From: Harsh Jain
Subject: Re: BUG: drbg: Added nodes from Stack Memory in link list
Date: Mon, 8 May 2017 14:51:26 +0530
Message-ID:
References: <11088841.2SosuHvOD7@tauon.chronox.de> <1775267.oRCpN7QUMS@tauon.chronox.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: linux-crypto@vger.kernel.org, Herbert Xu
To: Stephan Müller
Return-path:
Received: from mail-wm0-f49.google.com ([74.125.82.49]:37211 "EHLO mail-wm0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751255AbdEHJV2 (ORCPT ); Mon, 8 May 2017 05:21:28 -0400
Received: by mail-wm0-f49.google.com with SMTP id m123so57641823wma.0 for ; Mon, 08 May 2017 02:21:28 -0700 (PDT)
In-Reply-To: <1775267.oRCpN7QUMS@tauon.chronox.de>
Sender: linux-crypto-owner@vger.kernel.org
List-ID:

On Mon, May 8, 2017 at 2:00 PM, Stephan Müller wrote:
> On Monday, 8 May 2017, 08:30:13 CEST, Harsh Jain wrote:
>
> Hi Harsh,
>>
>> Confusing, I have to dig more for DRBG. Actually we observed the following
>> panic in Chcr (Chelsio) when drbg is enabled and the panic trace points
>> to something wrong with the drbg module. Any idea what the possible
>> reasons for this are?
>
> Just to confirm: are you using the latest kernel?

No, I tried on 4.9.13. Will let you know the behavior with the latest kernel.

> The bug you are referring to happens in the drbg_kcapi_sym_ctr called by
> the update operation to process seed material. This function had a bug in
> it where I used a stack buffer. This is now replaced with a heap buffer:
>
> 5102981212454998d549273ff9847f19e97a1794
>
> I am yet wondering why a __list_add is called that causes the bug. In the
> DRBG code path seen below, I am not seeing any list_add calls.
>
>> alg: No test for authenc(digest_null,rfc3686(ctr(aes))) (authenc(digest_null-generic,rfc3686-ctr-aes-chcr))
>> alg: No test for seqiv(authenc(digest_null,rfc3686(ctr(aes)))) (seqiv(authenc(digest_null-generic,rfc3686-ctr-aes-chcr)))
>> alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
>> BUG: unable to handle kernel NULL pointer dereference at (null)
>> IP: [] __list_add+0x26/0xd0
>> PGD 0
>> Oops: 0000 [#1] SMP
>> Modules linked in: drbg(+) ansi_cprng seqiv xfrm6_mode_tunnel
>> xfrm4_mode_tunnel xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp esp4 ah4
>> af_key cbc ccm ctr ghash_generic gf128mul ghash_clmulni_intel cryptd
>> gcm sha512_ssse3 sha512_generic chcr(OE) cxgb4(OE) authenc netconsole
>> configfs xt_nat iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4
>> nf_nat_ipv4 nf_nat nf_conntrack ip_tables nfsd lockd grace nfs_acl
>> auth_rpcgss sunrpc ipv6 crc_ccitt vfat fat joydev iTCO_wdt
>> iTCO_vendor_support mxm_wmi pcspkr sg i2c_i801 i2c_smbus lpc_ich
>> mfd_core shpchp xhci_pci xhci_hcd igb i2c_algo_bit i2c_core ptp
>> pps_core ioatdma dca ipmi_si ipmi_msghandler wmi acpi_cpufreq acpi_pad
>> dm_mod(E) ext4(E) mbcache(E) jbd2(E) sd_mod(E) ahci(E) libahci(E)
>> [last unloaded: scsi_transport_fc]
>> CPU: 9 PID: 3672 Comm: cryptomgr_test Tainted: G OE 4.9.13 #2
>> Hardware name: Supermicro X10DRi/X10DRi, BIOS 2.0 12/28/2015
>> task: ffff88103b418a00 task.stack: ffffc90008a7c000
>> RIP: 0010:[] [] __list_add+0x26/0xd0
>> RSP: 0018:ffffc90008a7f8c8 EFLAGS: 00010046
>> RAX: 0000000000000000 RBX: ffffc90008a7f920 RCX: 0000000000000001
>> RDX: ffff88103c8b5ef0 RSI: 0000000000000000 RDI: ffffc90008a7f920
>> RBP: ffffc90008a7f8f8 R08: 0000000000000000 R09: ffff8810053200b0
>> R10: ffff88103caf3100 R11: 0000000000000020 R12: ffff88103c8b5ef0
>> R13: 0000000000000000 R14: ffff88103b418a00 R15: 7fffffffffffffff
>> FS: 0000000000000000(0000) GS:ffff88107f440000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 0000000000000000 CR3: 0000000001c07000 CR4: 00000000001406e0
>> Stack:
>> ffffc90008a7f8e8 0000000000000246 ffff88103caf3040 ffff88103c8b5ee0
>> ffff88103c8b5ee8 ffffc90008a7f908 ffffc90008a7f968 ffffffff81654c02
>> 0000000000000001 ffff88103b418a00 ffffffff81097370 0000000000000000
>> Call Trace:
>> [] wait_for_completion_interruptible+0xc2/0x130
>> [] ? try_to_wake_up+0x240/0x240
>> [] drbg_kcapi_sym_ctr+0xeb/0x150 [drbg]
>> [] drbg_ctr_update+0x1b0/0x2a0 [drbg]
>> [] drbg_seed+0x1a2/0x2e0 [drbg]
>> [] ? drbg_init_sym_kernel+0x13f/0x200 [drbg]
>> [] drbg_instantiate+0x52/0x1e0 [drbg]
>> [] ? __kmalloc+0xee/0x1d0
>> [] ? crypto_create_tfm+0x3d/0xd0
>> [] drbg_kcapi_seed+0xcc/0x118 [drbg]
>> [] ? crypto_create_tfm+0xa1/0xd0
>> [] crypto_rng_reset+0x5d/0x80
>> [] drbg_cavs_test+0xf7/0x370
>> [] ? dequeue_task_fair+0x68/0x420
>> [] ? pick_next_task_idle+0x45/0x50
>> [] alg_test_drbg+0x6b/0xa0
>> [] alg_test+0x145/0x350
>> [] ? cryptomgr_probe+0xd0/0xd0
>> [] ? cryptomgr_probe+0xd0/0xd0
>> [] cryptomgr_test+0x45/0x50
>> [] kthread+0xcd/0xf0
>> [] ? schedule_tail+0x1e/0xc0
>> [] ? __kthread_init_worker+0x40/0x40
>> [] ret_from_fork+0x22/0x30
>> Code: 00 00 00 00 00 55 48 89 e5 48 83 ec 30 48 89 5d e8 4c 89 65 f0
>> 48 89 fb 4c 89 6d f8 4c 8b 42 08 49 89 f5 49 89 d4 49 39 f0 75 31 <4d>
>> 8b 45 00 4d 39 c4 75 6f 4c 39 e3 74 45 4c 39 eb 74 40 49 89
>> RIP [] __list_add+0x26/0xd0
>> RSP
>> CR2: 0000000000000000
>> ---[ end trace fbf11c880e8c4c52 ]---
>
> Ciao
> Stephan
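Added example for the two mechanisms the thread touches on; it is not the kernel's, the DRBG's or the chcr driver's code. It models the kernel's intrusive `list_head` in user space, with the neighbour checks `CONFIG_DEBUG_LIST` performs before linking a node, and one extension: a NULL `prev`/`next` is refused rather than dereferenced. That is the access that faulted in the dump above: CR2 is 0, and RSI, which under the x86-64 calling convention carries the second argument of `__list_add(new, prev, next)`, is also 0 while RDX (`next`) holds a kernel pointer, a pattern consistent with a tail insertion into a list head whose `prev` was zeroed and never initialised (for a kernel completion, `init_completion()` sets that up). The example also shows the ownership rule behind the subject line: a request context handed to an asynchronous engine is heap-owned and freed only after the completion has fired, never placed in a stack frame that may already have returned. `struct device`, `device_submit()`, `device_complete_all()` and `run_request()` are constructed names for the simulated hardware queue.

```c
/* Added example: toy intrusive list modelled on the kernel's list_head, with a
 * debug-style validity check before linking, plus a heap-owned request context
 * for a simulated asynchronous engine. Not kernel, DRBG or chcr code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct list_head {
    struct list_head *next, *prev;
};

static void INIT_LIST_HEAD(struct list_head *head)
{
    head->next = head;
    head->prev = head;
}

/* Mirrors the kernel's __list_add() plus the CONFIG_DEBUG_LIST neighbour checks,
 * with one addition: a NULL prev/next is refused instead of dereferenced, which
 * is the read that oopsed above (prev == NULL, fault address 0). */
static bool list_add_between(struct list_head *new, struct list_head *prev,
                             struct list_head *next)
{
    if (prev == NULL || next == NULL)             /* zeroed, never-initialised head */
        return false;
    if (next->prev != prev || prev->next != next) /* corrupted neighbours */
        return false;
    if (new == prev || new == next)               /* double add */
        return false;
    next->prev = new;
    new->next = next;
    new->prev = prev;
    prev->next = new;
    return true;
}

/* list_add_tail(): prev is head->prev, which is NULL for a zeroed head, the
 * RSI == 0 (and R13 == 0) seen in the register dump. */
static bool list_add_tail_checked(struct list_head *new, struct list_head *head)
{
    return list_add_between(new, head->prev, head);
}

static void list_del(struct list_head *entry)
{
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    entry->next = entry->prev = NULL;
}

static size_t list_len(const struct list_head *head)
{
    size_t n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next)
        n++;
    return n;
}

/* Constructed model of an asynchronous engine: requests wait on a pending list
 * until the simulated interrupt completes them. */
struct request { struct list_head node; unsigned char out[16]; bool done; };
struct device  { struct list_head pending; };

static bool device_submit(struct device *dev, struct request *req)
{
    return list_add_tail_checked(&req->node, &dev->pending);
}

/* The "interrupt": each queued request is written to and unlinked here, so it
 * must still be live memory (heap-owned, not a returned stack frame). */
static size_t device_complete_all(struct device *dev)
{
    size_t n = 0;
    while (dev->pending.next != &dev->pending) {
        struct request *req = (struct request *)
            ((char *)dev->pending.next - offsetof(struct request, node));
        list_del(&req->node);
        memset(req->out, 0xAB, sizeof req->out);
        req->done = true;
        n++;
    }
    return n;
}

/* Correct ownership: allocate on the heap, hand to the engine, free only after
 * the completion has fired. Returns true if the request completed. */
static bool run_request(struct device *dev)
{
    struct request *req = calloc(1, sizeof *req);
    bool ok;
    if (req == NULL)
        return false;
    if (!device_submit(dev, req)) { free(req); return false; }
    device_complete_all(dev);   /* stands in for wait_for_completion() */
    ok = req->done && req->out[0] == 0xAB;
    free(req);
    return ok;
}

/* Reproduces the oops condition without crashing: a zeroed device whose pending
 * head was never INIT_LIST_HEAD'd is rejected by the check. */
static bool zeroed_head_is_rejected(void)
{
    struct device dev;
    struct request req;
    memset(&dev, 0, sizeof dev);
    memset(&req, 0, sizeof req);
    return !device_submit(&dev, &req);
}

static bool initialised_head_works(void)
{
    struct device dev;
    INIT_LIST_HEAD(&dev.pending);
    return run_request(&dev) && list_len(&dev.pending) == 0;
}
```

`zeroed_head_is_rejected()` is the shape of the crash with the NULL dereference replaced by an error return; the kernel's own debug check compares `prev->next` without first testing `prev`, which is why the real `__list_add` faulted at address 0 instead of warning.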