Re: bad page state due to PF_ALG socket
On Thu, Dec 17, 2015 at 4:58 AM, Dmitry Vyukov wrote:
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: [#1] SMP KASAN
> Modules linked in:
> CPU: 3 PID: 7168 Comm: a.out Tainted: GB 4.4.0-rc3+ #151
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: 88003712ad00 ti: 8800331d8000 task.ti: 8800331d8000
> RIP: 0010:[] []
> skcipher_recvmsg+0x82/0x1f10
> RSP: 0018:8800331dfb80 EFLAGS: 00010203
> RAX: dc00 RBX: 88006b98f300 RCX: 00010040
> RDX: 0002 RSI: 8800331dfdc0 RDI: 0016
> RBP: 8800331dfc80 R08: 8800331dfdd0 R09: 000a
> R10: 00010040 R11: 0246 R12: 0006
> R13: 8800331dfdc0 R14: 8800331dfdc0 R15: 00010040
> FS: 02630880(0063) GS:88006cf0() knlGS:
> CS: 0010 DS: ES: CR0: 8005003b
> CR2: 00c8200d73b0 CR3: 64c58000 CR4: 06e0
> Stack:
> 88006aba6024 88006ab24520 88006ab24510 88006aba67e0
> 88006aba602c ed000d574cfc 88006ab24518
> 88006aba602d 1000 88006ab24500 88006aba6a48
> Call Trace:
> [< inline >] sock_recvmsg_nosec net/socket.c:712
> [] sock_recvmsg+0xaa/0xe0 net/socket.c:720
> [] SYSC_recvfrom+0x1e4/0x370 net/socket.c:1707
> [] SyS_recvfrom+0x40/0x50 net/socket.c:1681
> [] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185

I think it is probably fixed by:

commit 130ed5d105dde141e7fe60d5440aa53e0a84f13b
Author: tadeusz.st...@intel.com
Date: Tue Dec 15 10:46:17 2015 -0800

    net: fix uninitialized variable issue
bad page state due to PF_ALG socket
Hello,

The following program triggers multiple bugs including bad page state warnings and GPFs:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include
#include
#include
#include

void foo()
{
    long r0 = syscall(SYS_socket, 0x26ul, 0x5ul, 0x0ul, 0, 0, 0);
    long r1 = syscall(SYS_mmap, 0x2000ul, 0x1ul, 0x3ul, 0x32ul, 0xul, 0x0ul);
    *(uint16_t*)0x20001000 = 0x26;
    memcpy((void*)0x20001002, "\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
    *(uint32_t*)0x20001010 = 0xf;
    *(uint32_t*)0x20001014 = 0x100;
    memcpy((void*)0x20001018, "\x65\x63\x62\x28\x73\x65\x72\x70\x65\x6e\x74\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64);
    long r7 = syscall(SYS_bind, r0, 0x20001000ul, 0x58ul, 0, 0, 0);
    long r8 = syscall(SYS_accept4, r0, 0x0ul, 0x200023fdul, 0x800ul, 0, 0);
    memcpy((void*)0x2000,