[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <tencent_08175DFCDDF2993CCFAB0D88A5BD0D889207@qq.com>
Date: Wed, 20 Dec 2023 20:51:53 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+8ffb0839a24e9c6bfa76@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [crypto?] KASAN: slab-out-of-bounds Read in arc4_crypt
please test slab-out-of-bounds Read in arc4_crypt
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 17cb8a20bde6
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 02cea2149504..236ba4221b07 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -102,11 +102,12 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
struct alg_sock *pask = alg_sk(psk);
struct af_alg_ctx *ctx = ask->private;
struct crypto_skcipher *tfm = pask->private;
+ struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
unsigned int bs = crypto_skcipher_chunksize(tfm);
struct af_alg_async_req *areq;
unsigned cflags = 0;
int err = 0;
- size_t len = 0;
+ size_t len = 0, aqlen;
if (!ctx->init || (ctx->more && ctx->used < bs)) {
err = af_alg_wait_for_data(sk, flags, bs);
@@ -115,8 +116,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
}
/* Allocate cipher request for current operation. */
- areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
- crypto_skcipher_reqsize(tfm));
+ aqlen = sizeof(struct af_alg_async_req) + crypto_skcipher_reqsize(tfm);
+ if (alg->co.base.cra_type != &crypto_skcipher_type)
+ aqlen += alg->co.statesize;
+ printk("%u, %s\n", alg->co.statesize, __func__);
+ areq = af_alg_alloc_areq(sk, aqlen);
if (IS_ERR(areq))
return PTR_ERR(areq);
diff --git a/crypto/skcipher.c b/crypto/skcipher.c
index bc70e159d27d..0ae4a05a5aa7 100644
--- a/crypto/skcipher.c
+++ b/crypto/skcipher.c
@@ -44,7 +44,6 @@ struct skcipher_walk_buffer {
u8 buffer[];
};
-static const struct crypto_type crypto_skcipher_type;
static int skcipher_walk_next(struct skcipher_walk *walk);
diff --git a/include/crypto/internal/skcipher.h b/include/crypto/internal/skcipher.h
index 7ae42afdcf3e..3c05872652f2 100644
--- a/include/crypto/internal/skcipher.h
+++ b/include/crypto/internal/skcipher.h
@@ -24,6 +24,7 @@
struct aead_request;
struct rtattr;
+static const struct crypto_type crypto_skcipher_type;
struct skcipher_instance {
void (*free)(struct skcipher_instance *inst);
Powered by blists - more mailing lists