| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <415469.1686877408@warthog.procyon.org.uk>
Date: Fri, 16 Jun 2023 02:03:28 +0100
From: David Howells <dhowells@...hat.com>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: dhowells@...hat.com,
syzbot <syzbot+13a08c0bf4d212766c3c@...kaller.appspotmail.com>,
davem@...emloft.net, linux-crypto@...r.kernel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
pabeni@...hat.com, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [crypto?] general protection fault in shash_async_final
Hi Herbert,
Here's a slightly more comprehensive test program for the hashing code to
exercise some combinations of sendmsg, sendmsg+MSG_MORE and recvmsg.
David
---
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>
#define OSERROR(R, S) do { if ((long)(R) == -1L) { perror((S)); exit(1); } } while(0)
static int hashfd;
static unsigned char buf[1024], sbuf[1024];
static const unsigned char no_zeros[2] = { 0xe3, 0xb0 };
static const unsigned char one_zero[2] = { 0x6e, 0x34 };
static const unsigned char two_zeros[2] = { 0x96, 0xa2 };
static void do_send(unsigned int n, unsigned int flags)
{
struct msghdr msg;
struct iovec iov[1];
int res;
memset(&msg, 0, sizeof(msg));
iov[0].iov_base = sbuf;
iov[0].iov_len = n;
msg.msg_iov = iov;
msg.msg_iovlen = 1;
res = sendmsg(hashfd, &msg, flags);
OSERROR(res, "sendmsg");
}
static void do_recv(unsigned int ix, const unsigned char r[2])
{
struct msghdr msg;
struct iovec iov[1];
int res, i;
memset(&msg, 0, sizeof(msg));
iov[0].iov_base = buf;
iov[0].iov_len = sizeof(buf);
msg.msg_iov = iov;
msg.msg_iovlen = 1;
res = recvmsg(hashfd, &msg, 0);
OSERROR(res, "recvmsg");
printf("%3u: ", ix);
for (i = 0; i < res; i++)
printf("%02x", buf[i]);
printf("\n");
if (buf[0] != r[0] || buf[1] != r[1])
fprintf(stderr, " ^ Bad result!\n");
}
int main(void)
{
struct sockaddr_alg salg;
int algfd, res;
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
OSERROR(algfd, "socket");
memset(&salg, 0, sizeof(salg));
salg.salg_family = AF_ALG;
strcpy(salg.salg_type, "hash");
strcpy(salg.salg_name, "sha256");
res = bind(algfd, (struct sockaddr *)&salg, sizeof(salg));
OSERROR(res, "bind/alg");
hashfd = accept4(algfd, NULL, 0, 0);
OSERROR(hashfd, "accept/alg");
//res = setsockopt(3, SOL_ALG, ALG_SET_KEY, NULL, 0);
//OSERROR(res, "setsockopt/ALG_SET_KEY");
/* Test no send */
do_recv(__LINE__, no_zeros);
/* Test single send of 0 */
do_send(0, 0);
do_recv(__LINE__, no_zeros);
do_send(0, MSG_MORE);
do_recv(__LINE__, no_zeros);
/* Test single send of 1 */
do_send(1, 0);
do_recv(__LINE__, one_zero);
do_send(1, MSG_MORE);
do_recv(__LINE__, one_zero);
/* Test single send of 2 */
do_send(2, 0);
do_recv(__LINE__, two_zeros);
do_send(2, MSG_MORE);
do_recv(__LINE__, two_zeros);
/* Test two sends of 1 */
do_send(1, 0);
do_send(1, 0);
do_recv(__LINE__, one_zero);
do_send(1, 0);
do_send(1, MSG_MORE);
do_recv(__LINE__, one_zero);
do_send(1, MSG_MORE);
do_send(1, 0);
do_recv(__LINE__, two_zeros);
do_send(1, MSG_MORE);
do_send(1, MSG_MORE);
do_recv(__LINE__, two_zeros);
/* Test send of 0 then send of 2 */
do_send(0, 0);
do_send(2, 0);
do_recv(__LINE__, two_zeros);
do_send(0, 0);
do_send(2, MSG_MORE);
do_recv(__LINE__, two_zeros);
do_send(0, MSG_MORE);
do_send(2, 0);
do_recv(__LINE__, two_zeros);
do_send(0, MSG_MORE);
do_send(2, MSG_MORE);
do_recv(__LINE__, two_zeros);
/* Test send of 2 then send of 0 */
do_send(2, 0);
do_send(0, 0);
do_recv(__LINE__, no_zeros);
do_send(2, 0);
do_send(0, MSG_MORE);
do_recv(__LINE__, no_zeros);
do_send(2, MSG_MORE);
do_send(0, 0);
do_recv(__LINE__, two_zeros);
do_send(2, MSG_MORE);
do_send(0, MSG_MORE);
do_recv(__LINE__, two_zeros);
return 0;
}
Powered by blists - more mailing lists