[syzbot] [crypto?] general protection fault in aead_recvmsg


syzbot

12:32 PM
to da...@davemloft.net, her...@gondor.apana.org.au, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: d8a9a4b11a13 Merge tag 'v7.0-rc6-smb3-client-fix' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17649d02580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6754c86e8d9e4c91
dashboard link: https://syzkaller.appspot.com/bug?extid=aa11561819dc42ebbc7c
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17b0946a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17eb8dda580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ecb473e5a4ef/disk-d8a9a4b1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/eaedee0e571e/vmlinux-d8a9a4b1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e2ba27a7ba82/bzImage-d8a9a4b1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aa1156...@syzkaller.appspotmail.com

trusted_key: syz.0.17 sent an empty control message without MSG_MORE.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 UID: 0 PID: 5987 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
RIP: 0010:memcpy_sglist+0x420/0x730 crypto/scatterwalk.c:177
Code: e8 b5 b9 52 fd f6 c3 01 0f 85 0a 01 00 00 e8 c7 b4 52 fd 4c 89 f3 eb 07 e8 bd b4 52 fd 31 db 4c 8d 7b 08 4c 89 f8 48 c1 e8 03 <0f> b6 04 28 84 c0 0f 85 1d 02 00 00 41 8b 07 89 44 24 04 49 8d 7d
RSP: 0018:ffffc900035a7698 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff888026dc1e80
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
RBP: dffffc0000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88802543b200 R14: ffff888033865080 R15: 0000000000000008
FS: 000055556d3e1500(0000) GS:ffff888125457000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000004580 CR3: 0000000035e06000 CR4: 00000000003526f0
Call Trace:
<TASK>
_aead_recvmsg crypto/algif_aead.c:186 [inline]
aead_recvmsg+0x719/0x1030 crypto/algif_aead.c:240
sock_recvmsg_nosec+0x10c/0x140 net/socket.c:1078
____sys_recvmsg+0x3e3/0x4a0 net/socket.c:2810
___sys_recvmsg+0x215/0x590 net/socket.c:2854
do_recvmmsg+0x334/0x800 net/socket.c:2949
__sys_recvmmsg net/socket.c:3023 [inline]
__do_sys_recvmmsg net/socket.c:3046 [inline]
__se_sys_recvmmsg net/socket.c:3039 [inline]
__x64_sys_recvmmsg+0x198/0x250 net/socket.c:3039
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f726eb9c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc9ba0f7c8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007f726ee15fa0 RCX: 00007f726eb9c819
RDX: 0000000000000002 RSI: 0000200000004580 RDI: 0000000000000004
RBP: 00007f726ec32c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000060 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f726ee15fac R14: 00007f726ee15fa0 R15: 00007f726ee15fa0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:memcpy_sglist+0x420/0x730 crypto/scatterwalk.c:177
Code: e8 b5 b9 52 fd f6 c3 01 0f 85 0a 01 00 00 e8 c7 b4 52 fd 4c 89 f3 eb 07 e8 bd b4 52 fd 31 db 4c 8d 7b 08 4c 89 f8 48 c1 e8 03 <0f> b6 04 28 84 c0 0f 85 1d 02 00 00 41 8b 07 89 44 24 04 49 8d 7d
RSP: 0018:ffffc900035a7698 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff888026dc1e80
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
RBP: dffffc0000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88802543b200 R14: ffff888033865080 R15: 0000000000000008
FS: 000055556d3e1500(0000) GS:ffff888125557000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055607067bee0 CR3: 0000000035e06000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: e8 b5 b9 52 fd call 0xfd52b9ba
5: f6 c3 01 test $0x1,%bl
8: 0f 85 0a 01 00 00 jne 0x118
e: e8 c7 b4 52 fd call 0xfd52b4da
13: 4c 89 f3 mov %r14,%rbx
16: eb 07 jmp 0x1f
18: e8 bd b4 52 fd call 0xfd52b4da
1d: 31 db xor %ebx,%ebx
1f: 4c 8d 7b 08 lea 0x8(%rbx),%r15
23: 4c 89 f8 mov %r15,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 0f b6 04 28 movzbl (%rax,%rbp,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 1d 02 00 00 jne 0x253
36: 41 8b 07 mov (%r15),%eax
39: 89 44 24 04 mov %eax,0x4(%rsp)
3d: 49 rex.WB
3e: 8d .byte 0x8d
3f: 7d .byte 0x7d


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Herbert Xu

11:06 PM
to syzbot, da...@davemloft.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Stephan Mueller
On Fri, Apr 03, 2026 at 09:32:26AM -0700, syzbot wrote:
>
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> CPU: 0 UID: 0 PID: 5987 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
> RIP: 0010:memcpy_sglist+0x420/0x730 crypto/scatterwalk.c:177
> Code: e8 b5 b9 52 fd f6 c3 01 0f 85 0a 01 00 00 e8 c7 b4 52 fd 4c 89 f3 eb 07 e8 bd b4 52 fd 31 db 4c 8d 7b 08 4c 89 f8 48 c1 e8 03 <0f> b6 04 28 84 c0 0f 85 1d 02 00 00 41 8b 07 89 44 24 04 49 8d 7d
> RSP: 0018:ffffc900035a7698 EFLAGS: 00010202
> RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff888026dc1e80
> RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
> RBP: dffffc0000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
> R13: ffff88802543b200 R14: ffff888033865080 R15: 0000000000000008
> FS: 000055556d3e1500(0000) GS:ffff888125457000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000200000004580 CR3: 0000000035e06000 CR4: 00000000003526f0
> Call Trace:
> <TASK>
> _aead_recvmsg crypto/algif_aead.c:186 [inline]

Again this is an existing bug that has been uncovered:

---8<---
The check for the minimum receive buffer size did not take the
tag size into account during decryption. Fix this by adding the
required extra length to the variable less.

Reported-by: syzbot+aa1156...@syzkaller.appspotmail.com
Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>

diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
index dda15bb05e89..b0811eb7d665 100644
--- a/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -144,6 +144,8 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
if (usedpages < outlen) {
size_t less = outlen - usedpages;

+ if (!ctx->enc)
+ less += as;
if (used < less) {
err = -EINVAL;
goto free;
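Review bot: the fix mutates `less` itself instead of only comparing against `less + as`; if `less` is read again after the `if (used < less)` check in this function, the extra tag length now also flows into those later uses, so either confirm that is intended or keep the adjustment local to the comparison, e.g. `if (used < less + (ctx->enc ? 0 : as))`. A one-line comment above the new `if (!ctx->enc)` saying that on decryption the input must still carry the `as`-byte tag, which is consumed rather than copied to the output, would also help, since that rationale currently lives only in the commit message.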
--
Email: Herbert Xu <her...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt