Herbert -
Following commit 493b2ed3f7603a15ff738553384d5a4510ffeb95, there is a NULL
dereference crash in algif_hash when recv() is called twice like this:
send(sk, data, len, MSG_MORE);
recv(sk, hash1, len, 0);
recv(sk, hash2, len, 0);
In 4.8 and earlier, the two recvs return identical data. In 4.9-rc5, the
second recv triggers this:
[ 53.041287] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[ 53.042048] IP: [<ffffffffa73fdfb3>] shash_ahash_digest+0x23/0x130
(shash_ahash_digest+0x23 corresponds to the second line of the function,
which accesses sg->offset)
[ 53.042572] PGD 131f74067 [ 53.042796] PUD 13140f067
PMD 0 [ 53.043093]
[ 53.043236] Oops: 0000 [#1] SMP
[ 53.043511] Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_raw ip6table_security ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle iptable_raw iptable_security iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle ebtable_filter ebtables ip6table_filter ip6_tables snd_hda_codec_generic snd_hda_intel snd_hda_codec crct10dif_pclmul crc32_pclmul snd_hda_core ghash_clmulni_intel snd_hwdep snd_seq ppdev snd_seq_device snd_pcm joydev snd_timer virtio_balloon snd pcspkr acpi_cpufreq tpm_tis parport_pc parport tpm_tis_core tpm i2c_piix4 soundcore qemu_fw_cfg nfsd auth_rpcgss nfs_acl lockd grace sunrpc virtio_net virtio_blk virtio_console qxl drm_kms_helper ttm ata_generic crc32c_intel drm virtio_pci serio_raw floppy virtio_ring pata_acpi virtio
[ 53.050799] CPU: 0 PID: 1069 Comm: test-checksum Not tainted 4.9.0-rc5+ #75
[ 53.051393] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.1-1.fc24 04/01/2014
[ 53.052131] task: ffff8d2d72430000 task.stack: ffff95b280fe4000
[ 53.052622] RIP: 0010:[<ffffffffa73fdfb3>] [<ffffffffa73fdfb3>] shash_ahash_digest+0x23/0x130
[ 53.053363] RSP: 0018:ffff95b280fe7d40 EFLAGS: 00010246
[ 53.053827] RAX: 0000000000001000 RBX: ffff8d2d71c8bbf8 RCX: 0000000000000000
[ 53.054424] RDX: 0000000000000000 RSI: ffff8d2d71c8bbf8 RDI: ffff8d2d71c8bba8
[ 53.055014] RBP: ffff95b280fe7d60 R08: 00000000001ddb00 R09: ffff8d2d71f03810
[ 53.055603] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa73fe0c0
[ 53.056210] R13: ffff8d2d71c8bba8 R14: ffff95b280fe7e30 R15: 0000000000000000
[ 53.056822] FS: 00007f91f1138700(0000) GS:ffff8d2d7b200000(0000) knlGS:0000000000000000
[ 53.057502] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.058004] CR2: 0000000000000010 CR3: 000000013149e000 CR4: 00000000003406f0
[ 53.058616] Stack:
[ 53.058796] ffff8d2d71c8bba8 ffffffffa73fe0c0 ffff8d2d71c8d000 ffff95b280fe7e30
[ 53.059473] ffff95b280fe7d70 ffffffffa73fe0e4 ffff95b280fe7d98 ffffffffa73fd4c9
[ 53.060153] ffff8d2d71c8b800 ffff8d2d71c8b800 0000000000000010 ffff95b280fe7da8
[ 53.060831] Call Trace:
[ 53.061051] [<ffffffffa73fe0c0>] ? shash_ahash_digest+0x130/0x130
[ 53.061601] [<ffffffffa73fe0e4>] shash_async_digest+0x24/0x30
[ 53.062119] [<ffffffffa73fd4c9>] crypto_ahash_op+0x29/0x70
[ 53.062621] [<ffffffffa73fd566>] crypto_ahash_digest+0x16/0x20
[ 53.063149] [<ffffffffa7415519>] hash_recvmsg+0x1a9/0x1d0
[ 53.063655] [<ffffffffa777180d>] sock_recvmsg+0x3d/0x50
[ 53.064129] [<ffffffffa7771a4d>] SYSC_recvfrom+0xdd/0x160
[ 53.064786] [<ffffffffa70d3339>] ? task_work_run+0x99/0xc0
[ 53.065501] [<ffffffffa710db55>] ? trace_hardirqs_on_caller+0xf5/0x1b0
[ 53.066313] [<ffffffffa700301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.067069] [<ffffffffa777318e>] SyS_recvfrom+0xe/0x10
[ 53.067706] [<ffffffffa78f1101>] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 53.068476] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 b8 00 10 00 00 48 89 e5 41 56 41 55 41 54 53 49 89 fd 48 8b 4f 38 41 8b 55 30 48 89 f3 <8b> 79 10 29 f8 39 41 14 0f 46 41 14 39 c2 72 3a 48 8b 06 48 89
[ 53.071995] RIP [<ffffffffa73fdfb3>] shash_ahash_digest+0x23/0x130
[ 53.072800] RSP <ffff95b280fe7d40>
[ 53.073259] CR2: 0000000000000010
[ 53.073700] ---[ end trace 6249058719c9daea ]---
If I revert 493b2ed3f7603a15ff738553384d5a4510ffeb95, there is no crash.
Regards,
--
Mat Martineau
Intel OTC
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html