On Fri, Jun 30, 2023 at 12:18 PM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > On Fri, 30 Jun 2023 at 12:11, Alexander Potapenko <glider@xxxxxxxxxx> wrote: > > > > On Fri, Jun 30, 2023 at 12:02 PM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > > > > > On Fri, 30 Jun 2023 at 11:53, Tetsuo Handa > > > <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote: > > > > > > > > On 2023/06/30 18:36, Ard Biesheuvel wrote: > > > > > Why are you sending this now? > > > > > > > > Just because this is currently top crasher and I can reproduce locally. > > > > > > > > > Do you have a reproducer for this issue? > > > > > > > > Yes. https://syzkaller.appspot.com/text?tag=ReproC&x=12931621900000 works. > > > > > > > > > > Could you please share your kernel config and the resulting kernel log > > > when running the reproducer? I'll try to reproduce locally as well, > > > and see if I can figure out what is going on in the crypto layer > > > > The config together with the repro is available at > > https://syzkaller.appspot.com/bug?extid=828dfc12440b4f6f305d, see the > > latest row of the "Crashes" table that contains a C repro. > > Could you explain why that bug contains ~50 reports that seem entirely > unrelated? These are some unfortunate effects of syzbot trying to deduplicate bugs. There's a tradeoff between reporting every single crash separately and grouping together those that have e.g. the same origin. Applying this algorithm transitively results in bigger clusters containing unwanted reports. We'll look closer. > AIUI, this actual issue has not been reproduced since > 2020?? Oh, sorry, I misread the table and misinformed you. The topmost row of the table is indeed the _oldest_ one. Another manifestation of the bug was on 2023/05/23 (https://syzkaller.appspot.com/text?tag=CrashReport&x=146f66b1280000) > > > Config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=ee5f7a0b2e48ed66 > > Report: https://syzkaller.appspot.com/text?tag=CrashReport&x=1325260d900000 > > Syz repro: https://syzkaller.appspot.com/text?tag=ReproSyz&x=11af973e900000 > > C repro: https://syzkaller.appspot.com/text?tag=ReproC&x=163a1e45900000 > > > > The bug is reproducible for me locally as well (and Tetsuo's patch > > makes it disappear, although I have no opinion on its correctness). > > What I'd like to do is run a kernel plus initrd locally in OVMF and > reproduce the issue - can I do that without all the syzkaller > machinery? You can build the kernel from the config linked above, that's what I did to reproduce it locally. As for initrd, there are disk images attached to the reports, will that help? E.g. $ wget https://storage.googleapis.com/syzbot-assets/79bb4ff7cc58/disk-f93f2fed.raw.xz $ unxz disk-f93f2fed.raw.xz $ qemu-system-x86_64 -smp 2,sockets=2,cores=1 -m 4G -drive file=disk-f93f2fed.raw -snapshot -nographic -enable-kvm lets me boot syzkaller with the disk/kernel from that report of 2023/05/23. Adding "-net user,hostfwd=tcp::10022-:22 -net nic,model=e1000" I am also able to SSH into the machine (there's no password): $ ssh -o "StrictHostKeyChecking no" -p 10022 root@localhost Then the repro can be downloaded and executed: $ wget "https://syzkaller.appspot.com/text?tag=ReproC&x=163a1e45900000"; -O t.c $ gcc t.c -static -o t $ scp -o "StrictHostKeyChecking no" -P 10022 t root@localhost: $ ssh -o "StrictHostKeyChecking no" -p 10022 root@localhost ./t Within a couple minutes the kernel crashes with the report: [ 151.522472][ T5865] ===================================================== [ 151.523843][ T5865] BUG: KMSAN: uninit-value in aes_encrypt+0x15cc/0x1db0 [ 151.525120][ T5865] aes_encrypt+0x15cc/0x1db0 [ 151.526113][ T5865] aesti_encrypt+0x7d/0xf0 [ 151.527057][ T5865] crypto_cipher_encrypt_one+0x112/0x200 [ 151.528224][ T5865] crypto_cbcmac_digest_update+0x301/0x4b0 The vmlinux binary (also available at the syzbot page) can be used to symbolize this report, but perhaps at this point you'd love to switch to your own kernel. -- Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Straße, 33 80636 München Geschäftsführer: Paul Manicle, Liana Sebastian Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg
