lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1433015.1686741914@warthog.procyon.org.uk>
Date: Wed, 14 Jun 2023 12:25:14 +0100
From: David Howells <dhowells@...hat.com>
To: syzbot <syzbot+13a08c0bf4d212766c3c@...kaller.appspotmail.com>
Cc: dhowells@...hat.com, davem@...emloft.net,
    herbert@...dor.apana.org.au, linux-crypto@...r.kernel.org,
    linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
    pabeni@...hat.com, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [crypto?] general protection fault in shash_async_final

Here's a reduced testcase for this.  The key seems to be passing MSG_MORE to
sendmsg() and then not following up with more data before calling recvmsg().
Apart from not oopsing, I wonder what the behaviour should be here?  Should
recvmsg() return an error (EAGAIN or ENODATA maybe) or should it close the
existing operation?

David
---
// https://syzkaller.appspot.com/bug?id=f5d9d503fe959e3b605abdaeedb39b072556281a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>

#define OSERROR(R, S) do { if ((long)(R) == -1L) { perror((S)); exit(1); } } while(0)

int main(void)
{
	struct sockaddr_alg salg;
	struct msghdr msg;
	int algfd, hashfd, res;

	algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
	OSERROR(algfd, "socket");

	memset(&salg, 0, sizeof(salg));
	salg.salg_family = AF_ALG;
	strcpy(salg.salg_type, "hash");
	strcpy(salg.salg_name, "digest_null-generic");
	res = bind(algfd, (struct sockaddr *)&salg, sizeof(salg));
	OSERROR(res, "bind/alg");

	hashfd = accept4(algfd, NULL, 0, 0);
	OSERROR(hashfd, "accept/alg");

	res = setsockopt(3, SOL_ALG, ALG_SET_KEY, NULL, 0);
	OSERROR(res, "setsockopt/ALG_SET_KEY");

	memset(&msg, 0, sizeof(msg));
	res = sendmsg(hashfd, &msg, MSG_MORE);
	OSERROR(res, "sendmsg");

	res = recvmsg(hashfd, &msg, 0);
	OSERROR(res, "recvmsg");
	return 0;
}


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ