Re: bad page state due to PF_ALG socket

2015-12-21 Thread Cong Wang
On Thu, Dec 17, 2015 at 4:58 AM, Dmitry Vyukov  wrote:
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault:  [#1] SMP KASAN
> Modules linked in:
> CPU: 3 PID: 7168 Comm: a.out Tainted: GB   4.4.0-rc3+ #151
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: 88003712ad00 ti: 8800331d8000 task.ti: 8800331d8000
> RIP: 0010:[]  []
> skcipher_recvmsg+0x82/0x1f10
> RSP: 0018:8800331dfb80  EFLAGS: 00010203
> RAX: dc00 RBX: 88006b98f300 RCX: 00010040
> RDX: 0002 RSI: 8800331dfdc0 RDI: 0016
> RBP: 8800331dfc80 R08: 8800331dfdd0 R09: 000a
> R10: 00010040 R11: 0246 R12: 0006
> R13: 8800331dfdc0 R14: 8800331dfdc0 R15: 00010040
> FS:  02630880(0063) GS:88006cf0() knlGS:
> CS:  0010 DS:  ES:  CR0: 8005003b
> CR2: 00c8200d73b0 CR3: 64c58000 CR4: 06e0
> Stack:
>  88006aba6024 88006ab24520 88006ab24510 88006aba67e0
>  88006aba602c ed000d574cfc  88006ab24518
>  88006aba602d 1000 88006ab24500 88006aba6a48
> Call Trace:
>  [< inline >] sock_recvmsg_nosec net/socket.c:712
>  [] sock_recvmsg+0xaa/0xe0 net/socket.c:720
>  [] SYSC_recvfrom+0x1e4/0x370 net/socket.c:1707
>  [] SyS_recvfrom+0x40/0x50 net/socket.c:1681
>  [] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185

I think it is probably fixed by:

commit 130ed5d105dde141e7fe60d5440aa53e0a84f13b
Author: tadeusz.st...@intel.com 
Date:   Tue Dec 15 10:46:17 2015 -0800

net: fix uninitialized variable issue
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


bad page state due to PF_ALG socket

2015-12-17 Thread Dmitry Vyukov
Hello,

The following program triggers multiple bugs including bad page state
warnings and GPFs:


// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Note on this copy: the archive dropped the angle-bracketed header names
// and every run of "0000"/"ffff" inside hex constants (the same damage is
// visible in the register dump above, e.g. the KASAN shadow base 0xdffffc0000000000
// rendered as "dc00"). The includes and the constants marked "restored"
// below are reconstructed from that pattern.
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

void foo()
{
    // socket(AF_ALG /* 0x26 */, SOCK_SEQPACKET /* 5 */, 0)
    long r0 = syscall(SYS_socket, 0x26ul, 0x5ul, 0x0ul, 0, 0, 0);
    // mmap(0x20000000, 0x10000, PROT_READ|PROT_WRITE,
    //      MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0)
    // address, length and fd restored from "0x2000ul, 0x1ul, ... 0xul"
    long r1 = syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x3ul,
                      0x32ul, 0xfffffffffffffffful, 0x0ul);
    // struct sockaddr_alg (0x58 bytes) built at 0x20001000
    *(uint16_t*)0x20001000 = 0x26;        // salg_family = AF_ALG
    memcpy((void*)0x20001002,             // salg_type = "skcipher"
           "\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
    *(uint32_t*)0x20001010 = 0xf;         // salg_feat
    *(uint32_t*)0x20001014 = 0x100;       // salg_mask
    memcpy((void*)0x20001018,             // salg_name = "ecb(serpent)", zero-padded to 64
           "\x65\x63\x62\x28\x73\x65\x72\x70\x65\x6e\x74\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
           64);
    long r7 = syscall(SYS_bind, r0, 0x20001000ul, 0x58ul, 0, 0, 0);
    // accept4(fd, NULL, addrlen at 0x200023fd, SOCK_NONBLOCK /* 0x800 */)
    long r8 = syscall(SYS_accept4, r0, 0x0ul, 0x200023fdul, 0x800ul, 0, 0);
    // The remainder of the reproducer is cut off in the archive at this point
    // (only the restored address of the next memcpy survives).
    memcpy((void*)0x20000000,