| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Nov 2017 23:53:07 -0800
From: Eric Biggers <ebiggers3@...il.com>
To: syzbot
<bot+3401d9494b9380f7244bcc7fec49680878fccba6@...kaller.appspotmail.com>
Cc: davem@...emloft.net, herbert@...dor.apana.org.au,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com,
Stephan Mueller <smueller@...onox.de>
Subject: Re: general protection fault in blkcipher_walk_done
On Mon, Nov 27, 2017 at 09:37:38PM -0800, Eric Biggers wrote:
> On Mon, Nov 27, 2017 at 10:56:47AM -0800, syzbot wrote:
> > Hello,
> >
> > syzkaller hit the following crash on
> > 1ea8d039f9edcfefb20d8ddfe136930f6e551529
> > git://git.cmpxchg.org/linux-mmots.git/master
> > compiler: gcc (GCC) 7.1.1 20170620
> > .config is attached
> > Raw console output is attached.
> > C reproducer is attached
> > syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> > for information about syzkaller reproducers
>
> Still happens on latest Linus tree (v4.15-rc1) with crypto/master merged in. It
> seems that _aead_recvmsg() is being confused by the operation mode being changed
> from encryption to decryption while it has dropped the socket lock in
> af_alg_wait_for_data(). Here's a simplified reproducer:
>
Stephan, why does af_alg_get_rsgl() call af_alg_wait_for_data()? It's not
actually reading anything from the "TX SGL" yet; it's just preparing the "RX
SGL". It seems to be in completely the wrong place. And how exactly should the
AEAD interface know when to wait anyway, given that someone could ask to encrypt
0 bytes to get the authentication tag for that?
Eric
Powered by blists - more mailing lists