Re: [syzbot] [crypto?] general protection fault in shash_async_final

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Here's a reduced testcase for this.  The key seems to be passing MSG_MORE to
sendmsg() and then not following up with more data before calling recvmsg().
Apart from not oopsing, I wonder what the behaviour should be here?  Should
recvmsg() return an error (EAGAIN or ENODATA maybe) or should it close the
existing operation?

David
---
// https://syzkaller.appspot.com/bug?id=f5d9d503fe959e3b605abdaeedb39b072556281a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>

#define OSERROR(R, S) do { if ((long)(R) == -1L) { perror((S)); exit(1); } } while(0)

int main(void)
{
	struct sockaddr_alg salg;
	struct msghdr msg;
	int algfd, hashfd, res;

	algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
	OSERROR(algfd, "socket");

	memset(&salg, 0, sizeof(salg));
	salg.salg_family = AF_ALG;
	strcpy(salg.salg_type, "hash");
	strcpy(salg.salg_name, "digest_null-generic");
	res = bind(algfd, (struct sockaddr *)&salg, sizeof(salg));
	OSERROR(res, "bind/alg");

	hashfd = accept4(algfd, NULL, 0, 0);
	OSERROR(hashfd, "accept/alg");

	res = setsockopt(3, SOL_ALG, ALG_SET_KEY, NULL, 0);
	OSERROR(res, "setsockopt/ALG_SET_KEY");

	memset(&msg, 0, sizeof(msg));
	res = sendmsg(hashfd, &msg, MSG_MORE);
	OSERROR(res, "sendmsg");

	res = recvmsg(hashfd, &msg, 0);
	OSERROR(res, "recvmsg");
	return 0;
}





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux