[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <00000000000093ab2d060cdbbbe2@google.com>
Date: Tue, 19 Dec 2023 04:09:04 -0800
From: syzbot <syzbot+8ffb0839a24e9c6bfa76@...kaller.appspotmail.com>
To: eadavis@...com, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [crypto?] KASAN: slab-out-of-bounds Read in arc4_crypt
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in arc4_crypt
"syz-executor.0" (5497) uses obsolete ecb(arc4) skcipher
ivs: ffff8880296a9ae0, v: 0, s: 0, ri: 0000000000000010, wi: 0000000000000000, crypto_lskcipher_crypt_sg
==================================================================
BUG: KASAN: slab-out-of-bounds in arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46
Read of size 4 at addr ffff8880296a9ee0 by task syz-executor.0/5497
CPU: 1 PID: 5497 Comm: syz-executor.0 Not tainted 6.7.0-rc5-next-20231215-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
arc4_crypt+0x31c/0x4e0 lib/crypto/arc4.c:46
crypto_arc4_crypt+0x61/0x70 crypto/arc4.c:37
crypto_lskcipher_crypt_sg+0x398/0x600 crypto/lskcipher.c:235
crypto_skcipher_decrypt+0xda/0x160 crypto/skcipher.c:693
_skcipher_recvmsg crypto/algif_skcipher.c:199 [inline]
skcipher_recvmsg+0xc2b/0x1040 crypto/algif_skcipher.c:221
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1066
____sys_recvmsg+0x21f/0x5c0 net/socket.c:2801
___sys_recvmsg+0x115/0x1a0 net/socket.c:2843
__sys_recvmsg+0x114/0x1e0 net/socket.c:2873
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a
RIP: 0033:0x7f029aa7cba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f029b7d40c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007f029ab9bf80 RCX: 00007f029aa7cba9
RDX: 0000000000000000 RSI: 00000000200005c0 RDI: 0000000000000004
RBP: 00007f029aac847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f029ab9bf80 R15: 00007fff19420af8
</TASK>
Allocated by task 78:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_set_track+0x24/0x30 mm/kasan/common.c:61
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slub.c:3817 [inline]
slab_alloc_node mm/slub.c:3864 [inline]
kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3883
__d_alloc+0x32/0xac0 fs/dcache.c:1769
d_alloc+0x4e/0x220 fs/dcache.c:1849
d_alloc_parallel+0xe9/0x12d0 fs/dcache.c:2638
__lookup_slow+0x194/0x450 fs/namei.c:1678
lookup_one_len+0x17d/0x1b0 fs/namei.c:2755
start_creating.part.0+0x12f/0x3a0 fs/debugfs/inode.c:382
start_creating fs/debugfs/inode.c:355 [inline]
__debugfs_create_file+0xa5/0x620 fs/debugfs/inode.c:427
minstrel_ht_add_sta_debugfs+0x2f/0x50 net/mac80211/rc80211_minstrel_ht_debugfs.c:332
rate_control_add_sta_debugfs net/mac80211/rate.h:60 [inline]
sta_info_insert_finish net/mac80211/sta_info.c:879 [inline]
sta_info_insert_rcu+0xe3e/0x1ab0 net/mac80211/sta_info.c:944
ieee80211_ibss_finish_sta+0x21c/0x3a0 net/mac80211/ibss.c:575
ieee80211_ibss_add_sta+0x3a8/0x730 net/mac80211/ibss.c:631
ieee80211_update_sta_info net/mac80211/ibss.c:1005 [inline]
ieee80211_rx_bss_info net/mac80211/ibss.c:1096 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1577 [inline]
ieee80211_ibss_rx_queued_mgmt+0x28b7/0x3140 net/mac80211/ibss.c:1604
ieee80211_iface_process_skb net/mac80211/iface.c:1589 [inline]
ieee80211_iface_work+0xa67/0xda0 net/mac80211/iface.c:1643
cfg80211_wiphy_work+0x24e/0x330 net/wireless/core.c:437
process_one_work+0x8a4/0x15f0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b6/0x1290 kernel/workqueue.c:2787
kthread+0x2c1/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_set_track+0x24/0x30 mm/kasan/common.c:61
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:384
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slub.c:3985 [inline]
__kmalloc_node_track_caller+0x220/0x470 mm/slub.c:4005
kmemdup+0x29/0x60 mm/util.c:131
kmemdup include/linux/fortify-string.h:761 [inline]
ip6t_register_table+0x1d0/0x420 net/ipv6/netfilter/ip6_tables.c:1768
ip6table_security_table_init+0x40/0x60 net/ipv6/netfilter/ip6table_security.c:45
xt_find_table_lock+0x2cf/0x4e0 net/netfilter/x_tables.c:1259
xt_request_find_table_lock+0x28/0xf0 net/netfilter/x_tables.c:1284
get_info+0x1a1/0x7c0 net/ipv4/netfilter/ip_tables.c:963
do_ip6t_get_ctl+0x16a/0xae0 net/ipv6/netfilter/ip6_tables.c:1660
nf_getsockopt+0x76/0xe0 net/netfilter/nf_sockopt.c:116
ipv6_getsockopt+0x1f9/0x2b0 net/ipv6/ipv6_sockglue.c:1488
tcp_getsockopt+0x97/0xf0 net/ipv4/tcp.c:4361
do_sock_getsockopt+0x2e1/0x6c0 net/socket.c:2371
__sys_getsockopt+0x1a1/0x270 net/socket.c:2400
__do_sys_getsockopt net/socket.c:2410 [inline]
__se_sys_getsockopt net/socket.c:2407 [inline]
__x64_sys_getsockopt+0xbd/0x150 net/socket.c:2407
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a
Second to last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
__kasan_record_aux_stack+0xc2/0xd0 mm/kasan/generic.c:517
__call_rcu_common.constprop.0+0x9a/0x7b0 kernel/rcu/tree.c:2689
call_rcu_hurry include/linux/rcupdate.h:114 [inline]
dst_release net/core/dst.c:167 [inline]
dst_release+0x1b5/0x1e0 net/core/dst.c:164
refdst_drop include/net/dst.h:263 [inline]
skb_dst_drop include/net/dst.h:275 [inline]
skb_release_head_state+0x254/0x2b0 net/core/skbuff.c:1041
skb_release_all net/core/skbuff.c:1056 [inline]
kfree_skb_add_bulk net/core/skbuff.c:1129 [inline]
kfree_skb_list_reason+0x17b/0x4c0 net/core/skbuff.c:1151
__dev_xmit_skb net/core/dev.c:3840 [inline]
__dev_queue_xmit+0x255b/0x3d40 net/core/dev.c:4311
dev_queue_xmit include/linux/netdevice.h:3165 [inline]
neigh_resolve_output net/core/neighbour.c:1563 [inline]
neigh_resolve_output+0x584/0x8f0 net/core/neighbour.c:1543
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x673/0x1820 net/ipv6/ip6_output.c:137
__ip6_finish_output net/ipv6/ip6_output.c:211 [inline]
ip6_finish_output+0x3c7/0xf70 net/ipv6/ip6_output.c:222
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x1e2/0x530 net/ipv6/ip6_output.c:243
dst_output include/net/dst.h:451 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ndisc_send_skb+0xa13/0x18f0 net/ipv6/ndisc.c:509
ndisc_send_rs+0x133/0x6a0 net/ipv6/ndisc.c:719
addrconf_dad_completed+0x486/0x1030 net/ipv6/addrconf.c:4303
addrconf_dad_begin net/ipv6/addrconf.c:4068 [inline]
addrconf_dad_work+0xd5c/0x14b0 net/ipv6/addrconf.c:4170
process_one_work+0x8a4/0x15f0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b6/0x1290 kernel/workqueue.c:2787
kthread+0x2c1/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
The buggy address belongs to the object at ffff8880296a9800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 1024 bytes to the right of
allocated 736-byte region [ffff8880296a9800, ffff8880296a9ae0)
The buggy address belongs to the physical page:
page:ffffea0000a5aa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880296ac000 pfn:0x296a8
head:ffffea0000a5aa00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888013041dc0 ffffea00052f8a00 0000000000000003
raw: ffff8880296ac000 000000008010000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 2871, tgid 2871 (kworker/u4:11), ts 83336024213, free_ts 79470601630
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1540
prep_new_page mm/page_alloc.c:1547 [inline]
get_page_from_freelist+0xa19/0x3740 mm/page_alloc.c:3355
__alloc_pages+0x22e/0x2410 mm/page_alloc.c:4611
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:2191 [inline]
allocate_slab mm/slub.c:2358 [inline]
new_slab+0x283/0x3c0 mm/slub.c:2411
___slab_alloc+0x4ab/0x1990 mm/slub.c:3544
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3629
__slab_alloc_node mm/slub.c:3682 [inline]
slab_alloc_node mm/slub.c:3854 [inline]
__do_kmalloc_node mm/slub.c:3984 [inline]
__kmalloc_node_track_caller+0x367/0x470 mm/slub.c:4005
kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1298 [inline]
nlmsg_new include/net/netlink.h:1010 [inline]
inet6_rt_notify+0xf0/0x2b0 net/ipv6/route.c:6171
fib6_del_route net/ipv6/ip6_fib.c:1999 [inline]
fib6_del+0xfae/0x17a0 net/ipv6/ip6_fib.c:2034
fib6_clean_node+0x41f/0x5b0 net/ipv6/ip6_fib.c:2196
fib6_walk_continue+0x44c/0x8c0 net/ipv6/ip6_fib.c:2118
fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2166
fib6_clean_tree+0xd7/0x110 net/ipv6/ip6_fib.c:2246
page last free pid 5061 tgid 5053 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x51f/0xb10 mm/page_alloc.c:2390
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2530
vfree+0x181/0x7a0 mm/vmalloc.c:2842
snd_dma_free_pages+0x51/0x60 sound/core/memalloc.c:126
do_free_pages sound/core/pcm_memory.c:93 [inline]
do_free_pages sound/core/pcm_memory.c:88 [inline]
snd_pcm_lib_free_pages+0x172/0x380 sound/core/pcm_memory.c:499
do_hw_free sound/core/pcm_native.c:893 [inline]
snd_pcm_release_substream.part.0+0x29c/0x330 sound/core/pcm_native.c:2760
snd_pcm_release_substream+0x5b/0x70 sound/core/pcm_native.c:2754
snd_pcm_oss_release_file sound/core/oss/pcm_oss.c:2413 [inline]
snd_pcm_oss_release_file sound/core/oss/pcm_oss.c:2405 [inline]
snd_pcm_oss_release+0x175/0x310 sound/core/oss/pcm_oss.c:2592
__fput+0x270/0xbb0 fs/file_table.c:381
__fput_sync+0x47/0x50 fs/file_table.c:466
__do_sys_close fs/open.c:1595 [inline]
__se_sys_close fs/open.c:1580 [inline]
__x64_sys_close+0x86/0xf0 fs/open.c:1580
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x62/0x6a
Memory state around the buggy address:
ffff8880296a9d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880296a9e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880296a9e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880296a9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880296a9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 17cb8a20 Add linux-next specific files for 20231215
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=168fefc6e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=ec104439b5dbc583
dashboard link: https://syzkaller.appspot.com/bug?extid=8ffb0839a24e9c6bfa76
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14276121e80000
Powered by blists - more mailing lists