syzbot


KASAN: use-after-free Read in __crypto_xor

Status: fixed on 2022/03/08 16:11
Subsystems: crypto
[Documentation on labels]
Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
Fix commit: 68b6dea802ce crypto: pcrypt - Delay write to padata->info da353fac65fe net/tls: Fix flipped sign in tls_err_abort() calls
First crash: 1208d, last: 1144d
Cause bisection: introduced by (bisect log) :
commit 4611ce22468895acd61fee9ac1da810d60617d9a
Author: Daniel Jordan <daniel.m.jordan@oracle.com>
Date: Wed Jun 3 22:59:39 2020 +0000

  padata: allocate work structures for parallel jobs from a pool

Crash: no output from test machine (log)
Repro: C syz .config
  
Discussions (15)
Title Replies (including bot) Last reply
[PATCH 5.10 000/575] 5.10.80-rc1 review 595 (595) 2022/07/31 10:51
[PATCH 4.19 000/323] 4.19.218-rc1 review 339 (339) 2021/12/04 10:30
[PATCH 4.4 000/162] 4.4.293-rc1 review 168 (168) 2021/11/25 13:11
[PATCH 4.14 000/251] 4.14.256-rc1 review 262 (262) 2021/11/25 13:07
[PATCH 4.9 000/207] 4.9.291-rc1 review 216 (216) 2021/11/25 12:58
[PATCH 5.15 000/917] 5.15.3-rc1 review 945 (945) 2021/11/24 18:04
[PATCH 5.4 000/355] 5.4.160-rc1 review 373 (373) 2021/11/16 16:50
[PATCH 5.14 000/849] 5.14.19-rc1 review 859 (859) 2021/11/16 14:04
[PATCH 5.10 00/77] 5.10.77-rc1 review 99 (99) 2021/11/12 22:56
[PATCH 5.14 000/125] 5.14.16-rc1 review 130 (130) 2021/11/02 07:19
[PATCH 5.4 00/51] 5.4.157-rc1 review 55 (55) 2021/11/01 11:42
[PATCH] crypto: pcrypt - Delay write to padata->info 2 (2) 2021/10/29 13:12
[PATCH net v2 1/2] net/tls: Fix flipped sign in tls_err_abort() calls 3 (3) 2021/10/28 13:50
[PATCH] net/tls: Fix flipped sign in tls_err_abort() calls 3 (3) 2021/10/22 17:50
[syzbot] KASAN: use-after-free Read in __crypto_xor 1 (2) 2021/09/04 01:33
Fix bisection attempts (1)
Created Duration User Patch Repo Result
2021/10/04 05:10 30m bisect fix upstream OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __crypto_xor+0x376/0x410 crypto/algapi.c:1001
Read of size 8 at addr ffff888073b7e725 by task kworker/u4:1/10

CPU: 1 PID: 10 Comm: kworker/u4:1 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: pencrypt_parallel padata_parallel_worker
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 __crypto_xor+0x376/0x410 crypto/algapi.c:1001
 crypto_xor include/crypto/algapi.h:160 [inline]
 crypto_ctr_crypt_segment crypto/ctr.c:60 [inline]
 crypto_ctr_crypt+0x256/0x550 crypto/ctr.c:114
 crypto_skcipher_encrypt+0xaa/0xf0 crypto/skcipher.c:630
 crypto_gcm_encrypt+0x38f/0x4b0 crypto/gcm.c:461
 crypto_aead_encrypt+0xaa/0xf0 crypto/aead.c:94
 pcrypt_aead_enc+0x13/0x70 crypto/pcrypt.c:82
 padata_parallel_worker+0x60/0xb0 kernel/padata.c:144
 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:2959 [inline]
 slab_alloc mm/slub.c:2967 [inline]
 kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2972
 kmem_cache_zalloc include/linux/slab.h:711 [inline]
 lsm_file_alloc security/security.c:572 [inline]
 security_file_alloc+0x34/0x170 security/security.c:1515
 __alloc_file+0xd8/0x280 fs/file_table.c:106
 alloc_empty_file+0x6d/0x170 fs/file_table.c:150
 path_openat+0xe4/0x2740 fs/namei.c:3545
 do_filp_open+0x1aa/0x400 fs/namei.c:3586
 do_sys_openat2+0x16d/0x4d0 fs/open.c:1200
 do_sys_open fs/open.c:1216 [inline]
 __do_sys_open fs/open.c:1224 [inline]
 __se_sys_open fs/open.c:1220 [inline]
 __x64_sys_open+0x119/0x1c0 fs/open.c:1220
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888073b7e700
 which belongs to the cache lsm_file_cache of size 80
The buggy address is located 37 bytes inside of
 80-byte region [ffff888073b7e700, ffff888073b7e750)
The buggy address belongs to the page:
page:ffffea0001cedf80 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888073b7ef50 pfn:0x73b7e
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001ce8c48 ffffea0001cb88c8 ffff888010dc6000
raw: ffff888073b7ef50 0000000000240005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 64591664193, free_ts 64586178118
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4168
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5390
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2291
 alloc_slab_page mm/slub.c:1691 [inline]
 allocate_slab+0x32e/0x4b0 mm/slub.c:1831
 new_slab mm/slub.c:1894 [inline]
 new_slab_objects mm/slub.c:2640 [inline]
 ___slab_alloc+0x473/0x7b0 mm/slub.c:2803
 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2843
 slab_alloc_node mm/slub.c:2925 [inline]
 slab_alloc mm/slub.c:2967 [inline]
 kmem_cache_alloc+0x3e1/0x4a0 mm/slub.c:2972
 kmem_cache_zalloc include/linux/slab.h:711 [inline]
 lsm_file_alloc security/security.c:572 [inline]
 security_file_alloc+0x34/0x170 security/security.c:1515
 __alloc_file+0xd8/0x280 fs/file_table.c:106
 alloc_empty_file+0x6d/0x170 fs/file_table.c:150
 path_openat+0xe4/0x2740 fs/namei.c:3545
 do_filp_open+0x1aa/0x400 fs/namei.c:3586
 do_sys_openat2+0x16d/0x4d0 fs/open.c:1200
 do_sys_open fs/open.c:1216 [inline]
 __do_sys_open fs/open.c:1224 [inline]
 __se_sys_open fs/open.c:1220 [inline]
 __x64_sys_open+0x119/0x1c0 fs/open.c:1220
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1346 [inline]
 free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397
 free_unref_page_prepare mm/page_alloc.c:3332 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3411
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0x95/0xb0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:2959 [inline]
 slab_alloc mm/slub.c:2967 [inline]
 kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2972
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:138
 getname_flags+0x9a/0xe0 include/linux/audit.h:319
 user_path_at_empty+0x2b/0x90 fs/namei.c:2801
 user_path_at include/linux/namei.h:57 [inline]
 vfs_statx+0x142/0x390 fs/stat.c:221
 vfs_fstatat fs/stat.c:243 [inline]
 vfs_lstat include/linux/fs.h:3351 [inline]
 __do_sys_newlstat+0x91/0x110 fs/stat.c:398
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff888073b7e600: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fc fc
 ffff888073b7e680: fc fc fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff888073b7e700: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
                               ^
 ffff888073b7e780: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
 ffff888073b7e800: fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb
==================================================================

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/09/04 05:01 upstream 7cca308cfdc0 d236a457 .config console log report syz C ci-upstream-kasan-gce KASAN: use-after-free Read in __crypto_xor
2021/08/01 01:37 net-next-old 3e12361b6d23 6c236867 .config console log report syz C ci-upstream-net-kasan-gce KASAN: use-after-free Read in __crypto_xor
2021/08/12 12:08 upstream 1746f4db5135 6972b106 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in __crypto_xor
2021/08/07 15:12 upstream c9194f32bfd9 6972b106 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in __crypto_xor
2021/08/07 01:53 upstream 894d6f401b21 6972b106 .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in __crypto_xor
2021/08/05 21:34 upstream 902e7f373fff d2d6e680 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in __crypto_xor
2021/08/01 21:22 upstream d4affd6b6e81 6c236867 .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in __crypto_xor
2021/08/01 00:07 upstream f3438b4c4e69 6c236867 .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in __crypto_xor
2021/08/04 16:30 linux-next 8d4b477da1a8 b97d64c9 .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __crypto_xor
* Struck through repros no longer work on HEAD.