[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <256755.1686844894@warthog.procyon.org.uk>
Date: Thu, 15 Jun 2023 17:01:34 +0100
From: David Howells <dhowells@...hat.com>
To: syzbot <syzbot+6efc50cc1f8d718d6cb7@...kaller.appspotmail.com>
Cc: dhowells@...hat.com, davem@...emloft.net,
herbert@...dor.apana.org.au, kuba@...nel.org,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [crypto?] KASAN: slab-out-of-bounds Read in extract_iter_to_sg
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 38d2265c77fd..e97abe6055a1 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -4333,8 +4333,7 @@ static void *smb2_get_aead_req(struct crypto_aead *tfm, struct smb_rqst *rqst,
}
sgtable.orig_nents = sgtable.nents;
- rc = extract_iter_to_sg(iter, count, &sgtable,
- num_sgs - sgtable.nents, 0);
+ rc = extract_iter_to_sg(iter, count, &sgtable, num_sgs, 0);
iov_iter_revert(iter, rc);
sgtable.orig_nents = sgtable.nents;
}
diff --git a/lib/scatterlist.c b/lib/scatterlist.c
index e97d7060329e..6fd20bfc01a4 100644
--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -1120,7 +1120,8 @@ static ssize_t extract_user_to_sg(struct iov_iter *iter,
pages -= sg_max;
do {
- res = iov_iter_extract_pages(iter, &pages, maxsize, sg_max,
+ res = iov_iter_extract_pages(iter, &pages, maxsize,
+ sg_max - sgtable->nents,
extraction_flags, &off);
if (res < 0)
goto failed;
@@ -1129,7 +1130,6 @@ static ssize_t extract_user_to_sg(struct iov_iter *iter,
maxsize -= len;
ret += len;
npages = DIV_ROUND_UP(off + len, PAGE_SIZE);
- sg_max -= npages;
for (; npages > 0; npages--) {
struct page *page = *pages;
@@ -1142,7 +1142,7 @@ static ssize_t extract_user_to_sg(struct iov_iter *iter,
len -= seg;
off = 0;
}
- } while (maxsize > 0 && sg_max > 0);
+ } while (maxsize > 0 && sgtable->nents < sg_max);
return ret;
@@ -1183,11 +1183,10 @@ static ssize_t extract_bvec_to_sg(struct iov_iter *iter,
sg_set_page(sg, bv[i].bv_page, len, off);
sgtable->nents++;
sg++;
- sg_max--;
ret += len;
maxsize -= len;
- if (maxsize <= 0 || sg_max == 0)
+ if (maxsize <= 0 || sgtable->nents >= sg_max)
break;
start = 0;
}
@@ -1242,14 +1241,13 @@ static ssize_t extract_kvec_to_sg(struct iov_iter *iter,
sg_set_page(sg, page, len, off);
sgtable->nents++;
sg++;
- sg_max--;
len -= seg;
kaddr += PAGE_SIZE;
off = 0;
- } while (len > 0 && sg_max > 0);
+ } while (len > 0 && sgtable->nents < sg_max);
- if (maxsize <= 0 || sg_max == 0)
+ if (maxsize <= 0 || sgtable->nents >= sg_max)
break;
start = 0;
}
@@ -1294,11 +1292,10 @@ static ssize_t extract_xarray_to_sg(struct iov_iter *iter,
sg_set_page(sg, folio_page(folio, 0), len, offset);
sgtable->nents++;
sg++;
- sg_max--;
maxsize -= len;
ret += len;
- if (maxsize <= 0 || sg_max == 0)
+ if (maxsize <= 0 || sgtable->nents >= sg_max)
break;
}
@@ -1318,7 +1315,8 @@ static ssize_t extract_xarray_to_sg(struct iov_iter *iter,
*
* Extract the page fragments from the given amount of the source iterator and
* add them to a scatterlist that refers to all of those bits, to a maximum
- * addition of @sg_max elements.
+ * addition of @sg_max elements. @sgtable->nents indicates how many of the
+ * elements are already used.
*
* The pages referred to by UBUF- and IOVEC-type iterators are extracted and
* pinned; BVEC-, KVEC- and XARRAY-type are extracted but aren't pinned; PIPE-
@@ -1343,6 +1341,11 @@ ssize_t extract_iter_to_sg(struct iov_iter *iter, size_t maxsize,
if (maxsize == 0)
return 0;
+ if (WARN_ON_ONCE(sg_max == 0))
+ return -EIO;
+ if (WARN_ON_ONCE(sgtable->nents >= sg_max))
+ return -EIO;
+
switch (iov_iter_type(iter)) {
case ITER_UBUF:
case ITER_IOVEC:
Powered by blists - more mailing lists