crypto: slab-out-of-bounds in skcipher_recvmsg

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

The following program causes slab-out-of-bounds in skcipher_recvmsg:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>

#ifndef SYS_userfaultfd
#define SYS_userfaultfd 323
#endif

long r[72];

void *thr(void *arg)
{
        switch ((long)arg) {
        case 0:
                r[0] = syscall(SYS_mmap, 0x20000000ul, 0x28000ul,
0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
                break;
        case 1:
                r[1] = syscall(SYS_userfaultfd, 0x80000ul, 0, 0, 0, 0, 0);
                break;
        case 2:
                r[2] = syscall(SYS_socket, 0x26ul, 0x5ul, 0x0ul, 0, 0, 0);
                break;
        case 3:
                *(uint16_t*)0x2000c8ab = (uint16_t)0x26;
                memcpy((void*)0x2000c8ad,
"\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
                *(uint32_t*)0x2000c8bb = (uint32_t)0x8;
                *(uint32_t*)0x2000c8bf = (uint32_t)0xb;
                memcpy((void*)0x2000c8c3,
"\x6c\x72\x77\x28\x73\x65\x72\x70\x65\x6e\x74\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
64);
                r[8] = syscall(SYS_bind, r[2], 0x2000c8abul, 0x58ul, 0, 0, 0);
                break;
        case 4:
                memcpy((void*)0x20013fea,
"\xdc\x4f\x77\x67\x54\xf2\x63\xd1\xbe\x5c\x6b\x02\xa6\x65\xeb\xc1\x0f\x74\xbd\xea\x88\x2e",
22);
                r[10] = syscall(SYS_setsockopt, r[2], 0x117ul, 0x1ul,
0x20013feaul, 0x16ul, 0);
                break;
        case 5:
                r[11] = syscall(SYS_accept4, r[2], 0x0ul,
0x2001f000ul, 0x80800ul, 0, 0);
                break;
        case 6:
                r[12] = syscall(SYS_dup3, r[11], r[1], 0x80000ul, 0, 0, 0);
                break;
        case 7:
                *(uint32_t*)0x20027fe2 = (uint32_t)0x20;
                *(uint32_t*)0x20027fe6 = (uint32_t)0x3;
                *(uint64_t*)0x20027fea = (uint64_t)0x0;
                *(uint64_t*)0x20027ff2 = (uint64_t)0x9;
                *(uint32_t*)0x20027ffa = (uint32_t)0x5;
                r[18] = syscall(SYS_write, r[12], 0x20027fe2ul,
0x20ul, 0, 0, 0);
                break;
        case 8:
                r[19] = syscall(SYS_mmap, 0x20028000ul, 0x1000ul,
0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
                break;
        case 9:
                r[20] = syscall(SYS_mmap, 0x20029000ul, 0x1000ul,
0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
                break;
        case 10:
                r[21] = syscall(SYS_mmap, 0x20029000ul, 0x1000ul,
0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
                break;
        case 11:
                r[22] = syscall(SYS_mmap, 0x20029000ul, 0x1000ul,
0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
                break;
        case 12:
                r[23] = syscall(SYS_mmap, 0x20029000ul, 0x1000ul,
0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
                break;
        case 13:
                r[24] = syscall(SYS_mmap, 0x20029000ul, 0x1000ul,
0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
                break;
        case 14:
                r[25] = syscall(SYS_mmap, 0x20029000ul, 0x1000ul,
0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
                break;
        case 15:
                *(uint64_t*)0x200290fc = (uint64_t)0x20029000;
                *(uint32_t*)0x20029104 = (uint32_t)0x80;
                *(uint64_t*)0x2002910c = (uint64_t)0x200298fa;
                *(uint64_t*)0x20029114 = (uint64_t)0x4;
                *(uint64_t*)0x2002911c = (uint64_t)0x20029000;
                *(uint64_t*)0x20029124 = (uint64_t)0x14;
                *(uint32_t*)0x2002912c = (uint32_t)0x6;
                *(uint64_t*)0x200298fa = (uint64_t)0x20029f85;
                *(uint64_t*)0x20029902 = (uint64_t)0xd4;
                *(uint64_t*)0x2002990a = (uint64_t)0x20029ff4;
                *(uint64_t*)0x20029912 = (uint64_t)0x21;
                *(uint64_t*)0x2002991a = (uint64_t)0x20029e5e;
                *(uint64_t*)0x20029922 = (uint64_t)0xcd;
                *(uint64_t*)0x2002992a = (uint64_t)0x20029ff5;
                *(uint64_t*)0x20029932 = (uint64_t)0x38;
                r[41] = syscall(SYS_recvmsg, r[12], 0x200290fcul,
0x40010102ul, 0, 0, 0);
                break;
        case 16:
                *(uint64_t*)0x20028000 = (uint64_t)0x200116d7;
                *(uint32_t*)0x20028008 = (uint32_t)0x1c;
                *(uint64_t*)0x20028010 = (uint64_t)0x20028767;
                *(uint64_t*)0x20028018 = (uint64_t)0x1;
                *(uint64_t*)0x20028020 = (uint64_t)0x20028eba;
                *(uint64_t*)0x20028028 = (uint64_t)0x2;
                *(uint32_t*)0x20028030 = (uint32_t)0x804;
                memcpy((void*)0x200116d7,
"\x0a\x00\xab\x08\xcb\xc6\x9d\xd5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x9f\x5e\x4b\x81",
28);
                *(uint64_t*)0x20028767 = (uint64_t)0x20028f0f;
                *(uint64_t*)0x2002876f = (uint64_t)0x89;
                memcpy((void*)0x20028f0f,
"\xe2\xce\x66\x53\xea\xa6\x66\x67\x2d\x07\xd0\x6f\xdc\x69\x19\x2f\xd3\x37\x4a\x0a\xcf\xb9\x85\x4b\xcc\x47\x33\x46\x6e\x96\x1b\x3e\x2a\xc3\x8a\x61\xf8\x37\x1c\xcf\x4c\x6e\xdb\x93\xd1\xf6\x93\x38\x9a\x16\xa7\x8b\x3d\x21\x4f\x48\xe0\x8a\x0d\x34\x83\x2a\x17\xe0\xc3\x9f\xa9\xca\x5f\x9b\x9c\xc8\x5b\x33\x8b\x7d\xc8\xf8\xb8\x70\xc5\x01\x18\xe2\xc9\x19\xdd\x38\x22\x50\x09\x00\x2a\x3e\x38\x87\xcb\x48\x4e\x05\x2d\x6f\xc0\x90\xe7\x94\x15\xdf\x0e\xd4\x6d\xeb\x42\x73\x6d\x51\x87\x46\xad\x1c\x95\x4e\x96\x96\x31\x0b\x7f\xdc\x47\x04\xe9\xc3\x84\x01\xeb\x9c\xb8",
137);
                *(uint64_t*)0x20028eba = (uint64_t)0x15;
                *(uint32_t*)0x20028ec2 = (uint32_t)0xfffffffffffffff9;
                *(uint32_t*)0x20028ec6 = (uint32_t)0x13a9fde2;
                *(uint8_t*)0x20028eca = (uint8_t)0x3;
                *(uint8_t*)0x20028ecb = (uint8_t)0x9;
                *(uint8_t*)0x20028ecc = (uint8_t)0x2;
                *(uint8_t*)0x20028ecd = (uint8_t)0x2;
                *(uint8_t*)0x20028ece = (uint8_t)0xffffffffffffffff;
                *(uint64_t*)0x20028ecf = (uint64_t)0x13;
                *(uint32_t*)0x20028ed7 = (uint32_t)0x9;
                *(uint32_t*)0x20028edb = (uint32_t)0x5;
                *(uint8_t*)0x20028edf = (uint8_t)0x1;
                *(uint8_t*)0x20028ee0 = (uint8_t)0x1;
                *(uint8_t*)0x20028ee1 = (uint8_t)0x69f3;
                r[67] = syscall(SYS_sendmsg, r[12], 0x20028000ul,
0x5ul, 0, 0, 0);
                break;
        case 17:
                r[68] = syscall(SYS_fcntl, r[11], 0x2ul, 0x1ul, 0, 0, 0);
                break;
        case 18:
                r[69] = syscall(SYS_mmap, 0x2002a000ul, 0x1000ul,
0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
                break;
        case 19:
                *(uint32_t*)0x2002affd = (uint32_t)0x5;
                r[71] = syscall(SYS_setsockopt, r[11], 0x0ul, 0xaul,
0x2002affdul, 0x4ul, 0);
                break;
        }
        return 0;
}

int main()
{
        long i;
        pthread_t th[20];

        memset(r, -1, sizeof(r));
        for (i = 0; i < 20; i++) {
                pthread_create(&th[i], 0, thr, (void*)i);
                usleep(10000);
        }
        for (i = 0; i < 20; i++) {
                pthread_create(&th[i], 0, thr, (void*)i);
                if (i%2==0)
                        usleep(10000);
        }
        usleep(100000);
        return 0;
}


==================================================================
BUG: KASAN: slab-out-of-bounds in skcipher_recvmsg+0x1894/0x1c00 at
addr ffff8800619033a4
Read of size 4 by task syz-executor/7411
=============================================================================
BUG kmalloc-4096 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in sock_kmalloc+0x7f/0xc0 age=21 cpu=2 pid=7411
[<      none      >] ___slab_alloc+0x486/0x4e0 mm/slub.c:2468
[<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2497
[<     inline     >] slab_alloc_node mm/slub.c:2560
[<     inline     >] slab_alloc mm/slub.c:2602
[<      none      >] __kmalloc+0x2b9/0x350 mm/slub.c:3562
[<     inline     >] kmalloc include/linux/slab.h:463
[<      none      >] sock_kmalloc+0x7f/0xc0 net/core/sock.c:1792
[<      none      >] skcipher_alloc_sgl+0x234/0x2f0 crypto/algif_skcipher.c:143
[<      none      >] skcipher_sendmsg+0x5ff/0x1040 crypto/algif_skcipher.c:389
[<     inline     >] sock_sendmsg_nosec net/socket.c:611
[<      none      >] sock_sendmsg+0xca/0x110 net/socket.c:621
[<      none      >] sock_write_iter+0x216/0x3a0 net/socket.c:820
[<     inline     >] new_sync_write fs/read_write.c:517
[<      none      >] __vfs_write+0x302/0x480 fs/read_write.c:530
[<      none      >] vfs_write+0x167/0x4a0 fs/read_write.c:577
[<     inline     >] SYSC_write fs/read_write.c:624
[<      none      >] SyS_write+0x111/0x220 fs/read_write.c:616
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Slab 0xffffea0001864000 objects=7 used=7 fp=0x          (null)
flags=0x5fffc0000004080
INFO: Object 0xffff8800619023b0 @offset=9136 fp=0xffff880062e31d88
CPU: 2 PID: 7411 Comm: syz-executor Tainted: G    B           4.4.0+ #254
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff880033bdf910 ffffffff82925f7d ffff88003e806a00
 ffff8800619023b0 ffff880061900000 ffff880033bdf940 ffffffff81741284
 ffff88003e806a00 ffffea0001864000 ffff8800619023b0 ffff8800619023b0

Call Trace:
 [<ffffffff8174a79e>] __asan_report_load4_noabort+0x3e/0x40
mm/kasan/report.c:294
 [<     inline     >] skcipher_recvmsg_sync crypto/algif_skcipher.c:654
 [<ffffffff8286a6c4>] skcipher_recvmsg+0x1894/0x1c00 crypto/algif_skcipher.c:710
 [<     inline     >] sock_recvmsg_nosec net/socket.c:713
 [<ffffffff85103560>] sock_recvmsg+0xa0/0xc0 net/socket.c:721
 [<ffffffff85106329>] ___sys_recvmsg+0x259/0x540 net/socket.c:2100
 [<ffffffff851084fe>] __sys_recvmsg+0xce/0x170 net/socket.c:2146
 [<     inline     >] SYSC_recvmsg net/socket.c:2158
 [<ffffffff851085cd>] SyS_recvmsg+0x2d/0x50 net/socket.c:2153
 [<ffffffff8626c436>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

Memory state around the buggy address:
 ffff880061903280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff880061903300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff880061903380: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff880061903400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880061903480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


On commit 67990608c8b95d2b8ccc29932376ae73d5818727 (Jan 12) + a bunch
of unmerged patches form Herbert:
https://gist.githubusercontent.com/dvyukov/7d4eca91f086d7042379/raw/a69956bc779ed112aab671e4e6375fd5595c0548/gistfile1.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux