syzbot


KASAN: slab-out-of-bounds Write in sha3_update

Status: closed as dup on 2017/11/28 21:35
Subsystems: crypto
Reported-by: syzbot+738fe8ad300f43de6dd637f91d595f9fc0df79ba@syzkaller.appspotmail.com
First crash: 2580d, last: 2558d
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
KASAN: stack-out-of-bounds Write in sha3_update crypto C 5 2584d 2580d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Write in sha3_update (2) crypto C 49 2517d 2556d 4/28 fixed on 2018/02/01 10:32

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:341 [inline]
BUG: KASAN: slab-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
Write of size 192 at addr ffff8801cb8888bc by task syzkaller326690/3087

CPU: 0 PID: 3087 Comm: syzkaller326690 Not tainted 4.15.0-rc2+ #208
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 memcpy include/linux/string.h:341 [inline]
 sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
 crypto_shash_update+0xcb/0x220 crypto/shash.c:109
 hmac_update+0x7e/0xa0 crypto/hmac.c:122
 crypto_shash_update+0xcb/0x220 crypto/shash.c:109
 kdf_ctr security/keys/dh.c:181 [inline]
 keyctl_dh_compute_kdf security/keys/dh.c:226 [inline]
 __keyctl_dh_compute+0x16d8/0x1a00 security/keys/dh.c:398
 keyctl_dh_compute+0xac/0xf3 security/keys/dh.c:434
 SYSC_keyctl security/keys/keyctl.c:1745 [inline]
 SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x43fe89
RSP: 002b:00007ffc460c3578 EFLAGS: 00000207 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe89
RDX: 00000000205cd000 RSI: 00000000204c8ff4 RDI: 0000000000000017
RBP: 00000000006ca018 R08: 0000000020550000 R09: 0000000000000000
R10: 0000000000000030 R11: 0000000000000207 R12: 00000000004017f0
R13: 0000000000401880 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3087:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3711 [inline]
 __kmalloc+0x162/0x760 mm/slab.c:3720
 kmalloc include/linux/slab.h:504 [inline]
 kdf_alloc security/keys/dh.c:111 [inline]
 __keyctl_dh_compute+0x2a1/0x1a00 security/keys/dh.c:288
 keyctl_dh_compute+0xac/0xf3 security/keys/dh.c:434
 SYSC_keyctl security/keys/keyctl.c:1745 [inline]
 SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641
 entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 1627:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3491 [inline]
 kfree+0xca/0x250 mm/slab.c:3806
 kernfs_fop_release+0x13f/0x180 fs/kernfs/file.c:783
 __fput+0x333/0x7f0 fs/file_table.c:210
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x199/0x270 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x296/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
 entry_SYSCALL_64_fastpath+0x94/0x96

The buggy address belongs to the object at ffff8801cb8887c0
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 252 bytes inside of
 512-byte region [ffff8801cb8887c0, ffff8801cb8889c0)
The buggy address belongs to the page:
page:00000000e263033c count:1 mapcount:0 mapping:00000000d07273f0 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801cb888040 0000000000000000 0000000100000006
raw: ffffea00072ee260 ffffea00072d1d60 ffff8801db000940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cb888800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cb888880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cb888900: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
                                              ^
 ffff8801cb888980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801cb888a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================

Crashes (18):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2017/12/05 17:59 upstream fd6d2e506ce6 de212f1a .config console log report syz C ci-upstream-kasan-gce
2017/12/03 06:16 upstream 2db767d9889c 48359b97 .config console log report syz C ci-upstream-kasan-gce-386
2017/12/09 01:47 mmots 82bcf1def3b5 5ad0ce95 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/20 08:07 upstream 10a7e9d84915 2d836b1d .config console log report ci-upstream-kasan-gce
2017/12/19 10:37 upstream ace52288edf0 25793abb .config console log report ci-upstream-kasan-gce
2017/12/19 09:35 upstream ace52288edf0 1c4160ef .config console log report ci-upstream-kasan-gce
2017/12/13 02:07 upstream d39a01eff9af 414a185f .config console log report ci-upstream-kasan-gce
2017/12/12 03:39 upstream a638349bf6c2 da131727 .config console log report ci-upstream-kasan-gce
2017/12/11 03:04 upstream 51090c5d6de0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/20 10:32 upstream 10a7e9d84915 2d836b1d .config console log report ci-upstream-kasan-gce-386
2017/12/20 09:33 upstream 10a7e9d84915 2d836b1d .config console log report ci-upstream-kasan-gce-386
2017/12/13 00:25 upstream a638349bf6c2 414a185f .config console log report ci-upstream-kasan-gce-386
2017/12/10 04:34 upstream 4ded3bec65a0 5ad0ce95 .config console log report ci-upstream-kasan-gce-386
2017/11/29 05:17 upstream 43570f0383d6 34f2c233 .config console log report ci-upstream-kasan-gce-386
2017/11/28 06:53 upstream 4fbd8d194f06 ac93d7e1 .config console log report ci-upstream-kasan-gce-386
2017/12/06 03:11 net-next-old 81da3bf6e3f8 0796857b .config console log report ci-upstream-net-kasan-gce
2017/12/03 11:06 net-next-old 75d0de8c7e70 48359b97 .config console log report ci-upstream-net-kasan-gce
2017/12/21 04:28 linux-next 7dc9f647127d 90a46995 .config console log report ci-upstream-next-kasan-gce
* Struck through repros no longer work on HEAD.