lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20190610222524.GS63833@gmail.com>
Date:   Mon, 10 Jun 2019 15:25:25 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     Boris Pismenny <borisp@...lanox.com>,
        Aviad Yehezkel <aviadye@...lanox.com>,
        Dave Watson <davejwatson@...com>
Cc:     Alexander Potapenko <glider@...gle.com>,
        David Miller <davem@...emloft.net>, netdev@...r.kernel.org,
        syzbot+f8495bff23a879a6d0bd@...kaller.appspotmail.com,
        syzkaller-bugs@...glegroups.com
Subject: [net/tls] Re: KMSAN: uninit-value in gf128mul_4k_lle (3)

This TLS bug is still present.  See more recent report here:
https://syzkaller.appspot.com/text?tag=CrashReport&x=10613446a00000

On Wed, Nov 28, 2018 at 11:58:37AM +0100, 'Alexander Potapenko' via syzkaller-bugs wrote:
> On Sat, Nov 24, 2018 at 12:02 AM Ard Biesheuvel
> <ard.biesheuvel@...aro.org> wrote:
> >
> > (+ TLS maintainers)
> 
> This bug is also reproducible without KMSAN: if we fill the newly
> allocated skb fragment with "AAAA" (see the patch below) we can see
> these bytes being passed into the crypto functions.
> Note that KMSAN enables CONFIG_GENERIC_CSUM, so one might need
> something along the lines of
> https://github.com/google/kmsan/commit/fffec98ae2a605a3b8a6b3518e3d61d66c1bfd0a
> to reproduce this.
> 
> =======================================
> diff --git a/crypto/algapi.c b/crypto/algapi.c
> index 2545c5f89c4c..654b3e9877a5 100644
> --- a/crypto/algapi.c
> +++ b/crypto/algapi.c
> @@ -1005,6 +1005,25 @@ void __crypto_xor(u8 *dst, const u8 *src1,
> const u8 *src2, unsigned int len)
>  {
>         int relalign = 0;
> 
> +       char saved;
> +       char *s1 = (char*)src1, *s2 = (char*)src2;
> +       if (len) {
> +               saved = s1[len-1];
> +               s1[len-1] = 0;
> +               if (strstr(s1, "AAAA"))
> +                       pr_err("src1: %s\n", s1);
> +               s1[len-1] = saved;
> +       }
> +       if (len) {
> +               saved = s2[len-1];
> +               s2[len-1] = 0;
> +               if (strstr(s2, "AAAA")) {
> +                       pr_err("src2: %s\n", s2);
> +                       if (s1 == s2)
> +                               pr_err("s1 == s2\n");
> +               }
> +               s2[len-1] = saved;
> +       }
>         if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) {
>                 int size = sizeof(unsigned long);
>                 int d = (((unsigned long)dst ^ (unsigned long)src1) |
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 080a880a1761..83f15668c3e8 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -2216,6 +2216,7 @@ bool skb_page_frag_refill(unsigned int sz,
> struct page_frag *pfrag, gfp_t gfp)
>                                           SKB_FRAG_PAGE_ORDER);
>                 if (likely(pfrag->page)) {
>                         pfrag->size = PAGE_SIZE << SKB_FRAG_PAGE_ORDER;
> +                       memset(page_address(pfrag->page), 'A', pfrag->size);
>                         return true;
>                 }
>         }
> 
> The bug itself seems to be a data race, it only worked for me with the
> multithreaded C reproducer that collided the syscalls.
> > On Fri, 23 Nov 2018 at 23:51, syzbot
> > <syzbot+f8495bff23a879a6d0bd@...kaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    cddc52641fd2 kmsan: use __memmove() in fixup_bad_iret()
> > > git tree:       https://github.com/google/kmsan.git/master
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=111c426d400000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=e2808e34f8becb71
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=f8495bff23a879a6d0bd
> > > compiler:       clang version 8.0.0 (trunk 343298)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17c0326d400000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17e4d45d400000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+f8495bff23a879a6d0bd@...kaller.appspotmail.com
> > >
> > > Local variable description: ----walk@...pto_ctr_crypt
> > > Variable was created at:
> > >   crypto_ctr_crypt+0xae/0xc30 crypto/ctr.c:129
> > >   skcipher_crypt_blkcipher crypto/skcipher.c:622 [inline]
> > >   skcipher_encrypt_blkcipher+0x232/0x340 crypto/skcipher.c:631
> > > ==================================================================
> > > BUG: KMSAN: uninit-value in gf128mul_4k_lle+0x29e/0x310
> > > crypto/gf128mul.c:391
> > > CPU: 0 PID: 8470 Comm: syz-executor696 Not tainted 4.20.0-rc2+ #88
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Call Trace:
> > >   __dump_stack lib/dump_stack.c:77 [inline]
> > >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> > >   kmsan_report+0x19f/0x300 mm/kmsan/kmsan.c:911
> > >   __msan_warning+0x76/0xc0 mm/kmsan/kmsan_instr.c:415
> > >   gf128mul_4k_lle+0x29e/0x310 crypto/gf128mul.c:391
> > >   ghash_update+0x9d3/0x10e0 crypto/ghash-generic.c:75
> > >   crypto_shash_update crypto/shash.c:103 [inline]
> > >   shash_ahash_update+0x4de/0x600 crypto/shash.c:244
> > >   shash_async_update+0x50/0x60 crypto/shash.c:252
> > >   crypto_ahash_update include/crypto/hash.h:557 [inline]
> > >   gcm_hash_update crypto/gcm.c:235 [inline]
> > >   gcm_hash_assoc_remain_continue crypto/gcm.c:344 [inline]
> > >   gcm_hash_assoc_continue crypto/gcm.c:375 [inline]
> > >   gcm_hash_init_continue crypto/gcm.c:400 [inline]
> > >   gcm_hash+0x1dbe/0x4870 crypto/gcm.c:430
> > >   gcm_encrypt_continue crypto/gcm.c:455 [inline]
> > >   crypto_gcm_encrypt+0x781/0xaa0 crypto/gcm.c:484
> > >   crypto_aead_encrypt include/crypto/aead.h:364 [inline]
> > >   tls_do_encryption net/tls/tls_sw.c:460 [inline]
> > >   tls_push_record+0x2545/0x4290 net/tls/tls_sw.c:657
> > >   bpf_exec_tx_verdict+0x16c0/0x1b40 net/tls/tls_sw.c:694
> > >   tls_sw_sendmsg+0x136d/0x2a30 net/tls/tls_sw.c:949
> > >   inet_sendmsg+0x4e9/0x800 net/ipv4/af_inet.c:798
> > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > >   sock_sendmsg net/socket.c:631 [inline]
> > >   __sys_sendto+0x940/0xb80 net/socket.c:1788
> > >   __do_sys_sendto net/socket.c:1800 [inline]
> > >   __se_sys_sendto+0x107/0x130 net/socket.c:1796
> > >   __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > RIP: 0033:0x448509
> > > Code: e8 fc e5 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > > ff 0f 83 0b 01 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> > > RSP: 002b:00007f9ff6aa3cd8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
> > > RAX: ffffffffffffffda RBX: 00000000006f0038 RCX: 0000000000448509
> > > RDX: 000000000039a191 RSI: 00000000200005c0 RDI: 0000000000000003
> > > RBP: 00000000006f0030 R08: 0000000020000000 R09: 000000000000001c
> > > R10: 0000000000000000 R11: 0000000000000216 R12: 00000000006f003c
> > > R13: 00000000007ffc6f R14: 00007f9ff6aa49c0 R15: 00000000000003e8
> > >
> > > Uninit was stored to memory at:
> > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:252 [inline]
> > >   kmsan_save_stack mm/kmsan/kmsan.c:267 [inline]
> > >   kmsan_internal_chain_origin+0x136/0x240 mm/kmsan/kmsan.c:569
> > >   __msan_chain_origin+0x6d/0xb0 mm/kmsan/kmsan_instr.c:292
> > >   __crypto_xor+0x224/0x15c0 crypto/algapi.c:1029
> > >   crypto_xor include/crypto/algapi.h:219 [inline]
> > >   ghash_update+0x991/0x10e0 crypto/ghash-generic.c:74
> > >   crypto_shash_update crypto/shash.c:103 [inline]
> > >   shash_ahash_update+0x4de/0x600 crypto/shash.c:244
> > >   shash_async_update+0x50/0x60 crypto/shash.c:252
> > >   crypto_ahash_update include/crypto/hash.h:557 [inline]
> > >   gcm_hash_update crypto/gcm.c:235 [inline]
> > >   gcm_hash_assoc_remain_continue crypto/gcm.c:344 [inline]
> > >   gcm_hash_assoc_continue crypto/gcm.c:375 [inline]
> > >   gcm_hash_init_continue crypto/gcm.c:400 [inline]
> > >   gcm_hash+0x1dbe/0x4870 crypto/gcm.c:430
> > >   gcm_encrypt_continue crypto/gcm.c:455 [inline]
> > >   crypto_gcm_encrypt+0x781/0xaa0 crypto/gcm.c:484
> > >   crypto_aead_encrypt include/crypto/aead.h:364 [inline]
> > >   tls_do_encryption net/tls/tls_sw.c:460 [inline]
> > >   tls_push_record+0x2545/0x4290 net/tls/tls_sw.c:657
> > >   bpf_exec_tx_verdict+0x16c0/0x1b40 net/tls/tls_sw.c:694
> > >   tls_sw_sendmsg+0x136d/0x2a30 net/tls/tls_sw.c:949
> > >   inet_sendmsg+0x4e9/0x800 net/ipv4/af_inet.c:798
> > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > >   sock_sendmsg net/socket.c:631 [inline]
> > >   __sys_sendto+0x940/0xb80 net/socket.c:1788
> > >   __do_sys_sendto net/socket.c:1800 [inline]
> > >   __se_sys_sendto+0x107/0x130 net/socket.c:1796
> > >   __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Uninit was stored to memory at:
> > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:252 [inline]
> > >   kmsan_save_stack mm/kmsan/kmsan.c:267 [inline]
> > >   kmsan_internal_chain_origin+0x136/0x240 mm/kmsan/kmsan.c:569
> > >   __msan_chain_origin+0x6d/0xb0 mm/kmsan/kmsan_instr.c:292
> > >   __crypto_xor+0x224/0x15c0 crypto/algapi.c:1029
> > >   crypto_xor include/crypto/algapi.h:219 [inline]
> > >   crypto_ctr_crypt_inplace crypto/ctr.c:115 [inline]
> > >   crypto_ctr_crypt+0x776/0xc30 crypto/ctr.c:142
> > >   skcipher_crypt_blkcipher crypto/skcipher.c:622 [inline]
> > >   skcipher_encrypt_blkcipher+0x232/0x340 crypto/skcipher.c:631
> > >   crypto_skcipher_encrypt include/crypto/skcipher.h:534 [inline]
> > >   crypto_gcm_encrypt+0x512/0xaa0 crypto/gcm.c:483
> > >   crypto_aead_encrypt include/crypto/aead.h:364 [inline]
> > >   tls_do_encryption net/tls/tls_sw.c:460 [inline]
> > >   tls_push_record+0x2545/0x4290 net/tls/tls_sw.c:657
> > >   bpf_exec_tx_verdict+0x16c0/0x1b40 net/tls/tls_sw.c:694
> > >   tls_sw_sendmsg+0x136d/0x2a30 net/tls/tls_sw.c:949
> > >   inet_sendmsg+0x4e9/0x800 net/ipv4/af_inet.c:798
> > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > >   sock_sendmsg net/socket.c:631 [inline]
> > >   __sys_sendto+0x940/0xb80 net/socket.c:1788
> > >   __do_sys_sendto net/socket.c:1800 [inline]
> > >   __se_sys_sendto+0x107/0x130 net/socket.c:1796
> > >   __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Uninit was created at:
> > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:252 [inline]
> > >   kmsan_internal_alloc_meta_for_pages+0x155/0x740 mm/kmsan/kmsan.c:689
> > >   kmsan_alloc_page+0x77/0xc0 mm/kmsan/kmsan_hooks.c:320
> > >   __alloc_pages_nodemask+0x12ac/0x64d0 mm/page_alloc.c:4421
> > >   alloc_pages_current+0x55d/0x7d0 mm/mempolicy.c:2080
> > >   alloc_pages include/linux/gfp.h:511 [inline]
> > >   skb_page_frag_refill+0x48e/0x7a0 net/core/sock.c:2213
> > >   sk_page_frag_refill+0xa4/0x330 net/core/sock.c:2233
> > >   sk_msg_alloc+0x22f/0x11a0 net/core/skmsg.c:37
> > >   tls_alloc_encrypted_msg net/tls/tls_sw.c:236 [inline]
> > >   tls_sw_sendmsg+0xd0c/0x2a30 net/tls/tls_sw.c:871
> > >   inet_sendmsg+0x4e9/0x800 net/ipv4/af_inet.c:798
> > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > >   sock_sendmsg net/socket.c:631 [inline]
> > >   __sys_sendto+0x940/0xb80 net/socket.c:1788
> > >   __do_sys_sendto net/socket.c:1800 [inline]
> > >   __se_sys_sendto+0x107/0x130 net/socket.c:1796
> > >   __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > ==================================================================
> > >
> > >
> > > ---
> > > This bug is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@...glegroups.com.
> > >
> > > syzbot will keep track of this bug report. See:
> > > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > > syzbot.
> > > syzbot can test patches for this bug, for details see:
> > > https://goo.gl/tpsmEJ#testing-patches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ