[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
Test passed with AWS in this cycle. ** Changed in: linux-aws (Ubuntu Bionic) Status: In Progress => Fix Released ** Changed in: linux-aws (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-aws in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: Fix Released Status in linux package in Ubuntu: Fix Released Status in linux-aws package in Ubuntu: Fix Released Status in linux source package in Bionic: Fix Released Status in linux-aws source package in Bionic: Fix Released Status in linux source package in Cosmic: Won't Fix Status in linux-aws source package in Cosmic: Won't Fix Bug description: == Justification == From the commit message: Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte 'enckeylen', followed by an authentication key and an encryption key. crypto_authenc_extractkeys() parses the key to find the inner keys. However, it fails to consider the case where the rtattr's payload is longer than 4 bytes but not 4-byte aligned, and where the key ends before the next 4-byte aligned boundary. In this case, 'keylen -= RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This causes a buffer overread and crash during crypto_ahash_setkey(). This error can be easily reproduced with the af_alg06 test in LTP test suite. (Basically it's the reproducer in the commit message) == Fix == 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len) This patch can be cherry-picked into B/C, and it's already in X/D/E. == Test == Test kernels could be found here: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/ Both verified on a KVM node, this issue will no longer exist. == Regression potential == Low, this patch just improves the checking for rtattr payload size to make sure it's the expected size. Also It has been upstream since 2018 Dec. and applied in some of our kernels. No subsequent bug report was filed against it. == Original bug report == LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg] SyS_setsockopt+0x86/0xf0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7f9f29f61e6a RSP: 002b:7ffdd050ba38 EFLAGS: 0207 ORIG_RAX: 0036 RAX: ffda RBX: 7f9f2a44d500 RCX: 7f9f29f61e6a RDX: 0001 RSI: 0117 RDI: 0006 RBP: 0006 R08: 0009 R09: 7ffdd050b960 R10: 7ffdd050ba4f R11:
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed- xenial'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-aws in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: Fix Released Status in linux package in Ubuntu: Fix Released Status in linux-aws package in Ubuntu: New Status in linux source package in Bionic: Fix Released Status in linux-aws source package in Bionic: In Progress Status in linux source package in Cosmic: Won't Fix Status in linux-aws source package in Cosmic: Won't Fix Bug description: == Justification == From the commit message: Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte 'enckeylen', followed by an authentication key and an encryption key. crypto_authenc_extractkeys() parses the key to find the inner keys. However, it fails to consider the case where the rtattr's payload is longer than 4 bytes but not 4-byte aligned, and where the key ends before the next 4-byte aligned boundary. In this case, 'keylen -= RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This causes a buffer overread and crash during crypto_ahash_setkey(). This error can be easily reproduced with the af_alg06 test in LTP test suite. (Basically it's the reproducer in the commit message) == Fix == 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len) This patch can be cherry-picked into B/C, and it's already in X/D/E. == Test == Test kernels could be found here: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/ Both verified on a KVM node, this issue will no longer exist. == Regression potential == Low, this patch just improves the checking for rtattr payload size to make sure it's the expected size. Also It has been upstream since 2018 Dec. and applied in some of our kernels. No subsequent bug report was filed against it. == Original bug report == LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg]
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
** Changed in: linux-aws (Ubuntu Cosmic) Status: New => Won't Fix ** Changed in: linux-aws (Ubuntu Bionic) Status: New => In Progress ** Changed in: linux-aws (Ubuntu Bionic) Assignee: (unassigned) => Po-Hsu Lin (cypressyew) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-aws in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: Fix Released Status in linux package in Ubuntu: Fix Released Status in linux-aws package in Ubuntu: New Status in linux source package in Bionic: Fix Released Status in linux-aws source package in Bionic: In Progress Status in linux source package in Cosmic: Won't Fix Status in linux-aws source package in Cosmic: Won't Fix Bug description: == Justification == From the commit message: Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte 'enckeylen', followed by an authentication key and an encryption key. crypto_authenc_extractkeys() parses the key to find the inner keys. However, it fails to consider the case where the rtattr's payload is longer than 4 bytes but not 4-byte aligned, and where the key ends before the next 4-byte aligned boundary. In this case, 'keylen -= RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This causes a buffer overread and crash during crypto_ahash_setkey(). This error can be easily reproduced with the af_alg06 test in LTP test suite. (Basically it's the reproducer in the commit message) == Fix == 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len) This patch can be cherry-picked into B/C, and it's already in X/D/E. == Test == Test kernels could be found here: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/ Both verified on a KVM node, this issue will no longer exist. == Regression potential == Low, this patch just improves the checking for rtattr payload size to make sure it's the expected size. Also It has been upstream since 2018 Dec. and applied in some of our kernels. No subsequent bug report was filed against it. == Original bug report == LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg] SyS_setsockopt+0x86/0xf0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7f9f29f61e6a RSP: 002b:7ffdd050ba38 EFLAGS: 0207 ORIG_RAX: 0036 RAX: ffda RBX: 7f9f2a44d500 RCX: 7f9f29f61e6a RDX: 0001 RSI: 0117 RDI: 0006 RBP: 0006 R08: 0009 R09: 7ffdd050b960
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
** Also affects: linux-aws (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-aws in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: Fix Released Status in linux package in Ubuntu: Fix Released Status in linux-aws package in Ubuntu: New Status in linux source package in Bionic: Fix Released Status in linux-aws source package in Bionic: New Status in linux source package in Cosmic: Won't Fix Status in linux-aws source package in Cosmic: New Bug description: == Justification == From the commit message: Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte 'enckeylen', followed by an authentication key and an encryption key. crypto_authenc_extractkeys() parses the key to find the inner keys. However, it fails to consider the case where the rtattr's payload is longer than 4 bytes but not 4-byte aligned, and where the key ends before the next 4-byte aligned boundary. In this case, 'keylen -= RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This causes a buffer overread and crash during crypto_ahash_setkey(). This error can be easily reproduced with the af_alg06 test in LTP test suite. (Basically it's the reproducer in the commit message) == Fix == 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len) This patch can be cherry-picked into B/C, and it's already in X/D/E. == Test == Test kernels could be found here: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/ Both verified on a KVM node, this issue will no longer exist. == Regression potential == Low, this patch just improves the checking for rtattr payload size to make sure it's the expected size. Also It has been upstream since 2018 Dec. and applied in some of our kernels. No subsequent bug report was filed against it. == Original bug report == LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg] SyS_setsockopt+0x86/0xf0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7f9f29f61e6a RSP: 002b:7ffdd050ba38 EFLAGS: 0207 ORIG_RAX: 0036 RAX: ffda RBX: 7f9f2a44d500 RCX: 7f9f29f61e6a RDX: 0001 RSI: 0117 RDI: 0006 RBP: 0006 R08: 0009 R09: 7ffdd050b960 R10: 7ffdd050ba4f R11: 0207 R12: 0001 R13: R14: R15: 56456d64d908 Code: 00 00 00 0f 1f 44 00 00 55 48 89
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
** Changed in: linux (Ubuntu Cosmic) Status: Fix Committed => Won't Fix -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: Fix Released Status in linux package in Ubuntu: Fix Released Status in linux source package in Bionic: Fix Released Status in linux source package in Cosmic: Won't Fix Bug description: == Justification == From the commit message: Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte 'enckeylen', followed by an authentication key and an encryption key. crypto_authenc_extractkeys() parses the key to find the inner keys. However, it fails to consider the case where the rtattr's payload is longer than 4 bytes but not 4-byte aligned, and where the key ends before the next 4-byte aligned boundary. In this case, 'keylen -= RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This causes a buffer overread and crash during crypto_ahash_setkey(). This error can be easily reproduced with the af_alg06 test in LTP test suite. (Basically it's the reproducer in the commit message) == Fix == 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len) This patch can be cherry-picked into B/C, and it's already in X/D/E. == Test == Test kernels could be found here: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/ Both verified on a KVM node, this issue will no longer exist. == Regression potential == Low, this patch just improves the checking for rtattr payload size to make sure it's the expected size. Also It has been upstream since 2018 Dec. and applied in some of our kernels. No subsequent bug report was filed against it. == Original bug report == LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg] SyS_setsockopt+0x86/0xf0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7f9f29f61e6a RSP: 002b:7ffdd050ba38 EFLAGS: 0207 ORIG_RAX: 0036 RAX: ffda RBX: 7f9f2a44d500 RCX: 7f9f29f61e6a RDX: 0001 RSI: 0117 RDI: 0006 RBP: 0006 R08: 0009 R09: 7ffdd050b960 R10: 7ffdd050ba4f R11: 0207 R12: 0001 R13: R14: R15: 56456d64d908 Code: 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 08 01 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 <8b> 14 06 0f ca 89 94 05 d0 fe ff ff 48 83 c0 04 48 83
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
af_alg06 test passed with the B/C. ** Changed in: ubuntu-kernel-tests Status: In Progress => Fix Released ** Tags removed: verification-needed-bionic verification-needed-cosmic ** Tags added: verification-done-bionic verification-done-cosmic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: Fix Released Status in linux package in Ubuntu: Fix Released Status in linux source package in Bionic: Fix Released Status in linux source package in Cosmic: Fix Committed Bug description: == Justification == From the commit message: Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte 'enckeylen', followed by an authentication key and an encryption key. crypto_authenc_extractkeys() parses the key to find the inner keys. However, it fails to consider the case where the rtattr's payload is longer than 4 bytes but not 4-byte aligned, and where the key ends before the next 4-byte aligned boundary. In this case, 'keylen -= RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This causes a buffer overread and crash during crypto_ahash_setkey(). This error can be easily reproduced with the af_alg06 test in LTP test suite. (Basically it's the reproducer in the commit message) == Fix == 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len) This patch can be cherry-picked into B/C, and it's already in X/D/E. == Test == Test kernels could be found here: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/ Both verified on a KVM node, this issue will no longer exist. == Regression potential == Low, this patch just improves the checking for rtattr payload size to make sure it's the expected size. Also It has been upstream since 2018 Dec. and applied in some of our kernels. No subsequent bug report was filed against it. == Original bug report == LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg] SyS_setsockopt+0x86/0xf0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7f9f29f61e6a RSP: 002b:7ffdd050ba38 EFLAGS: 0207 ORIG_RAX: 0036 RAX: ffda RBX: 7f9f2a44d500 RCX: 7f9f29f61e6a RDX: 0001 RSI: 0117 RDI: 0006 RBP: 0006 R08: 0009 R09: 7ffdd050b960 R10: 7ffdd050ba4f R11: 0207 R12: 0001 R13: R14: R15: 56456d64d908 Code: 00 00 00 0f
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
This bug was fixed in the package linux - 4.15.0-55.60 --- linux (4.15.0-55.60) bionic; urgency=medium * linux: 4.15.0-55.60 -proposed tracker (LP: #1834954) * Request backport of ceph commits into bionic (LP: #1834235) - ceph: use atomic_t for ceph_inode_info::i_shared_gen - ceph: define argument structure for handle_cap_grant - ceph: flush pending works before shutdown super - ceph: send cap releases more aggressively - ceph: single workqueue for inode related works - ceph: avoid dereferencing invalid pointer during cached readdir - ceph: quota: add initial infrastructure to support cephfs quotas - ceph: quota: support for ceph.quota.max_files - ceph: quota: don't allow cross-quota renames - ceph: fix root quota realm check - ceph: quota: support for ceph.quota.max_bytes - ceph: quota: update MDS when max_bytes is approaching - ceph: quota: add counter for snaprealms with quota - ceph: avoid iput_final() while holding mutex or in dispatch thread * QCA9377 isn't being recognized sometimes (LP: #1757218) - SAUCE: USB: Disable USB2 LPM at shutdown * hns: fix ICMP6 neighbor solicitation messages discard problem (LP: #1833140) - net: hns: fix ICMP6 neighbor solicitation messages discard problem - net: hns: fix unsigned comparison to less than zero * Fix occasional boot time crash in hns driver (LP: #1833138) - net: hns: Fix probabilistic memory overwrite when HNS driver initialized * use-after-free in hns_nic_net_xmit_hw (LP: #1833136) - net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw() * hns: attempt to restart autoneg when disabled should report error (LP: #1833147) - net: hns: Restart autoneg need return failed when autoneg off * systemd 237-3ubuntu10.14 ADT test failure on Bionic ppc64el (test-seccomp) (LP: #1821625) - powerpc: sys_pkey_alloc() and sys_pkey_free() system calls - powerpc: sys_pkey_mprotect() system call * [UBUNTU] pkey: Indicate old mkvp only if old and curr. mkvp are different (LP: #1832625) - pkey: Indicate old mkvp only if old and current mkvp are different * [UBUNTU] kernel: Fix gcm-aes-s390 wrong scatter-gather list processing (LP: #1832623) - s390/crypto: fix gcm-aes-s390 selftest failures * System crashes on hot adding a core with drmgr command (4.15.0-48-generic) (LP: #1833716) - powerpc/numa: improve control of topology updates - powerpc/numa: document topology_updates_enabled, disable by default * Kernel modules generated incorrectly when system is localized to a non- English language (LP: #1828084) - scripts: override locale from environment when running recordmcount.pl * [UBUNTU] kernel: Fix wrong dispatching for control domain CPRBs (LP: #1832624) - s390/zcrypt: Fix wrong dispatching for control domain CPRBs * CVE-2019-11815 - net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock(). * Sound device not detected after resume from hibernate (LP: #1826868) - drm/i915: Force 2*96 MHz cdclk on glk/cnl when audio power is enabled - drm/i915: Save the old CDCLK atomic state - drm/i915: Remove redundant store of logical CDCLK state - drm/i915: Skip modeset for cdclk changes if possible * Handle overflow in proc_get_long of sysctl (LP: #1833935) - sysctl: handle overflow in proc_get_long * Dell XPS 13 (9370) defaults to s2idle sleep/suspend instead of deep, NVMe drains lots of power under s2idle (LP: #1808957) - Revert "UBUNTU: SAUCE: pci/nvme: prevent WDC PC SN720 NVMe from entering D3 and being disabled" - Revert "UBUNTU: SAUCE: nvme: add quirk to not call disable function when suspending" - Revert "UBUNTU: SAUCE: pci: prevent Intel NVMe SSDPEKKF from entering D3" - Revert "SAUCE: nvme: add quirk to not call disable function when suspending" - Revert "SAUCE: pci: prevent sk hynix nvme from entering D3" - PCI: PM: Avoid possible suspend-to-idle issue - PCI: PM: Skip devices in D0 for suspend-to-idle - nvme-pci: Sync queues on reset - nvme: Export get and set features - nvme-pci: Use host managed power state for suspend * linux v4.15 ftbfs on a newer host kernel (e.g. hwe) (LP: #1823429) - selinux: use kernel linux/socket.h for genheaders and mdp * 32-bit x86 kernel 4.15.0-50 crash in vmalloc_sync_all (LP: #1830433) - x86/mm/pat: Disable preemption around __flush_tlb_all() - x86/mm: Drop usage of __flush_tlb_all() in kernel_physical_mapping_init() - x86/mm: Disable ioremap free page handling on x86-PAE - ioremap: Update pgtable free interfaces with addr - x86/mm: Add TLB purge to free pmd/pte page interfaces - x86/init: fix build with CONFIG_SWAP=n - x86/mm: provide pmdp_establish() helper - x86/mm: Use WRITE_ONCE() when setting PTEs * hinic: fix oops due to race in set_rx_mode (LP: #1832048) - hinic: fix a bug in
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed- bionic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: In Progress Status in linux package in Ubuntu: Fix Released Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Bug description: == Justification == From the commit message: Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte 'enckeylen', followed by an authentication key and an encryption key. crypto_authenc_extractkeys() parses the key to find the inner keys. However, it fails to consider the case where the rtattr's payload is longer than 4 bytes but not 4-byte aligned, and where the key ends before the next 4-byte aligned boundary. In this case, 'keylen -= RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This causes a buffer overread and crash during crypto_ahash_setkey(). This error can be easily reproduced with the af_alg06 test in LTP test suite. (Basically it's the reproducer in the commit message) == Fix == 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len) This patch can be cherry-picked into B/C, and it's already in X/D/E. == Test == Test kernels could be found here: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/ Both verified on a KVM node, this issue will no longer exist. == Regression potential == Low, this patch just improves the checking for rtattr payload size to make sure it's the expected size. Also It has been upstream since 2018 Dec. and applied in some of our kernels. No subsequent bug report was filed against it. == Original bug report == LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg] SyS_setsockopt+0x86/0xf0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7f9f29f61e6a RSP: 002b:7ffdd050ba38 EFLAGS:
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed- cosmic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-cosmic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: In Progress Status in linux package in Ubuntu: Fix Released Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Bug description: == Justification == From the commit message: Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte 'enckeylen', followed by an authentication key and an encryption key. crypto_authenc_extractkeys() parses the key to find the inner keys. However, it fails to consider the case where the rtattr's payload is longer than 4 bytes but not 4-byte aligned, and where the key ends before the next 4-byte aligned boundary. In this case, 'keylen -= RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This causes a buffer overread and crash during crypto_ahash_setkey(). This error can be easily reproduced with the af_alg06 test in LTP test suite. (Basically it's the reproducer in the commit message) == Fix == 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len) This patch can be cherry-picked into B/C, and it's already in X/D/E. == Test == Test kernels could be found here: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/ Both verified on a KVM node, this issue will no longer exist. == Regression potential == Low, this patch just improves the checking for rtattr payload size to make sure it's the expected size. Also It has been upstream since 2018 Dec. and applied in some of our kernels. No subsequent bug report was filed against it. == Original bug report == LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg] SyS_setsockopt+0x86/0xf0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7f9f29f61e6a RSP: 002b:7ffdd050ba38 EFLAGS:
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
** Changed in: linux (Ubuntu Bionic) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Cosmic) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: In Progress Status in linux package in Ubuntu: Fix Released Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Bug description: == Justification == From the commit message: Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte 'enckeylen', followed by an authentication key and an encryption key. crypto_authenc_extractkeys() parses the key to find the inner keys. However, it fails to consider the case where the rtattr's payload is longer than 4 bytes but not 4-byte aligned, and where the key ends before the next 4-byte aligned boundary. In this case, 'keylen -= RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This causes a buffer overread and crash during crypto_ahash_setkey(). This error can be easily reproduced with the af_alg06 test in LTP test suite. (Basically it's the reproducer in the commit message) == Fix == 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len) This patch can be cherry-picked into B/C, and it's already in X/D/E. == Test == Test kernels could be found here: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/ Both verified on a KVM node, this issue will no longer exist. == Regression potential == Low, this patch just improves the checking for rtattr payload size to make sure it's the expected size. Also It has been upstream since 2018 Dec. and applied in some of our kernels. No subsequent bug report was filed against it. == Original bug report == LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg] SyS_setsockopt+0x86/0xf0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7f9f29f61e6a RSP: 002b:7ffdd050ba38 EFLAGS: 0207 ORIG_RAX: 0036 RAX: ffda RBX: 7f9f2a44d500 RCX: 7f9f29f61e6a RDX: 0001 RSI: 0117 RDI: 0006 RBP: 0006 R08: 0009 R09: 7ffdd050b960 R10: 7ffdd050ba4f R11: 0207 R12: 0001 R13: R14: R15: 56456d64d908 Code: 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 08 01 00 00 65 48 8b 04 25
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
https://lists.ubuntu.com/archives/kernel-team/2019-May/100831.html ** Description changed: - LTP: starting af_alg06 - BUG: unable to handle kernel paging request at 9cbe - IP: sha256_transform+0x28/0x1b20 - PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 - Oops: [#1] SMP PTI - Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy - CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 - RIP: 0010:sha256_transform+0x28/0x1b20 - RSP: 0018:b58e8344baa0 EFLAGS: 00010283 - RAX: 0034 RBX: 9cbe000c RCX: - RDX: RSI: 9cbdffcc RDI: b58e8344bca8 - RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 - R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c - R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c - FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: - CS: 0010 DS: ES: CR0: 80050033 - CR2: 9cbe CR3: 7c1da000 CR4: 06f0 - DR0: DR1: DR2: - DR3: DR6: fffe0ff0 DR7: 0400 - Call Trace: - sha256_generic_block_fn+0x36/0x50 - crypto_sha256_finup+0xef/0x170 - crypto_shash_finup+0x25/0x30 - shash_digest_unaligned+0x47/0x60 - crypto_shash_digest+0x2e/0x40 - hmac_setkey+0x15a/0x210 - ? tty_insert_flip_string_fixed_flag+0x86/0xe0 - crypto_shash_setkey+0x35/0xc0 - ? pty_write+0x71/0x90 - shash_async_setkey+0x15/0x20 - crypto_ahash_setkey+0x38/0xb0 - crypto_authenc_setkey+0x68/0x100 [authenc] - crypto_aead_setkey+0x35/0xc0 - aead_setkey+0x15/0x20 [algif_aead] - alg_setsockopt+0x112/0x140 [af_alg] - SyS_setsockopt+0x86/0xf0 - do_syscall_64+0x73/0x130 - entry_SYSCALL_64_after_hwframe+0x3d/0xa2 - RIP: 0033:0x7f9f29f61e6a - RSP: 002b:7ffdd050ba38 EFLAGS: 0207 ORIG_RAX: 0036 - RAX: ffda RBX: 7f9f2a44d500 RCX: 7f9f29f61e6a - RDX: 0001 RSI: 0117 RDI: 0006 - RBP: 0006 R08: 0009 R09: 7ffdd050b960 - R10: 7ffdd050ba4f R11: 0207 R12: 0001 - R13: R14: R15: 56456d64d908 - Code: 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 08 01 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 <8b> 14 06 0f ca 89 94 05 d0 fe ff ff 48 83 c0 04 48 83 f8 40 75 - RIP: sha256_transform+0x28/0x1b20 RSP: b58e8344baa0 - CR2: 9cbe - ---[ end trace ac2d55c95d4eed9d ]--- + == Justification == + From the commit message: + Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte + 'enckeylen', followed by an authentication key and an encryption key. + crypto_authenc_extractkeys() parses the key to find the inner keys. + + However, it fails to consider the case where the rtattr's payload is + longer than 4 bytes but not 4-byte aligned, and where the key ends + before the next 4-byte aligned boundary. In this case, 'keylen -= + RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This + causes a buffer overread and crash during crypto_ahash_setkey(). + + This error can be reproduced easily with the af_alg06 test in LTP test + suite. (Basically it's the reproducer in the commit message) + + == Fix == + 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len) + This patch can be cherry-picked into B/C, and it's already in X/D/E. + + == Test == + Test kernels could be found here: + https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/ + + Both verified on a KVM node, this issue will no longer exist. + + == Regression potential == + Low, this patch just improves the checking for rtattr payload size to make sure it's the expected size. Also It has been upstream since 2018 Dec. and applied in some of our kernels. No subsequent bug report was filed against it. + + + LTP: starting af_alg06 + BUG: unable to handle kernel paging request at 9cbe + IP: sha256_transform+0x28/0x1b20 + PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 + Oops: [#1] SMP PTI + Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
Test passed with the Cosmic test kernel: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/C/ [ 69.838499] LTP: starting af_alg06 [ 69.845786] NET: Registered protocol family 38 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: In Progress Status in linux package in Ubuntu: Fix Released Status in linux source package in Bionic: In Progress Status in linux source package in Cosmic: In Progress Bug description: LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg] SyS_setsockopt+0x86/0xf0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7f9f29f61e6a RSP: 002b:7ffdd050ba38 EFLAGS: 0207 ORIG_RAX: 0036 RAX: ffda RBX: 7f9f2a44d500 RCX: 7f9f29f61e6a RDX: 0001 RSI: 0117 RDI: 0006 RBP: 0006 R08: 0009 R09: 7ffdd050b960 R10: 7ffdd050ba4f R11: 0207 R12: 0001 R13: R14: R15: 56456d64d908 Code: 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 08 01 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 <8b> 14 06 0f ca 89 94 05 d0 fe ff ff 48 83 c0 04 48 83 f8 40 75 RIP: sha256_transform+0x28/0x1b20 RSP: b58e8344baa0 CR2: 9cbe ---[ end trace ac2d55c95d4eed9d ]--- ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-50-generic 4.15.0-50.54 ProcVersionSignature: User Name 4.15.0-50.54-generic 4.15.18 Uname: Linux 4.15.0-50-generic x86_64 AlsaDevices: total 0 crw-rw 1 root audio 116, 1 May 20 08:23 seq crw-rw 1 root audio 116, 33 May 20 08:23 timer AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay' ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord' AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1: Date: Mon May 20 08:44:39 2019 IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig' Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub MachineType: QEMU Standard PC (i440FX + PIIX, 1996) PciMultimedia: ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=C.UTF-8 SHELL=/bin/bash ProcFB: 0 cirrusdrmfb ProcKernelCmdLine:
[Kernel-packages] [Bug 1829725] Re: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C
Test passed with the Bionic test kernel: https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/B/ [ 89.621610] LTP: starting af_alg06 [ 89.626967] NET: Registered protocol family 38 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1829725 Title: af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C Status in ubuntu-kernel-tests: In Progress Status in linux package in Ubuntu: Fix Released Status in linux source package in Bionic: In Progress Status in linux source package in Cosmic: In Progress Bug description: LTP: starting af_alg06 BUG: unable to handle kernel paging request at 9cbe IP: sha256_transform+0x28/0x1b20 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0 Oops: [#1] SMP PTI Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:sha256_transform+0x28/0x1b20 RSP: 0018:b58e8344baa0 EFLAGS: 00010283 RAX: 0034 RBX: 9cbe000c RCX: RDX: RSI: 9cbdffcc RDI: b58e8344bca8 RBP: b58e8344bbd0 R08: 1b6c96f6 R09: b58e8344baa0 R10: 7a9a01a1 R11: 1ecb7428 R12: 9cc0f332c00c R13: b58e8344bca8 R14: 9cbff4d8d048 R15: 9cbff332c00c FS: 7f9f2a44d580() GS:9cbfffc0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 9cbe CR3: 7c1da000 CR4: 06f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sha256_generic_block_fn+0x36/0x50 crypto_sha256_finup+0xef/0x170 crypto_shash_finup+0x25/0x30 shash_digest_unaligned+0x47/0x60 crypto_shash_digest+0x2e/0x40 hmac_setkey+0x15a/0x210 ? tty_insert_flip_string_fixed_flag+0x86/0xe0 crypto_shash_setkey+0x35/0xc0 ? pty_write+0x71/0x90 shash_async_setkey+0x15/0x20 crypto_ahash_setkey+0x38/0xb0 crypto_authenc_setkey+0x68/0x100 [authenc] crypto_aead_setkey+0x35/0xc0 aead_setkey+0x15/0x20 [algif_aead] alg_setsockopt+0x112/0x140 [af_alg] SyS_setsockopt+0x86/0xf0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x7f9f29f61e6a RSP: 002b:7ffdd050ba38 EFLAGS: 0207 ORIG_RAX: 0036 RAX: ffda RBX: 7f9f2a44d500 RCX: 7f9f29f61e6a RDX: 0001 RSI: 0117 RDI: 0006 RBP: 0006 R08: 0009 R09: 7ffdd050b960 R10: 7ffdd050ba4f R11: 0207 R12: 0001 R13: R14: R15: 56456d64d908 Code: 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 08 01 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 <8b> 14 06 0f ca 89 94 05 d0 fe ff ff 48 83 c0 04 48 83 f8 40 75 RIP: sha256_transform+0x28/0x1b20 RSP: b58e8344baa0 CR2: 9cbe ---[ end trace ac2d55c95d4eed9d ]--- ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-50-generic 4.15.0-50.54 ProcVersionSignature: User Name 4.15.0-50.54-generic 4.15.18 Uname: Linux 4.15.0-50-generic x86_64 AlsaDevices: total 0 crw-rw 1 root audio 116, 1 May 20 08:23 seq crw-rw 1 root audio 116, 33 May 20 08:23 timer AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay' ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord' AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1: Date: Mon May 20 08:44:39 2019 IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig' Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub MachineType: QEMU Standard PC (i440FX + PIIX, 1996) PciMultimedia: ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=C.UTF-8 SHELL=/bin/bash ProcFB: 0 cirrusdrmfb ProcKernelCmdLine:
