KASAN: slab-out-of-bounds Write in sha3_final

Status: closed as dup on 2017/11/28 19:13
Subsystems: crypto
First crash: 2401d, last: 2401d
Duplicate of:
  Title:        KASAN: stack-out-of-bounds Write in sha3_update (subsystem: crypto)
  Repro:        C
  Cause bisect: (none)
  Fix bisect:   (none)
  Count:        5
  Last:         2402d
  Reported:     2398d

Sample crash report:
BUG: KASAN: slab-out-of-bounds in memset include/linux/string.h:326 [inline]
BUG: KASAN: slab-out-of-bounds in sha3_final+0xeb/0x2e0 crypto/sha3_generic.c:173
Write of size 4294967223 at addr ffff8801cc82b719 by task syzkaller968605/3074

CPU: 0 PID: 3074 Comm: syzkaller968605 Not tainted 4.14.0+ #192
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
 memset+0x23/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:326 [inline]
 sha3_final+0xeb/0x2e0 crypto/sha3_generic.c:173
 crypto_shash_final+0xd3/0x1f0 crypto/shash.c:144
 hmac_final+0x16c/0x2b0 crypto/hmac.c:135
 crypto_shash_final+0xd3/0x1f0 crypto/shash.c:144
 hmac_final+0x16c/0x2b0 crypto/hmac.c:135
 crypto_shash_final+0xd3/0x1f0 crypto/shash.c:144
 shash_async_final+0x35/0x40 crypto/shash.c:241
 crypto_ahash_op+0xbc/0x140 crypto/ahash.c:354
 crypto_ahash_final+0x57/0x70 crypto/ahash.c:359
 hash_sendmsg+0x686/0x9c0 crypto/algif_hash.c:131
 sock_sendmsg_nosec net/socket.c:632 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:642
 ___sys_sendmsg+0x322/0x8a0 net/socket.c:2048
 __sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2138
 SYSC_sendmmsg net/socket.c:2169 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2164
RIP: 0033:0x445aa9
RSP: 002b:00007f1ed9ee8dc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445aa9
RDX: 0000000000000005 RSI: 00000000209fe000 RDI: 0000000000000005
RBP: 0000000000000086 R08: 00007f1ed9ee9700 R09: 00007f1ed9ee9700
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffc4936159f R14: 00007f1ed9ee99c0 R15: 0000000000000000

Allocated by task 3073:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3711 [inline]
 __kmalloc+0x162/0x760 mm/slab.c:3720
 kmalloc include/linux/slab.h:504 [inline]
 sock_kmalloc+0x112/0x190 net/core/sock.c:1979
 hash_accept_parent_nokey+0x76/0x320 crypto/algif_hash.c:470
 hash_accept_parent+0x9a/0xd0 crypto/algif_hash.c:497
 af_alg_accept+0x125/0x670 crypto/af_alg.c:294
 alg_accept+0x46/0x60 crypto/af_alg.c:330
 SYSC_accept4+0x384/0x850 net/socket.c:1573
 SyS_accept4 net/socket.c:1523 [inline]
 SYSC_accept net/socket.c:1607 [inline]
 SyS_accept+0x26/0x30 net/socket.c:1604

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801cc82b200
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1305 bytes inside of
 2048-byte region [ffff8801cc82b200, ffff8801cc82ba00)
The buggy address belongs to the page:
page:ffffea0007320a80 count:1 mapcount:0 mapping:ffff8801cc82a100 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801cc82a100 0000000000000000 0000000100000003
raw: ffffea00073220a0 ffff8801db001950 ffff8801db000c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cc82b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cc82b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cc82b700: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff8801cc82b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801cc82b800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Crashes (4):
Time              Kernel        Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Manager                     Title
2017/11/24 17:44  net-next-old  1d3b78bbc6e9  deb5f6ae   .config  console log  report  syz        C        -        ci-upstream-kasan-gce       -
2017/11/24 19:07  net-next-old  0c86a6bd85ff  ddf7b3e0   .config  console log  report  syz        C        -        ci-upstream-net-kasan-gce   -
2017/11/24 18:14  mmots         1ea8d039f9ed  deb5f6ae   .config  console log  report  syz        C        -        ci-upstream-mmots-kasan-gce -
2017/11/24 17:46  linux-next    6fc478f80f68  4bd70f88   .config  console log  report  syz        C        -        ci-upstream-next-kasan-gce  -
* Struck through repros no longer work on HEAD.