syzbot


memory leak in mpihelp_mul_karatsuba_case

Status: fixed on 2019/07/29 13:39
Subsystems: crypto
[Documentation on labels]
Reported-by: syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com
Fix commit: c8ea9fce2baf lib/mpi: Fix karactx leak in mpi_powm
First crash: 1797d, last: 1794d
Discussions (7)
Title Replies (including bot) Last reply
[PATCH 3.16 00/87] 3.16.75-rc1 review 99 (99) 2019/11/19 14:49
[PATCH 5.1 00/96] 5.1.17-stable review 115 (115) 2019/07/15 20:07
[PATCH 4.19 00/90] 4.19.58-stable review 99 (99) 2019/07/10 06:13
[PATCH 4.14 00/56] 4.14.133-stable review 64 (64) 2019/07/10 06:12
[PATCH 4.9 000/102] 4.9.185-stable review 108 (108) 2019/07/10 06:11
[PATCH 4.4 00/73] 4.4.185-stable review 79 (79) 2019/07/10 06:10
memory leak in mpihelp_mul_karatsuba_case 2 (3) 2019/06/24 21:17

Sample crash report:
0000 RSI: 0000000020000080 RDI: 0000000000000017
BUG: memory leak
unreferenced object 0xffff88811c4b1400 (size 512):
  comm "syz-executor765", pid 7133, jiffies 4294943913 (age 14.040s)
  hex dump (first 32 bytes):
    1c 45 69 bb 4f 09 f4 e3 8f c9 b7 46 c2 d4 28 de  .Ei.O......F..(.
    e9 01 76 58 fb db b0 91 87 3e 2e 7d 7a 9c a9 b6  ..vX.....>.}z...
  backtrace:
    [<000000007ecc32d9>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000007ecc32d9>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<000000007ecc32d9>] slab_alloc mm/slab.c:3326 [inline]
    [<000000007ecc32d9>] __do_kmalloc mm/slab.c:3658 [inline]
    [<000000007ecc32d9>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
    [<000000008b197994>] kmalloc include/linux/slab.h:552 [inline]
    [<000000008b197994>] mpi_alloc_limb_space+0x29/0x50 lib/mpi/mpiutil.c:64
    [<000000008342a526>] mpihelp_mul_karatsuba_case+0x394/0x460 lib/mpi/mpih-mul.c:346
    [<000000003d2eb57d>] mpi_powm+0x7b0/0xdd0 lib/mpi/mpi-pow.c:225
    [<0000000098565971>] _compute_val crypto/dh.c:39 [inline]
    [<0000000098565971>] dh_compute_value+0x160/0x220 crypto/dh.c:178
    [<00000000609c67dd>] crypto_kpp_generate_public_key include/crypto/kpp.h:315 [inline]
    [<00000000609c67dd>] __keyctl_dh_compute+0x447/0x970 security/keys/dh.c:367
    [<000000008b5a252c>] keyctl_dh_compute+0x67/0xa6 security/keys/dh.c:422
    [<00000000af10be04>] __do_sys_keyctl security/keys/keyctl.c:1737 [inline]
    [<00000000af10be04>] __se_sys_keyctl security/keys/keyctl.c:1633 [inline]
    [<00000000af10be04>] __x64_sys_keyctl+0xa5/0x330 security/keys/keyctl.c:1633
    [<000000005e7bac68>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<00000000efdd5413>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811c47ec00 (size 512):
  comm "syz-executor765", pid 7134, jiffies 4294944502 (age 8.150s)
  hex dump (first 32 bytes):
    1c 45 69 bb 4f 09 f4 e3 8f c9 b7 46 c2 d4 28 de  .Ei.O......F..(.
    e9 01 76 58 fb db b0 91 87 3e 2e 7d 7a 9c a9 b6  ..vX.....>.}z...
  backtrace:
    [<000000007ecc32d9>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000007ecc32d9>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<000000007ecc32d9>] slab_alloc mm/slab.c:3326 [inline]
    [<000000007ecc32d9>] __do_kmalloc mm/slab.c:3658 [inline]
    [<000000007ecc32d9>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
    [<000000008b197994>] kmalloc include/linux/slab.h:552 [inline]
    [<000000008b197994>] mpi_alloc_limb_space+0x29/0x50 lib/mpi/mpiutil.c:64
    [<00000000dbececb1>] mpihelp_mul_karatsuba_case+0x67/0x460 lib/mpi/mpih-mul.c:331
    [<000000003d2eb57d>] mpi_powm+0x7b0/0xdd0 lib/mpi/mpi-pow.c:225
    [<0000000098565971>] _compute_val crypto/dh.c:39 [inline]
    [<0000000098565971>] dh_compute_value+0x160/0x220 crypto/dh.c:178
    [<00000000609c67dd>] crypto_kpp_generate_public_key include/crypto/kpp.h:315 [inline]
    [<00000000609c67dd>] __keyctl_dh_compute+0x447/0x970 security/keys/dh.c:367
    [<000000008b5a252c>] keyctl_dh_compute+0x67/0xa6 security/keys/dh.c:422
    [<00000000af10be04>] __do_sys_keyctl security/keys/keyctl.c:1737 [inline]
    [<00000000af10be04>] __se_sys_keyctl security/keys/keyctl.c:1633 [inline]
    [<00000000af10be04>] __x64_sys_keyctl+0xa5/0x330 security/keys/keyctl.c:1633
    [<000000005e7bac68>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<00000000efdd5413>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811c47e200 (size 512):
  comm "syz-executor765", pid 7134, jiffies 4294944502 (age 8.150s)
  hex dump (first 32 bytes):
    1c 45 69 bb 4f 09 f4 e3 8f c9 b7 46 c2 d4 28 de  .Ei.O......F..(.
    e9 01 76 58 fb db b0 91 87 3e 2e 7d 7a 9c a9 b6  ..vX.....>.}z...
  backtrace:
    [<000000007ecc32d9>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000007ecc32d9>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<000000007ecc32d9>] slab_alloc mm/slab.c:3326 [inline]
    [<000000007ecc32d9>] __do_kmalloc mm/slab.c:3658 [inline]
    [<000000007ecc32d9>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
    [<000000008b197994>] kmalloc include/linux/slab.h:552 [inline]
    [<000000008b197994>] mpi_alloc_limb_space+0x29/0x50 lib/mpi/mpiutil.c:64
    [<000000008342a526>] mpihelp_mul_karatsuba_case+0x394/0x460 lib/mpi/mpih-mul.c:346
    [<000000003d2eb57d>] mpi_powm+0x7b0/0xdd0 lib/mpi/mpi-pow.c:225
    [<0000000098565971>] _compute_val crypto/dh.c:39 [inline]
    [<0000000098565971>] dh_compute_value+0x160/0x220 crypto/dh.c:178
    [<00000000609c67dd>] crypto_kpp_generate_public_key include/crypto/kpp.h:315 [inline]
    [<00000000609c67dd>] __keyctl_dh_compute+0x447/0x970 security/keys/dh.c:367
    [<000000008b5a252c>] keyctl_dh_compute+0x67/0xa6 security/keys/dh.c:422
    [<00000000af10be04>] __do_sys_keyctl security/keys/keyctl.c:1737 [inline]
    [<00000000af10be04>] __se_sys_keyctl security/keys/keyctl.c:1633 [inline]
    [<00000000af10be04>] __x64_sys_keyctl+0xa5/0x330 security/keys/keyctl.c:1633
    [<000000005e7bac68>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<00000000efdd5413>] entry_SYSCALL_64_after_hwframe+0x44/0xa9


Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/06/24 21:46 upstream 241e39004581 472f0082 .config console log report syz C ci-upstream-gce-leak
2019/06/21 15:19 upstream abf02e2964b3 34bf9440 .config console log report syz C ci-upstream-gce-leak
* Struck through repros no longer work on HEAD.