syzbot
KASAN: stack-out-of-bounds Read in crypto_chacha20_crypt

Status: closed as dup on 2017/11/29 08:58
Subsystems: crypto
Reported-by: syzbot+f219f03f68409928407df625142fb818c077d0ae@syzkaller.appspotmail.com
First crash: 2588d, last: 2553d
Duplicate of:
  Title                                              Subsystems  Repro  Cause bisect  Fix bisect  Count  Last   Reported
  general protection fault in crypto_chacha20_crypt  crypto      C                                2374   2553d  2584d

Sample crash report:
==================================================================
BUG: KASAN: stack-out-of-bounds in __le32_to_cpup include/uapi/linux/byteorder/little_endian.h:58 [inline]
BUG: KASAN: stack-out-of-bounds in le32_to_cpuvp crypto/chacha20_generic.c:19 [inline]
BUG: KASAN: stack-out-of-bounds in crypto_chacha20_init crypto/chacha20_generic.c:58 [inline]
BUG: KASAN: stack-out-of-bounds in crypto_chacha20_crypt+0xb1a/0xc00 crypto/chacha20_generic.c:91
Read of size 4 at addr ffff8801d9cb7260 by task kworker/0:1/23

CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 4.15.0-rc4+ #230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: crypto cryptd_queue_worker
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 __le32_to_cpup include/uapi/linux/byteorder/little_endian.h:58 [inline]
 le32_to_cpuvp crypto/chacha20_generic.c:19 [inline]
 crypto_chacha20_init crypto/chacha20_generic.c:58 [inline]
 crypto_chacha20_crypt+0xb1a/0xc00 crypto/chacha20_generic.c:91
 chacha20_simd+0xe4/0x410 arch/x86/crypto/chacha20_glue.c:78
 crypto_skcipher_decrypt include/crypto/skcipher.h:463 [inline]
 cryptd_skcipher_decrypt+0x2ed/0x5c0 crypto/cryptd.c:523
 cryptd_queue_worker+0xff/0x1b0 crypto/cryptd.c:190
 process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
 worker_thread+0x223/0x1990 kernel/workqueue.c:2246
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:515

The buggy address belongs to the page:
page:000000003c4c0371 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0007672de0 ffffea0007672de0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d9cb7100: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00
 ffff8801d9cb7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2
>ffff8801d9cb7200: f2 f2 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
                                                       ^
 ffff8801d9cb7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d9cb7300: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 f2
==================================================================
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 23 Comm: kworker/0:1 Tainted: G    B            4.15.0-rc4+ #230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: crypto cryptd_queue_worker
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
 kasan_end_report+0x50/0x50 mm/kasan/report.c:176
 kasan_report_error mm/kasan/report.c:356 [inline]
 kasan_report+0x144/0x340 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 __le32_to_cpup include/uapi/linux/byteorder/little_endian.h:58 [inline]
 le32_to_cpuvp crypto/chacha20_generic.c:19 [inline]
 crypto_chacha20_init crypto/chacha20_generic.c:58 [inline]
 crypto_chacha20_crypt+0xb1a/0xc00 crypto/chacha20_generic.c:91
 chacha20_simd+0xe4/0x410 arch/x86/crypto/chacha20_glue.c:78
 crypto_skcipher_decrypt include/crypto/skcipher.h:463 [inline]
 cryptd_skcipher_decrypt+0x2ed/0x5c0 crypto/cryptd.c:523
 cryptd_queue_worker+0xff/0x1b0 crypto/cryptd.c:190
 process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
 worker_thread+0x223/0x1990 kernel/workqueue.c:2246
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:515
CPU: 1 PID: 15003 Comm: syz-executor4 Tainted: G    B            4.15.0-rc4+ #230
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc mm/slab.c:3368 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3542
 kmem_cache_zalloc include/linux/slab.h:678 [inline]
 cred_alloc_blank+0x67/0x140 kernel/cred.c:211
 keyctl_session_to_parent+0xa3/0xac0 security/keys/keyctl.c:1512
 SYSC_keyctl security/keys/keyctl.c:1719 [inline]
 SyS_keyctl+0xe1/0x2c0 security/keys/keyctl.c:1637
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a09
RSP: 002b:00007efe47ed2c58 EFLAGS: 00000212 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 00007efe47ed2aa0 RCX: 0000000000452a09
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000012
RBP: 00007efe47ed2a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b75bb
R13: 00007efe47ed2bc8 R14: 00000000004b75bb R15: 0000000000000000
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (644):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2017/12/20 13:54 upstream 10a7e9d84915 90a46995 .config console log report ci-upstream-kasan-gce
2017/12/20 12:44 upstream 10a7e9d84915 2d836b1d .config console log report ci-upstream-kasan-gce
2017/12/29 18:12 net-next-old d367341b25bd 7d240098 .config console log report ci-upstream-net-kasan-gce
2017/12/29 12:39 net-next-old d367341b25bd 7d240098 .config console log report ci-upstream-net-kasan-gce
2017/12/28 17:44 net-next-old 836df24a7062 7d240098 .config console log report ci-upstream-net-kasan-gce
2017/12/28 10:56 net-next-old 55b07a65e15b 7d240098 .config console log report ci-upstream-net-kasan-gce
2017/12/26 11:03 net-next-old fba961ab29e5 73aba437 .config console log report ci-upstream-net-kasan-gce
2017/12/25 04:03 net-next-old fba961ab29e5 73aba437 .config console log report ci-upstream-net-kasan-gce
2017/12/25 03:52 net-next-old fba961ab29e5 73aba437 .config console log report ci-upstream-net-kasan-gce
2017/12/25 01:35 net-next-old fba961ab29e5 73aba437 .config console log report ci-upstream-net-kasan-gce
2017/12/24 14:35 net-next-old fba961ab29e5 73aba437 .config console log report ci-upstream-net-kasan-gce
2017/12/23 22:57 net-next-old fba961ab29e5 73aba437 .config console log report ci-upstream-net-kasan-gce
2017/12/21 05:14 net-next-old 8f36e0006543 90a46995 .config console log report ci-upstream-net-kasan-gce
2017/12/20 15:48 net-next-old f39a5c01c3d2 90a46995 .config console log report ci-upstream-net-kasan-gce
2017/12/20 13:54 net-next-old f39a5c01c3d2 90a46995 .config console log report ci-upstream-net-kasan-gce
2017/12/18 14:42 net-next-old c30abd5e40dd 1c4160ef .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:51 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:47 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:46 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:42 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:35 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:33 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:26 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:25 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:25 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:20 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:20 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:09 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 13:09 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 12:52 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 12:52 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 12:38 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 12:35 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 12:11 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 11:52 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 11:52 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 11:38 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 11:38 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 11:29 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce
2017/12/18 11:19 net-next-old c30abd5e40dd d5beb42a .config console log report ci-upstream-net-kasan-gce