syzbot


KASAN: use-after-free Write in null_skcipher_crypt

Status: fixed on 2023/02/24 13:50
Subsystems: crypto
[Documentation on labels]
Reported-by: syzbot+d2c5e6980bfc84513464@syzkaller.appspotmail.com
Fix commit: ebe48d368e97 esp: Fix possible buffer overflow in ESP transformation
First crash: 1231d, last: 1028d
Cause bisection: introduced by (bisect log) :
commit 8d2cb3ad31181f050af4d46d6854cf332d1207a9
Author: Calvin Johnson <calvin.johnson@oss.nxp.com>
Date: Fri Jun 11 10:53:55 2021 +0000

  of: mdio: Refactor of_mdiobus_register_phy()

Crash: BUG: sleeping function called from invalid context in lock_sock_nested (log)
Repro: C syz .config
  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] KASAN: use-after-free Write in null_skcipher_crypt 3 (4) 2021/08/24 10:48
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 KASAN: use-after-free Write in null_skcipher_crypt 1 1069d 1069d 2/2 fixed on 2022/03/23 23:19
Last patch testing requests (2)
Created Duration User Patch Repo Result
2022/03/16 23:44 8m tadeusz.struk@linaro.org upstream OK
2021/08/21 08:10 10m chouhan.shreyansh630@gmail.com upstream report log
Fix bisection attempts (5)
Created Duration User Patch Repo Result
2022/02/11 11:54 19m bisect fix upstream OK (0) job log log
2022/01/12 11:32 21m bisect fix upstream OK (0) job log log
2021/12/13 11:13 19m bisect fix upstream OK (0) job log log
2021/11/11 18:51 20m bisect fix upstream OK (0) job log log
2021/10/12 18:24 27m bisect fix upstream OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: use-after-free in null_skcipher_crypt+0xa8/0x120 crypto/crypto_null.c:85
Write of size 4096 at addr ffff888074df8000 by task syz-executor157/3589

CPU: 1 PID: 3589 Comm: syz-executor157 Not tainted 5.17.0-rc6-syzkaller-00066-g5859a2b19911 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:225 [inline]
 null_skcipher_crypt+0xa8/0x120 crypto/crypto_null.c:85
 crypto_skcipher_encrypt+0xaa/0xf0 crypto/skcipher.c:630
 crypto_authenc_encrypt+0x3b4/0x510 crypto/authenc.c:222
 crypto_aead_encrypt+0xaa/0xf0 crypto/aead.c:94
 esp6_output_tail+0x777/0x1a90 net/ipv6/esp6.c:658
 esp6_output+0x4af/0x8a0 net/ipv6/esp6.c:734
 xfrm_output_one net/xfrm/xfrm_output.c:553 [inline]
 xfrm_output_resume+0x2a92/0x5ca0 net/xfrm/xfrm_output.c:588
 xfrm_output2 net/xfrm/xfrm_output.c:615 [inline]
 xfrm_output+0x2eb/0x1290 net/xfrm/xfrm_output.c:765
 __xfrm6_output+0x4bf/0x1080 net/ipv6/xfrm6_output.c:87
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 xfrm6_output+0x117/0x550 net/ipv6/xfrm6_output.c:92
 dst_output include/net/dst.h:451 [inline]
 ip6_local_out+0xaf/0x1a0 net/ipv6/output_core.c:161
 ip6_send_skb+0xb7/0x340 net/ipv6/ip6_output.c:1912
 ip6_push_pending_frames+0xdd/0x100 net/ipv6/ip6_output.c:1932
 rawv6_push_pending_frames net/ipv6/raw.c:613 [inline]
 rawv6_sendmsg+0x2b89/0x3b30 net/ipv6/raw.c:956
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2413
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f255dfc6559
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe53f07168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f255dfc6559
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
RBP: 00007f255df8a540 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000000e8 R11: 0000000000000246 R12: 00007f255df8a5d0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 3589:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:586 [inline]
 tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x272/0x380 security/tomoyo/file.c:771
 tomoyo_file_open security/tomoyo/tomoyo.c:311 [inline]
 tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:306
 security_file_open+0x45/0xb0 security/security.c:1638
 do_dentry_open+0x358/0x1250 fs/open.c:811
 do_open fs/namei.c:3476 [inline]
 path_openat+0x1c9e/0x2940 fs/namei.c:3609
 do_filp_open+0x1aa/0x400 fs/namei.c:3636
 do_sys_openat2+0x16d/0x4d0 fs/open.c:1214
 do_sys_open fs/open.c:1230 [inline]
 __do_sys_openat fs/open.c:1246 [inline]
 __se_sys_openat fs/open.c:1241 [inline]
 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1241
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3589:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
 slab_free mm/slub.c:3509 [inline]
 kfree+0xd0/0x390 mm/slub.c:4562
 tomoyo_realpath_from_path+0x191/0x620 security/tomoyo/realpath.c:291
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x272/0x380 security/tomoyo/file.c:771
 tomoyo_file_open security/tomoyo/tomoyo.c:311 [inline]
 tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:306
 security_file_open+0x45/0xb0 security/security.c:1638
 do_dentry_open+0x358/0x1250 fs/open.c:811
 do_open fs/namei.c:3476 [inline]
 path_openat+0x1c9e/0x2940 fs/namei.c:3609
 do_filp_open+0x1aa/0x400 fs/namei.c:3636
 do_sys_openat2+0x16d/0x4d0 fs/open.c:1214
 do_sys_open fs/open.c:1230 [inline]
 __do_sys_openat fs/open.c:1246 [inline]
 __se_sys_openat fs/open.c:1241 [inline]
 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1241
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888074df8000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 0 bytes inside of
 4096-byte region [ffff888074df8000, ffff888074df9000)
The buggy address belongs to the page:
page:ffffea0001d37e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74df8
head:ffffea0001d37e00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c42140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2967, ts 17149793924, free_ts 17109961066
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab+0x27f/0x3c0 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0xbe1/0x12b0 mm/slub.c:3018
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 __kmalloc+0x372/0x450 mm/slub.c:4420
 kmalloc include/linux/slab.h:586 [inline]
 tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822
 security_inode_getattr+0xcf/0x140 security/security.c:1337
 vfs_getattr fs/stat.c:157 [inline]
 vfs_statx+0x164/0x390 fs/stat.c:225
 vfs_fstatat fs/stat.c:243 [inline]
 __do_sys_newfstatat+0x96/0x120 fs/stat.c:412
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3404
 __unfreeze_partials+0x320/0x340 mm/slub.c:2536
 qlink_free mm/kasan/quarantine.c:157 [inline]
 qlist_free_all+0x6d/0x160 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slub.c:3230 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc+0x1b1/0x4b0 mm/slub.c:3243
 anon_vma_alloc mm/rmap.c:90 [inline]
 anon_vma_fork+0xed/0x630 mm/rmap.c:355
 dup_mmap kernel/fork.c:571 [inline]
 dup_mm+0xa07/0x13e0 kernel/fork.c:1451
 copy_mm kernel/fork.c:1503 [inline]
 copy_process+0x3cf7/0x7250 kernel/fork.c:2164
 kernel_clone+0xe7/0xab0 kernel/fork.c:2565
 __do_sys_clone+0xc8/0x110 kernel/fork.c:2682
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff888074df7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888074df7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888074df8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888074df8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888074df8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/03/03 23:23 upstream 5859a2b19911 45a13a73 .config console log report syz C ci-upstream-kasan-gce-root KASAN: use-after-free Write in null_skcipher_crypt
2021/09/12 16:04 upstream 78e709522d2c 5ae8508a .config console log report syz C ci-upstream-kasan-gce KASAN: use-after-free Write in null_skcipher_crypt
2021/08/13 17:19 net-old a9a507013a6f 3fd2ea69 .config console log report syz C ci-upstream-net-this-kasan-gce KASAN: use-after-free Write in null_skcipher_crypt
* Struck through repros no longer work on HEAD.