lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <415469.1686877408@warthog.procyon.org.uk>
Date: Fri, 16 Jun 2023 02:03:28 +0100
From: David Howells <dhowells@...hat.com>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: dhowells@...hat.com,
    syzbot <syzbot+13a08c0bf4d212766c3c@...kaller.appspotmail.com>,
    davem@...emloft.net, linux-crypto@...r.kernel.org,
    linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
    pabeni@...hat.com, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [crypto?] general protection fault in shash_async_final

Hi Herbert,

Here's a slightly more comprehensive test program for the hashing code to
exercise some combinations of sendmsg, sendmsg+MSG_MORE and recvmsg.

David
---
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>

#define OSERROR(R, S) do { if ((long)(R) == -1L) { perror((S)); exit(1); } } while(0)

static int hashfd;
static unsigned char buf[1024], sbuf[1024];
static const unsigned char no_zeros[2]  = { 0xe3, 0xb0 };
static const unsigned char one_zero[2]  = { 0x6e, 0x34 };
static const unsigned char two_zeros[2] = { 0x96, 0xa2 };

static void do_send(unsigned int n, unsigned int flags)
{
	struct msghdr msg;
	struct iovec iov[1];
	int res;

	memset(&msg, 0, sizeof(msg));
	iov[0].iov_base = sbuf;
	iov[0].iov_len = n;
	msg.msg_iov = iov;
	msg.msg_iovlen = 1;
	res = sendmsg(hashfd, &msg, flags);
	OSERROR(res, "sendmsg");
}

static void do_recv(unsigned int ix, const unsigned char r[2])
{
	struct msghdr msg;
	struct iovec iov[1];
	int res, i;

	memset(&msg, 0, sizeof(msg));
	iov[0].iov_base = buf;
	iov[0].iov_len = sizeof(buf);
	msg.msg_iov = iov;
	msg.msg_iovlen = 1;
	res = recvmsg(hashfd, &msg, 0);
	OSERROR(res, "recvmsg");

	printf("%3u: ", ix);
	for (i = 0; i < res; i++)
		 printf("%02x", buf[i]);
	printf("\n");

	if (buf[0] != r[0] || buf[1] != r[1])
		 fprintf(stderr, "     ^ Bad result!\n");
}

int main(void)
{
	struct sockaddr_alg salg;
	int algfd, res;

	algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
	OSERROR(algfd, "socket");

	memset(&salg, 0, sizeof(salg));
	salg.salg_family = AF_ALG;
	strcpy(salg.salg_type, "hash");
	strcpy(salg.salg_name, "sha256");
	res = bind(algfd, (struct sockaddr *)&salg, sizeof(salg));
	OSERROR(res, "bind/alg");

	hashfd = accept4(algfd, NULL, 0, 0);
	OSERROR(hashfd, "accept/alg");

	//res = setsockopt(3, SOL_ALG, ALG_SET_KEY, NULL, 0);
	//OSERROR(res, "setsockopt/ALG_SET_KEY");
	
	/* Test no send */
	do_recv(__LINE__, no_zeros);

	/* Test single send of 0 */
	do_send(0, 0);
	do_recv(__LINE__, no_zeros);

	do_send(0, MSG_MORE);
	do_recv(__LINE__, no_zeros);

	/* Test single send of 1 */
	do_send(1, 0);
	do_recv(__LINE__, one_zero);

	do_send(1, MSG_MORE);
	do_recv(__LINE__, one_zero);

	/* Test single send of 2 */
	do_send(2, 0);
	do_recv(__LINE__, two_zeros);

	do_send(2, MSG_MORE);
	do_recv(__LINE__, two_zeros);

	/* Test two sends of 1 */
	do_send(1, 0);
	do_send(1, 0);
	do_recv(__LINE__, one_zero);

	do_send(1, 0);
	do_send(1, MSG_MORE);
	do_recv(__LINE__, one_zero);

	do_send(1, MSG_MORE);
	do_send(1, 0);
	do_recv(__LINE__, two_zeros);

	do_send(1, MSG_MORE);
	do_send(1, MSG_MORE);
	do_recv(__LINE__, two_zeros);

	/* Test send of 0 then send of 2 */
	do_send(0, 0);
	do_send(2, 0);
	do_recv(__LINE__, two_zeros);

	do_send(0, 0);
	do_send(2, MSG_MORE);
	do_recv(__LINE__, two_zeros);

	do_send(0, MSG_MORE);
	do_send(2, 0);
	do_recv(__LINE__, two_zeros);

	do_send(0, MSG_MORE);
	do_send(2, MSG_MORE);
	do_recv(__LINE__, two_zeros);

	/* Test send of 2 then send of 0 */
	do_send(2, 0);
	do_send(0, 0);
	do_recv(__LINE__, no_zeros);

	do_send(2, 0);
	do_send(0, MSG_MORE);
	do_recv(__LINE__, no_zeros);

	do_send(2, MSG_MORE);
	do_send(0, 0);
	do_recv(__LINE__, two_zeros);

	do_send(2, MSG_MORE);
	do_send(0, MSG_MORE);
	do_recv(__LINE__, two_zeros);

	return 0;
}


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ