KASAN: use-after-free Read in crypto_destroy_tfm

2018-05-26 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:0644f186fc9d Merge tag 'for_linus' of git://git.kernel.org..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=102bc25780
kernel config:  https://syzkaller.appspot.com/x/.config?x=61c12b53c2a25ec4
dashboard link: https://syzkaller.appspot.com/bug?extid=352126a5be7ccb25754e
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+352126a5be7ccb257...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in crypto_destroy_tfm+0x2a3/0x300 crypto/api.c:573

Read of size 8 at addr 8801d9023238 by task syz-executor6/10078

CPU: 1 PID: 10078 Comm: syz-executor6 Not tainted 4.17.0-rc2+ #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 crypto_destroy_tfm+0x2a3/0x300 crypto/api.c:573
 crypto_free_rng include/crypto/rng.h:122 [inline]
 rng_release+0x18/0x20 crypto/algif_rng.c:124
 alg_do_release crypto/af_alg.c:119 [inline]
 alg_sock_destruct+0x92/0xe0 crypto/af_alg.c:362
 __sk_destruct+0xff/0xa40 net/core/sock.c:1566
 sk_destruct+0x78/0x90 net/core/sock.c:1601
 __sk_free+0x22e/0x340 net/core/sock.c:1612
 sk_free+0x42/0x50 net/core/sock.c:1623
 sock_put include/net/sock.h:1664 [inline]
 af_alg_release+0x6e/0x90 crypto/af_alg.c:126
 sock_release+0x96/0x1b0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x34d/0x890 fs/file_table.c:209
 fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1aee/0x2730 kernel/exit.c:865
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 get_signal+0x886/0x1960 kernel/signal.c:2469
 do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455979
RSP: 002b:7f4f4bbc2c68 EFLAGS: 0246 ORIG_RAX: 0036
RAX:  RBX: 7f4f4bbc36d4 RCX: 00455979
RDX: 0001 RSI: 0117 RDI: 0014
RBP: 0072bf50 R08:  R09: 
R10: 204f7000 R11: 0246 R12: 
R13: 0519 R14: 006faaf8 R15: 0001

Allocated by task 4484:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.38+0x3a/0xe0 net/core/skbuff.c:137
 __alloc_skb+0x14d/0x780 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:987 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0xb01/0xfa0 net/netlink/af_netlink.c:1876
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 4484:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 skb_free_head+0x99/0xc0 net/core/skbuff.c:550
 skb_release_data+0x690/0x860 net/core/skbuff.c:570
 skb_release_all+0x4a/0x60 net/core/skbuff.c:627
 __kfree_skb net/core/skbuff.c:641 [inline]
 consume_skb+0x18b/0x550 net/core/skbuff.c:701
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x593/0x740 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
 do_syscall_64+0x1b1/0x800 arch/x86/entry

KMSAN: uninit-value in af_alg_free_areq_sgls

2018-04-08 Thread syzbot

Hello,

syzbot hit the following crash on https://github.com/google/kmsan.git/master commit
e2ab7e8abba47a2f2698216258e5d8727ae58717 (Fri Apr 6 16:24:31 2018 +)
kmsan: temporarily disable visitAsmInstruction() to help syzbot
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=9c251bdd09f83b92ba95


So far this crash happened 11 times on https://github.com/google/kmsan.git/master.

C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5551473324720128
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4782073151750144
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5003160619843584
Kernel config: https://syzkaller.appspot.com/x/.config?id=6627248707860932248

compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9c251bdd09f83b92b...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.

If you forward the report, please keep this part and the footer.

==
BUG: KMSAN: uninit-value in atomic_sub arch/x86/include/asm/atomic.h:65 [inline]
BUG: KMSAN: uninit-value in af_alg_free_areq_sgls+0x5ff/0xb20 crypto/af_alg.c:669

CPU: 1 PID: 3568 Comm: syzkaller909997 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 atomic_sub arch/x86/include/asm/atomic.h:65 [inline]
 af_alg_free_areq_sgls+0x5ff/0xb20 crypto/af_alg.c:669
 af_alg_free_resources+0x66/0xf0 crypto/af_alg.c:1033
 _aead_recvmsg crypto/algif_aead.c:321 [inline]
 aead_recvmsg+0x9a4/0x2960 crypto/algif_aead.c:334
 aead_recvmsg_nokey+0x129/0x160 crypto/algif_aead.c:452
 sock_recvmsg_nosec net/socket.c:803 [inline]
 sock_recvmsg+0x1d0/0x230 net/socket.c:810
 ___sys_recvmsg+0x3fb/0x810 net/socket.c:2205
 __sys_recvmsg net/socket.c:2250 [inline]
 SYSC_recvmsg+0x298/0x3c0 net/socket.c:2262
 SyS_recvmsg+0x54/0x80 net/socket.c:2257
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43ff29
RSP: 002b:7ffd9919c808 EFLAGS: 0207 ORIG_RAX: 002f
RAX: ffda RBX: 004002c8 RCX: 0043ff29
RDX:  RSI: 2040 RDI: 0004
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0207 R12: 00401850
R13: 004018e0 R14:  R15: 

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 __kmalloc+0x23c/0x350 mm/slub.c:3791
 kmalloc include/linux/slab.h:517 [inline]
 sock_kmalloc+0x14e/0x270 net/core/sock.c:1986
 af_alg_get_rsgl+0x427/0xe10 crypto/af_alg.c:1149
 _aead_recvmsg crypto/algif_aead.c:163 [inline]
 aead_recvmsg+0x953/0x2960 crypto/algif_aead.c:334
 aead_recvmsg_nokey+0x129/0x160 crypto/algif_aead.c:452
 sock_recvmsg_nosec net/socket.c:803 [inline]
 sock_recvmsg+0x1d0/0x230 net/socket.c:810
 ___sys_recvmsg+0x3fb/0x810 net/socket.c:2205
 __sys_recvmsg net/socket.c:2250 [inline]
 SYSC_recvmsg+0x298/0x3c0 net/socket.c:2262
 SyS_recvmsg+0x54/0x80 net/socket.c:2257
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
==


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.

Note: all commands must start from beginning of the line in the email body.


Re: KASAN: use-after-free Read in crypto_aead_free_instance

2017-12-20 Thread syzbot

On Wednesday, 20 December 2017, 10:50:10 CET, Dmitry Vyukov wrote:

Hi Dmitry,

> On Wed, Dec 20, 2017 at 10:29 AM, Stephan Mueller <smuel...@chronox.de>
> wrote:
> > On Wednesday, 20 December 2017, 10:19:43 CET, Dmitry Vyukov wrote:
> >
> > Hi Dmitry,
> >
> > > > This issue vanishes after applying the patch "[PATCH v2] crypto: AF_ALG -
> > > > limit mask and type".
> > >
> > > Hi Stephan,
> > >
> > > syzbot does not understand arbitrary English prose, it only understands
> > > this:
> > > > Once a fix for this bug is merged into any tree, reply to this email
> > > > with:
> > > > #syz fix: exact-commit-title
> > >
> > > Let's tell it about the fix:
> > >
> > > #syz fix: crypto: AF_ALG - limit mask and type
> >
> > I have seen that this is the approach, but the fix is not yet in the tree.
> > I just want to let folks know that there is a patch.
>
> Ah, ok, sorry. It's just difficult to tell when there is a reason to
> not provide the tag right now, or when people don't know about
> them or ignore them.
> If the patch is merged with this title, then there is nothing else to
> do. If it's merged under a different title, a new "#syz fix:" tag will
> override the old one.

Maybe you can teach syzkaller that there is a proposed fix? E.g.

#syz proposed: commit-title

unknown command "proposed:"

Ciao
Stephan

