer[];
};

-static const struct crypto_type crypto_skcipher_type;

static int skcipher_walk_next(struct skcipher_walk *walk);

diff --git a/include/crypto/internal/skcipher.h b/include/crypto/internal/skcipher.h
index 7ae42afdcf3e..3c05872652f2 100644
--- a/include/crypto/internal/skcipher.h
+++ b/include/crypto/internal/skcipher.h
@@ -24,6 +24,7 @@

struct aead_request;
struct rtattr;
+static const struct crypto_type crypto_skcipher_type;

struct skcipher_instance {
void (*free)(struct skcipher_instance *inst);

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

crypto/algif_skcipher.c:120:39: error: 'crypto_skcipher_type' undeclared (first use in this function); did you mean 'crypto_skcipher_tfm'?

Tested on:

commit: 17cb8a20 Add linux-next specific files for 20231215
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=1546519ee80000

[Edward Adam Davis]

please test slab-out-of-bounds Read in arc4_crypt

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 17cb8a20bde6

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c

index 02cea2149504..72ce8e9c16d5 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -33,6 +33,7 @@
#include <linux/module.h>
#include <linux/net.h>
#include <net/sock.h>
+#include <crypto/internal/skcipher.h>

static int skcipher_sendmsg(struct socket *sock, struct msghdr *msg,
size_t size)
@@ -102,11 +103,12 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,

struct alg_sock *pask = alg_sk(psk);
struct af_alg_ctx *ctx = ask->private;
struct crypto_skcipher *tfm = pask->private;
+ struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
unsigned int bs = crypto_skcipher_chunksize(tfm);
struct af_alg_async_req *areq;
unsigned cflags = 0;
int err = 0;
- size_t len = 0;
+ size_t len = 0, aqlen;

if (!ctx->init || (ctx->more && ctx->used < bs)) {
err = af_alg_wait_for_data(sk, flags, bs);

@@ -115,8 +117,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in arc4_crypt

"syz-executor.0" (5486) uses obsolete ecb(arc4) skcipher
0, _skcipher_recvmsg

==================================================================
BUG: KASAN: slab-out-of-bounds in arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46

Read of size 4 at addr ffff8880221f66e0 by task syz-executor.0/5486

CPU: 0 PID: 5486 Comm: syz-executor.0 Not tainted 6.7.0-rc5-next-20231215-syzkaller-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46

crypto_arc4_crypt+0x61/0x70 crypto/arc4.c:37
crypto_lskcipher_crypt_sg+0x28c/0x460 crypto/lskcipher.c:229

crypto_skcipher_decrypt+0xda/0x160 crypto/skcipher.c:692
_skcipher_recvmsg crypto/algif_skcipher.c:204 [inline]
skcipher_recvmsg+0xcd6/0x1100 crypto/algif_skcipher.c:226

sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1066
____sys_recvmsg+0x21f/0x5c0 net/socket.c:2801
___sys_recvmsg+0x115/0x1a0 net/socket.c:2843
__sys_recvmsg+0x114/0x1e0 net/socket.c:2873
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a

RIP: 0033:0x7fa471e7cba9

Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007fa472b000c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007fa471f9bf80 RCX: 00007fa471e7cba9

RDX: 0000000000000000 RSI: 00000000200005c0 RDI: 0000000000000004

RBP: 00007fa471ec847a R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 000000000000000b R14: 00007fa471f9bf80 R15: 00007ffec9ceddb8

</TASK>

Allocated by task 78:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_set_track+0x24/0x30 mm/kasan/common.c:61

____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:384

kmalloc include/linux/slab.h:590 [inline]
kzalloc include/linux/slab.h:711 [inline]

mpls_add_dev net/mpls/af_mpls.c:1461 [inline]
mpls_dev_notify+0x339/0xa00 net/mpls/af_mpls.c:1618
notifier_call_chain+0xb6/0x3d0 kernel/notifier.c:93
call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1966
call_netdevice_notifiers_extack net/core/dev.c:2004 [inline]
call_netdevice_notifiers net/core/dev.c:2018 [inline]
register_netdevice+0x16e2/0x1da0 net/core/dev.c:10288
lowpan_newlink+0x30b/0x5c0 net/ieee802154/6lowpan/core.c:174
rtnl_newlink_create net/core/rtnetlink.c:3521 [inline]
__rtnl_newlink+0x118a/0x1940 net/core/rtnetlink.c:3741
rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3754
rtnetlink_rcv_msg+0x3c7/0xe00 net/core/rtnetlink.c:6566
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367
netlink_sendmsg+0x8b4/0xd70 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x225/0x310 net/socket.c:2189
__do_sys_sendto net/socket.c:2201 [inline]
__se_sys_sendto net/socket.c:2197 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2197

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a

Last potentially related work creation:
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1540
prep_new_page mm/page_alloc.c:1547 [inline]
get_page_from_freelist+0xa19/0x3740 mm/page_alloc.c:3355
__alloc_pages+0x22e/0x2410 mm/page_alloc.c:4611
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:2191 [inline]
allocate_slab mm/slub.c:2358 [inline]
new_slab+0x283/0x3c0 mm/slub.c:2411
___slab_alloc+0x4ab/0x1990 mm/slub.c:3544
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3629
__slab_alloc_node mm/slub.c:3682 [inline]
slab_alloc_node mm/slub.c:3854 [inline]
kmalloc_trace+0x2ff/0x330 mm/slub.c:4011
kmalloc include/linux/slab.h:590 [inline]
kzalloc include/linux/slab.h:711 [inline]

acpi_os_allocate_zeroed include/acpi/platform/aclinuxex.h:57 [inline]
acpi_ut_evaluate_object+0x80/0x490 drivers/acpi/acpica/uteval.c:50
acpi_ut_execute_CID+0x9a/0x780 drivers/acpi/acpica/utids.c:214
acpi_ns_get_device_callback+0x2ee/0x510 drivers/acpi/acpica/nsxfeval.c:694

acpi_ns_walk_namespace+0x3fe/0x5a0 drivers/acpi/acpica/nswalk.c:233
acpi_get_devices+0x135/0x160 drivers/acpi/acpica/nsxfeval.c:805

acpi_early_processor_control_setup+0x5a/0xb0 drivers/acpi/acpi_processor.c:601
acpi_bus_init drivers/acpi/bus.c:1366 [inline]
acpi_init+0x2c0/0xb70 drivers/acpi/bus.c:1430
do_one_initcall+0x128/0x680 init/main.c:1236

Second to last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_set_track+0x24/0x30 mm/kasan/common.c:61
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slub.c:3817 [inline]
slab_alloc_node mm/slub.c:3864 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3871
kmem_cache_zalloc include/linux/slab.h:701 [inline]
acpi_os_acquire_object include/acpi/platform/aclinuxex.h:67 [inline]

acpi_ns_create_node+0x68/0x100 drivers/acpi/acpica/nsalloc.c:35
acpi_ns_search_and_enter+0x2ec/0x810 drivers/acpi/acpica/nssearch.c:373
acpi_ns_lookup+0x71e/0xce0 drivers/acpi/acpica/nsaccess.c:589
acpi_ds_create_buffer_field+0x2dc/0x610 drivers/acpi/acpica/dsfield.c:176

acpi_ds_load2_end_op+0x5d8/0x1070 drivers/acpi/acpica/dswload2.c:475
acpi_ds_exec_end_op+0xbb7/0x1460 drivers/acpi/acpica/dswexec.c:542

acpi_ps_parse_loop+0x429/0x1ce0 drivers/acpi/acpica/psloop.c:525
acpi_ps_parse_aml+0x3c1/0xca0 drivers/acpi/acpica/psparse.c:475
acpi_ps_execute_table+0x37b/0x4c0 drivers/acpi/acpica/psxface.c:295
acpi_ns_execute_table+0x3ee/0x550 drivers/acpi/acpica/nsparse.c:116
acpi_ns_load_table+0x5b/0x130 drivers/acpi/acpica/nsload.c:71
acpi_tb_load_namespace+0x435/0x700 drivers/acpi/acpica/tbxfload.c:186
acpi_load_tables+0x2c/0x110 drivers/acpi/acpica/tbxfload.c:59
acpi_bus_init drivers/acpi/bus.c:1321 [inline]
acpi_init+0x123/0xb70 drivers/acpi/bus.c:1430
do_one_initcall+0x128/0x680 init/main.c:1236
do_initcall_level init/main.c:1298 [inline]
do_initcalls init/main.c:1314 [inline]
do_basic_setup init/main.c:1333 [inline]
kernel_init_freeable+0x692/0xc30 init/main.c:1551
kernel_init+0x1c/0x2a0 init/main.c:1441
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

The buggy address belongs to the object at ffff8880221f6000

which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 1024 bytes to the right of

allocated 736-byte region [ffff8880221f6000, ffff8880221f62e0)

The buggy address belongs to the physical page:

page:ffffea0000887c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x221f0
head:ffffea0000887c00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888013041dc0 ffffea0000a19000 0000000000000003
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000

page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 12, tgid 12 (kworker/u4:1), ts 88321977785, free_ts 88105026975

set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1540
prep_new_page mm/page_alloc.c:1547 [inline]
get_page_from_freelist+0xa19/0x3740 mm/page_alloc.c:3355
__alloc_pages+0x22e/0x2410 mm/page_alloc.c:4611
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:2191 [inline]
allocate_slab mm/slub.c:2358 [inline]
new_slab+0x283/0x3c0 mm/slub.c:2411
___slab_alloc+0x4ab/0x1990 mm/slub.c:3544
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3629
__slab_alloc_node mm/slub.c:3682 [inline]
slab_alloc_node mm/slub.c:3854 [inline]
__do_kmalloc_node mm/slub.c:3984 [inline]

__kmalloc_node_track_caller+0x367/0x470 mm/slub.c:4005
kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1298 [inline]
nlmsg_new include/net/netlink.h:1010 [inline]
inet6_rt_notify+0xf0/0x2b0 net/ipv6/route.c:6171
fib6_del_route net/ipv6/ip6_fib.c:1999 [inline]
fib6_del+0xfae/0x17a0 net/ipv6/ip6_fib.c:2034
fib6_clean_node+0x41f/0x5b0 net/ipv6/ip6_fib.c:2196
fib6_walk_continue+0x44c/0x8c0 net/ipv6/ip6_fib.c:2118
fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2166
fib6_clean_tree+0xd7/0x110 net/ipv6/ip6_fib.c:2246

page last free pid 5144 tgid 5144 stack trace:

reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x51f/0xb10 mm/page_alloc.c:2390
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2530
__put_partials+0x14c/0x160 mm/slub.c:2926
qlink_free mm/kasan/quarantine.c:178 [inline]
qlist_free_all+0xc1/0x1e0 mm/kasan/quarantine.c:194
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:301
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:306
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slub.c:3817 [inline]
slab_alloc_node mm/slub.c:3864 [inline]

kmem_cache_alloc+0x136/0x320 mm/slub.c:3871
vm_area_alloc+0x1f/0x220 kernel/fork.c:463
do_brk_flags+0x2e1/0x1e30 mm/mmap.c:3166
__do_sys_brk+0x6ec/0xb40 mm/mmap.c:259

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a

Memory state around the buggy address:

ffff8880221f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880221f6600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880221f6680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880221f6700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880221f6780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Tested on:

commit: 17cb8a20 Add linux-next specific files for 20231215
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git

console output: https://syzkaller.appspot.com/x/log.txt?x=12e6ec26e80000

kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=14d429d6e80000

[Edward Adam Davis]

please test slab-out-of-bounds Read in arc4_crypt

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 17cb8a20bde6

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c

index 02cea2149504..b69d361b5515 100644

--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -33,6 +33,7 @@
#include <linux/module.h>
#include <linux/net.h>
#include <net/sock.h>
+#include <crypto/internal/skcipher.h>

static int skcipher_sendmsg(struct socket *sock, struct msghdr *msg,
size_t size)
@@ -102,11 +103,12 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
struct alg_sock *pask = alg_sk(psk);
struct af_alg_ctx *ctx = ask->private;
struct crypto_skcipher *tfm = pask->private;
+ struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
unsigned int bs = crypto_skcipher_chunksize(tfm);
struct af_alg_async_req *areq;
unsigned cflags = 0;
int err = 0;
- size_t len = 0;
+ size_t len = 0, aqlen;

if (!ctx->init || (ctx->more && ctx->used < bs)) {
err = af_alg_wait_for_data(sk, flags, bs);

@@ -115,8 +117,10 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,

}

/* Allocate cipher request for current operation. */
- areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
- crypto_skcipher_reqsize(tfm));
+ aqlen = sizeof(struct af_alg_async_req) + crypto_skcipher_reqsize(tfm);
+ if (alg->co.base.cra_type != &crypto_skcipher_type)

+ aqlen += 1032;

[Edward Adam Davis]

The space allocated to areq is not sufficient to access the member __ctx of
struct skcipher_request, as the space occupied by struct arc4_ctx for reading
is 1032 bytes, while the requested memory size in skcipher_recvmsg() is:
sizeof(struct af_alg_async_req) + crypto_skcipher_reqsize(tfm) = 736 bytes,
which does not include the memory required for __ctx of struct skcipher_request.

Reported-by: syzbot+8ffb08...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
crypto/algif_skcipher.c | 10 +++++++---
crypto/skcipher.c | 1 -
include/crypto/internal/skcipher.h | 1 +
3 files changed, 8 insertions(+), 4 deletions(-)

--
2.43.0

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+8ffb08...@syzkaller.appspotmail.com

Tested on:

commit: 17cb8a20 Add linux-next specific files for 20231215
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git

console output: https://syzkaller.appspot.com/x/log.txt?x=162b1ac9e80000

kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=179117d1e80000

[Herbert Xu]

On Wed, Dec 20, 2023 at 11:53:55PM +0800, Edward Adam Davis wrote:
> The space allocated to areq is not sufficient to access the member __ctx of
> struct skcipher_request, as the space occupied by struct arc4_ctx for reading
> is 1032 bytes, while the requested memory size in skcipher_recvmsg() is:
> sizeof(struct af_alg_async_req) + crypto_skcipher_reqsize(tfm) = 736 bytes,
> which does not include the memory required for __ctx of struct skcipher_request.

I cannot reproduce this. The total allocated size I get is 1768.

How can crypto_skcipher_reqsize(tfm) return zero?

Thanks,
--
Email: Herbert Xu <her...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[Herbert Xu]

On Wed, Dec 20, 2023 at 11:53:55PM +0800, Edward Adam Davis wrote:

> The space allocated to areq is not sufficient to access the member __ctx of
> struct skcipher_request, as the space occupied by struct arc4_ctx for reading
> is 1032 bytes, while the requested memory size in skcipher_recvmsg() is:
> sizeof(struct af_alg_async_req) + crypto_skcipher_reqsize(tfm) = 736 bytes,
> which does not include the memory required for __ctx of struct skcipher_request.
>
> Reported-by: syzbot+8ffb08...@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <ead...@qq.com>
> ---
> crypto/algif_skcipher.c | 10 +++++++---
> crypto/skcipher.c | 1 -
> include/crypto/internal/skcipher.h | 1 +
> 3 files changed, 8 insertions(+), 4 deletions(-)

I see where the real bug is. The statesize is not being passed
along by ecb so that's why we end up with no memory.

Cheers,

[Herbert Xu]

On Mon, Dec 18, 2023 at 06:43:27AM -0800, syzbot wrote:
>
> syzbot found the following issue on:
>
> HEAD commit: 17cb8a20bde6 Add linux-next specific files for 20231215
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1129f3b6e80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
> dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17d23c01e80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14cfe021e80000

---8<---
When ecb is used to wrap an lskcipher, the statesize isn't set
correctly. Fix this by making the simple instance creator set
the statesize.

Reported-by: syzbot+8ffb08...@syzkaller.appspotmail.com
Reported-by: Edward Adam Davis <ead...@qq.com>
Fixes: 662ea18d089b ("crypto: skcipher - Make use of internal state")
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>

diff --git a/crypto/lskcipher.c b/crypto/lskcipher.c
index a06008e112f3..0b6dd8aa21f2 100644
--- a/crypto/lskcipher.c
+++ b/crypto/lskcipher.c
@@ -642,6 +642,7 @@ struct lskcipher_instance *lskcipher_alloc_instance_simple(
inst->alg.co.min_keysize = cipher_alg->co.min_keysize;
inst->alg.co.max_keysize = cipher_alg->co.max_keysize;
inst->alg.co.ivsize = cipher_alg->co.base.cra_blocksize;
+ inst->alg.co.statesize = cipher_alg->co.statesize;

/* Use struct crypto_lskcipher * by default, can be overridden */
inst->alg.co.base.cra_ctxsize = sizeof(struct crypto_lskcipher *);

[kernel test robot]

Hi Edward,

kernel test robot noticed the following build warnings:

[auto build test WARNING on next-20231222]

url: https://github.com/intel-lab-lkp/linux/commits/Edward-Adam-Davis/crypto-fix-oob-Read-in-arc4_crypt/20231222-172845
base: next-20231222
patch link: https://lore.kernel.org/r/tencent_656D589558EA3EED8ACF3C79166F202E010A%40qq.com
patch subject: [PATCH next] crypto: fix oob Read in arc4_crypt
config: i386-buildonly-randconfig-003-20231224 (https://download.01.org/0day-ci/archive/20231225/202312250259...@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231225/202312250259...@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <l...@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202312250259...@intel.com/

All warnings (new ones prefixed by >>):

In file included from drivers/crypto/padlock-aes.c:13:
>> include/crypto/internal/skcipher.h:27:33: warning: 'crypto_skcipher_type' defined but not used [-Wunused-const-variable=]
27 | static const struct crypto_type crypto_skcipher_type;
| ^~~~~~~~~~~~~~~~~~~~


vim +/crypto_skcipher_type +27 include/crypto/internal/skcipher.h

24
25 struct aead_request;
26 struct rtattr;
> 27 static const struct crypto_type crypto_skcipher_type;
28

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki