lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAG_fn=UGCoDk04tL2vB981JmXgo6+-RUPmrTa3dSsK5UbZaTjA@mail.gmail.com>
Date:   Wed, 28 Nov 2018 11:58:37 +0100
From:   Alexander Potapenko <glider@...gle.com>
To:     Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc:     syzbot+f8495bff23a879a6d0bd@...kaller.appspotmail.com,
        borisp@...lanox.com, aviadye@...lanox.com, davejwatson@...com,
        David Miller <davem@...emloft.net>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        linux-crypto@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs@...glegroups.com
Subject: Re: KMSAN: uninit-value in gf128mul_4k_lle (3)

On Sat, Nov 24, 2018 at 12:02 AM Ard Biesheuvel
<ard.biesheuvel@...aro.org> wrote:
>
> (+ TLS maintainers)

This bug is also reproducible without KMSAN: if we fill the newly
allocated skb fragment with "AAAA" (see the patch below) we can see
these bytes being passed into the crypto functions.
Note that KMSAN enables CONFIG_GENERIC_CSUM, so one might need
something along the lines of
https://github.com/google/kmsan/commit/fffec98ae2a605a3b8a6b3518e3d61d66c1bfd0a
to reproduce this.

=======================================
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 2545c5f89c4c..654b3e9877a5 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -1005,6 +1005,25 @@ void __crypto_xor(u8 *dst, const u8 *src1,
const u8 *src2, unsigned int len)
 {
        int relalign = 0;

+       char saved;
+       char *s1 = (char*)src1, *s2 = (char*)src2;
+       if (len) {
+               saved = s1[len-1];
+               s1[len-1] = 0;
+               if (strstr(s1, "AAAA"))
+                       pr_err("src1: %s\n", s1);
+               s1[len-1] = saved;
+       }
+       if (len) {
+               saved = s2[len-1];
+               s2[len-1] = 0;
+               if (strstr(s2, "AAAA")) {
+                       pr_err("src2: %s\n", s2);
+                       if (s1 == s2)
+                               pr_err("s1 == s2\n");
+               }
+               s2[len-1] = saved;
+       }
        if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) {
                int size = sizeof(unsigned long);
                int d = (((unsigned long)dst ^ (unsigned long)src1) |
diff --git a/net/core/sock.c b/net/core/sock.c
index 080a880a1761..83f15668c3e8 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2216,6 +2216,7 @@ bool skb_page_frag_refill(unsigned int sz,
struct page_frag *pfrag, gfp_t gfp)
                                          SKB_FRAG_PAGE_ORDER);
                if (likely(pfrag->page)) {
                        pfrag->size = PAGE_SIZE << SKB_FRAG_PAGE_ORDER;
+                       memset(page_address(pfrag->page), 'A', pfrag->size);
                        return true;
                }
        }

The bug itself seems to be a data race, it only worked for me with the
multithreaded C reproducer that collided the syscalls.
> On Fri, 23 Nov 2018 at 23:51, syzbot
> <syzbot+f8495bff23a879a6d0bd@...kaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    cddc52641fd2 kmsan: use __memmove() in fixup_bad_iret()
> > git tree:       https://github.com/google/kmsan.git/master
> > console output: https://syzkaller.appspot.com/x/log.txt?x=111c426d400000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=e2808e34f8becb71
> > dashboard link: https://syzkaller.appspot.com/bug?extid=f8495bff23a879a6d0bd
> > compiler:       clang version 8.0.0 (trunk 343298)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17c0326d400000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17e4d45d400000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+f8495bff23a879a6d0bd@...kaller.appspotmail.com
> >
> > Local variable description: ----walk@...pto_ctr_crypt
> > Variable was created at:
> >   crypto_ctr_crypt+0xae/0xc30 crypto/ctr.c:129
> >   skcipher_crypt_blkcipher crypto/skcipher.c:622 [inline]
> >   skcipher_encrypt_blkcipher+0x232/0x340 crypto/skcipher.c:631
> > ==================================================================
> > BUG: KMSAN: uninit-value in gf128mul_4k_lle+0x29e/0x310
> > crypto/gf128mul.c:391
> > CPU: 0 PID: 8470 Comm: syz-executor696 Not tainted 4.20.0-rc2+ #88
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> >   kmsan_report+0x19f/0x300 mm/kmsan/kmsan.c:911
> >   __msan_warning+0x76/0xc0 mm/kmsan/kmsan_instr.c:415
> >   gf128mul_4k_lle+0x29e/0x310 crypto/gf128mul.c:391
> >   ghash_update+0x9d3/0x10e0 crypto/ghash-generic.c:75
> >   crypto_shash_update crypto/shash.c:103 [inline]
> >   shash_ahash_update+0x4de/0x600 crypto/shash.c:244
> >   shash_async_update+0x50/0x60 crypto/shash.c:252
> >   crypto_ahash_update include/crypto/hash.h:557 [inline]
> >   gcm_hash_update crypto/gcm.c:235 [inline]
> >   gcm_hash_assoc_remain_continue crypto/gcm.c:344 [inline]
> >   gcm_hash_assoc_continue crypto/gcm.c:375 [inline]
> >   gcm_hash_init_continue crypto/gcm.c:400 [inline]
> >   gcm_hash+0x1dbe/0x4870 crypto/gcm.c:430
> >   gcm_encrypt_continue crypto/gcm.c:455 [inline]
> >   crypto_gcm_encrypt+0x781/0xaa0 crypto/gcm.c:484
> >   crypto_aead_encrypt include/crypto/aead.h:364 [inline]
> >   tls_do_encryption net/tls/tls_sw.c:460 [inline]
> >   tls_push_record+0x2545/0x4290 net/tls/tls_sw.c:657
> >   bpf_exec_tx_verdict+0x16c0/0x1b40 net/tls/tls_sw.c:694
> >   tls_sw_sendmsg+0x136d/0x2a30 net/tls/tls_sw.c:949
> >   inet_sendmsg+0x4e9/0x800 net/ipv4/af_inet.c:798
> >   sock_sendmsg_nosec net/socket.c:621 [inline]
> >   sock_sendmsg net/socket.c:631 [inline]
> >   __sys_sendto+0x940/0xb80 net/socket.c:1788
> >   __do_sys_sendto net/socket.c:1800 [inline]
> >   __se_sys_sendto+0x107/0x130 net/socket.c:1796
> >   __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
> >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > RIP: 0033:0x448509
> > Code: e8 fc e5 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > ff 0f 83 0b 01 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:00007f9ff6aa3cd8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
> > RAX: ffffffffffffffda RBX: 00000000006f0038 RCX: 0000000000448509
> > RDX: 000000000039a191 RSI: 00000000200005c0 RDI: 0000000000000003
> > RBP: 00000000006f0030 R08: 0000000020000000 R09: 000000000000001c
> > R10: 0000000000000000 R11: 0000000000000216 R12: 00000000006f003c
> > R13: 00000000007ffc6f R14: 00007f9ff6aa49c0 R15: 00000000000003e8
> >
> > Uninit was stored to memory at:
> >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:252 [inline]
> >   kmsan_save_stack mm/kmsan/kmsan.c:267 [inline]
> >   kmsan_internal_chain_origin+0x136/0x240 mm/kmsan/kmsan.c:569
> >   __msan_chain_origin+0x6d/0xb0 mm/kmsan/kmsan_instr.c:292
> >   __crypto_xor+0x224/0x15c0 crypto/algapi.c:1029
> >   crypto_xor include/crypto/algapi.h:219 [inline]
> >   ghash_update+0x991/0x10e0 crypto/ghash-generic.c:74
> >   crypto_shash_update crypto/shash.c:103 [inline]
> >   shash_ahash_update+0x4de/0x600 crypto/shash.c:244
> >   shash_async_update+0x50/0x60 crypto/shash.c:252
> >   crypto_ahash_update include/crypto/hash.h:557 [inline]
> >   gcm_hash_update crypto/gcm.c:235 [inline]
> >   gcm_hash_assoc_remain_continue crypto/gcm.c:344 [inline]
> >   gcm_hash_assoc_continue crypto/gcm.c:375 [inline]
> >   gcm_hash_init_continue crypto/gcm.c:400 [inline]
> >   gcm_hash+0x1dbe/0x4870 crypto/gcm.c:430
> >   gcm_encrypt_continue crypto/gcm.c:455 [inline]
> >   crypto_gcm_encrypt+0x781/0xaa0 crypto/gcm.c:484
> >   crypto_aead_encrypt include/crypto/aead.h:364 [inline]
> >   tls_do_encryption net/tls/tls_sw.c:460 [inline]
> >   tls_push_record+0x2545/0x4290 net/tls/tls_sw.c:657
> >   bpf_exec_tx_verdict+0x16c0/0x1b40 net/tls/tls_sw.c:694
> >   tls_sw_sendmsg+0x136d/0x2a30 net/tls/tls_sw.c:949
> >   inet_sendmsg+0x4e9/0x800 net/ipv4/af_inet.c:798
> >   sock_sendmsg_nosec net/socket.c:621 [inline]
> >   sock_sendmsg net/socket.c:631 [inline]
> >   __sys_sendto+0x940/0xb80 net/socket.c:1788
> >   __do_sys_sendto net/socket.c:1800 [inline]
> >   __se_sys_sendto+0x107/0x130 net/socket.c:1796
> >   __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
> >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> >
> > Uninit was stored to memory at:
> >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:252 [inline]
> >   kmsan_save_stack mm/kmsan/kmsan.c:267 [inline]
> >   kmsan_internal_chain_origin+0x136/0x240 mm/kmsan/kmsan.c:569
> >   __msan_chain_origin+0x6d/0xb0 mm/kmsan/kmsan_instr.c:292
> >   __crypto_xor+0x224/0x15c0 crypto/algapi.c:1029
> >   crypto_xor include/crypto/algapi.h:219 [inline]
> >   crypto_ctr_crypt_inplace crypto/ctr.c:115 [inline]
> >   crypto_ctr_crypt+0x776/0xc30 crypto/ctr.c:142
> >   skcipher_crypt_blkcipher crypto/skcipher.c:622 [inline]
> >   skcipher_encrypt_blkcipher+0x232/0x340 crypto/skcipher.c:631
> >   crypto_skcipher_encrypt include/crypto/skcipher.h:534 [inline]
> >   crypto_gcm_encrypt+0x512/0xaa0 crypto/gcm.c:483
> >   crypto_aead_encrypt include/crypto/aead.h:364 [inline]
> >   tls_do_encryption net/tls/tls_sw.c:460 [inline]
> >   tls_push_record+0x2545/0x4290 net/tls/tls_sw.c:657
> >   bpf_exec_tx_verdict+0x16c0/0x1b40 net/tls/tls_sw.c:694
> >   tls_sw_sendmsg+0x136d/0x2a30 net/tls/tls_sw.c:949
> >   inet_sendmsg+0x4e9/0x800 net/ipv4/af_inet.c:798
> >   sock_sendmsg_nosec net/socket.c:621 [inline]
> >   sock_sendmsg net/socket.c:631 [inline]
> >   __sys_sendto+0x940/0xb80 net/socket.c:1788
> >   __do_sys_sendto net/socket.c:1800 [inline]
> >   __se_sys_sendto+0x107/0x130 net/socket.c:1796
> >   __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
> >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> >
> > Uninit was created at:
> >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:252 [inline]
> >   kmsan_internal_alloc_meta_for_pages+0x155/0x740 mm/kmsan/kmsan.c:689
> >   kmsan_alloc_page+0x77/0xc0 mm/kmsan/kmsan_hooks.c:320
> >   __alloc_pages_nodemask+0x12ac/0x64d0 mm/page_alloc.c:4421
> >   alloc_pages_current+0x55d/0x7d0 mm/mempolicy.c:2080
> >   alloc_pages include/linux/gfp.h:511 [inline]
> >   skb_page_frag_refill+0x48e/0x7a0 net/core/sock.c:2213
> >   sk_page_frag_refill+0xa4/0x330 net/core/sock.c:2233
> >   sk_msg_alloc+0x22f/0x11a0 net/core/skmsg.c:37
> >   tls_alloc_encrypted_msg net/tls/tls_sw.c:236 [inline]
> >   tls_sw_sendmsg+0xd0c/0x2a30 net/tls/tls_sw.c:871
> >   inet_sendmsg+0x4e9/0x800 net/ipv4/af_inet.c:798
> >   sock_sendmsg_nosec net/socket.c:621 [inline]
> >   sock_sendmsg net/socket.c:631 [inline]
> >   __sys_sendto+0x940/0xb80 net/socket.c:1788
> >   __do_sys_sendto net/socket.c:1800 [inline]
> >   __se_sys_sendto+0x107/0x130 net/socket.c:1796
> >   __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
> >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > ==================================================================
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@...glegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > syzbot.
> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CAKv%2BGu8nZhmFhSy_FJLA2HkO4O56N3BdowNKmBcmCRoH%2BiNx%2BA%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ