[REGRESSION] 493b2ed3f760 ("crypto: algif_hash - Handle NULL hashes correctly")

2016-11-16 Thread Laura Abbott
Hi,

Fedora got a bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1395896
of an oops with this program:

#include 
#include 
#include 

int main(int argc, char *argv[]) {
static const union {
struct sockaddr sa;
struct sockaddr_alg alg;
} sa = {
.alg.salg_family = AF_ALG,
.alg.salg_type = "hash",
.alg.salg_name = "sha256",
};
char c;
int fd1, fd2;

fd1 = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd1, , sizeof(sa));
fd2 = accept(fd1, NULL, 0);
recv(fd2, , sizeof(c), 0);

return 0;
}


[   10.802304] BUG: unable to handle kernel NULL pointer dereference at 
0008
[   10.803970] IP: [] shash_ahash_digest+0x1e/0x100
[   10.805046] PGD eb37067 PUD 12425067 PMD 0 
[   10.806019] Oops:  [#1] SMP
[   10.806702] Modules linked in:
[   10.807421] CPU: 0 PID: 1098 Comm: a.out Not tainted 4.8.0-rc1+ #29
[   10.808444] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
1.9.1-1.fc24 04/01/2014
[   10.809839] task: 880010a92400 task.stack: 880012458000
[   10.810653] RIP: 0010:[]  [] 
shash_ahash_digest+0x1e/0x100
[   10.811979] RSP: 0018:88001245bd48  EFLAGS: 00010246
[   10.812730] RAX: 1000 RBX: 88001249b390 RCX: 
[   10.814419] RDX:  RSI: 88001249b390 RDI: 88001249b340
[   10.815303] RBP: 88001245bd68 R08: 88000eb54fa0 R09: 
[   10.816126] R10: 88000eb547d0 R11: 0001 R12: 812f7520
[   10.816946] R13: 88001249b340 R14: 88001245be38 R15: 
[   10.818098] FS:  7f1849f3a700() GS:88001180() 
knlGS:
[   10.819644] CS:  0010 DS:  ES:  CR0: 80050033
[   10.820370] CR2: 0008 CR3: 0eb36000 CR4: 06f0
[   10.821198] Stack:
[   10.821641]  88001249b340 812f7520 880012498c18 
88001245be38
[   10.822905]  88001245bd78 812f753f 88001245bda0 
812f6aa4
[   10.824168]  88001249b060 88001249b060 0001 
88001245bdb0
[   10.825434] Call Trace:
[   10.825910]  [] ? shash_ahash_digest+0x100/0x100
[   10.826663]  [] shash_async_digest+0x1f/0x30
[   10.827389]  [] crypto_ahash_op+0x24/0x60
[   10.828097]  [] crypto_ahash_digest+0x11/0x20
[   10.828835]  [] hash_recvmsg+0x1a4/0x1c0
[   10.829539]  [] sock_recvmsg+0x38/0x40
[   10.830232]  [] SYSC_recvfrom+0xcb/0x130
[   10.830937]  [] ? sock_map_fd+0x3f/0x60
[   10.831635]  [] SyS_recvfrom+0x9/0x10
[   10.832317]  [] entry_SYSCALL_64_fastpath+0x1a/0xa4
[   10.833091] Code: 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 55 b8 00 10 00 00 
48 89 e5 41 56 41 55 41 54 53 49 89 fd 48 8b 4f 38 41 8b 55 30 48 89 f3 <8b> 79 
08 29 f8 39 41 0c 0f 46 41 0c 39 c2 73 74 48 8b 31 48 83 
[   10.838754] RIP  [] shash_ahash_digest+0x1e/0x100
[   10.839560]  RSP 
[   10.840112] CR2: 0008
[   10.840674] ---[ end trace 4314dcc948f7acad ]---
[   10.841320] Kernel panic - not syncing: Fatal exception
[   10.842106] Kernel Offset: disabled

It looks like hash_recvmsg sets the sg to NULL with 

ahash_request_set_crypt(>req, NULL, ctx->result, 0);

which then blows up when crypto_ahash_digest -> hash_ahash_digest
tries to access it. 

Thanks,
Laura


[REGRESSION] 493b2ed3f760 ("crypto: algif_hash - Handle NULL hashes correctly")

2016-11-16 Thread Laura Abbott
Hi,

Fedora got a bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1395896
of an oops with this program:

#include 
#include 
#include 

int main(int argc, char *argv[]) {
static const union {
struct sockaddr sa;
struct sockaddr_alg alg;
} sa = {
.alg.salg_family = AF_ALG,
.alg.salg_type = "hash",
.alg.salg_name = "sha256",
};
char c;
int fd1, fd2;

fd1 = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd1, , sizeof(sa));
fd2 = accept(fd1, NULL, 0);
recv(fd2, , sizeof(c), 0);

return 0;
}


[   10.802304] BUG: unable to handle kernel NULL pointer dereference at 
0008
[   10.803970] IP: [] shash_ahash_digest+0x1e/0x100
[   10.805046] PGD eb37067 PUD 12425067 PMD 0 
[   10.806019] Oops:  [#1] SMP
[   10.806702] Modules linked in:
[   10.807421] CPU: 0 PID: 1098 Comm: a.out Not tainted 4.8.0-rc1+ #29
[   10.808444] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
1.9.1-1.fc24 04/01/2014
[   10.809839] task: 880010a92400 task.stack: 880012458000
[   10.810653] RIP: 0010:[]  [] 
shash_ahash_digest+0x1e/0x100
[   10.811979] RSP: 0018:88001245bd48  EFLAGS: 00010246
[   10.812730] RAX: 1000 RBX: 88001249b390 RCX: 
[   10.814419] RDX:  RSI: 88001249b390 RDI: 88001249b340
[   10.815303] RBP: 88001245bd68 R08: 88000eb54fa0 R09: 
[   10.816126] R10: 88000eb547d0 R11: 0001 R12: 812f7520
[   10.816946] R13: 88001249b340 R14: 88001245be38 R15: 
[   10.818098] FS:  7f1849f3a700() GS:88001180() 
knlGS:
[   10.819644] CS:  0010 DS:  ES:  CR0: 80050033
[   10.820370] CR2: 0008 CR3: 0eb36000 CR4: 06f0
[   10.821198] Stack:
[   10.821641]  88001249b340 812f7520 880012498c18 
88001245be38
[   10.822905]  88001245bd78 812f753f 88001245bda0 
812f6aa4
[   10.824168]  88001249b060 88001249b060 0001 
88001245bdb0
[   10.825434] Call Trace:
[   10.825910]  [] ? shash_ahash_digest+0x100/0x100
[   10.826663]  [] shash_async_digest+0x1f/0x30
[   10.827389]  [] crypto_ahash_op+0x24/0x60
[   10.828097]  [] crypto_ahash_digest+0x11/0x20
[   10.828835]  [] hash_recvmsg+0x1a4/0x1c0
[   10.829539]  [] sock_recvmsg+0x38/0x40
[   10.830232]  [] SYSC_recvfrom+0xcb/0x130
[   10.830937]  [] ? sock_map_fd+0x3f/0x60
[   10.831635]  [] SyS_recvfrom+0x9/0x10
[   10.832317]  [] entry_SYSCALL_64_fastpath+0x1a/0xa4
[   10.833091] Code: 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 55 b8 00 10 00 00 
48 89 e5 41 56 41 55 41 54 53 49 89 fd 48 8b 4f 38 41 8b 55 30 48 89 f3 <8b> 79 
08 29 f8 39 41 0c 0f 46 41 0c 39 c2 73 74 48 8b 31 48 83 
[   10.838754] RIP  [] shash_ahash_digest+0x1e/0x100
[   10.839560]  RSP 
[   10.840112] CR2: 0008
[   10.840674] ---[ end trace 4314dcc948f7acad ]---
[   10.841320] Kernel panic - not syncing: Fatal exception
[   10.842106] Kernel Offset: disabled

It looks like hash_recvmsg sets the sg to NULL with 

ahash_request_set_crypt(>req, NULL, ctx->result, 0);

which then blows up when crypto_ahash_digest -> hash_ahash_digest
tries to access it. 

Thanks,
Laura