On 2023/06/29 6:03, Jakub Kicinski wrote: > On Wed, 28 Jun 2023 22:48:01 +0900 Tetsuo Handa wrote: >> syzbot is reporting uninit-value at aes_encrypt(), for block cipher assumes >> that bytes to encrypt/decrypt is multiple of block size for that cipher but >> tls_alloc_encrypted_msg() is not initializing padding bytes when >> required_size is not multiple of block cipher's block size. > > Sounds odd, so crypto layer reads beyond what we submitted as > the buffer? I don't think the buffer needs to be aligned, so > the missing bits may well fall into a different (unmapped?) page. Since passing __GFP_ZERO to skb_page_frag_refill() hides this problem, I think that crypto layer is reading up to block size when requested size is not multiple of block size. > > This needs more careful investigation. Always zeroing the input > is just covering up the real issue. Since block cipher needs to read up to block size, someone has to initialize padding bytes. I guess that crypto API caller is responsible for allocating and initializing padding bytes, otherwise such crypto API caller will fail to encrypt/decrypt last partial bytes which are not multiple of cipher's block size. Which function in this report is responsible for initializing padding bytes?
