Date: Sat, 7 Mar 2020 19:19:45 -0500
From: Sasha Levin
To: yangerkun
Cc: gregkh@linuxfoundation.org, herbert@gondor.apana.org.au, stable@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCH 4.4.y v2] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
Message-ID: <20200308001945.GT21491@sasha-vm>
References: <20200305085755.22730-1-yangerkun@huawei.com> <20200306133941.GQ21491@sasha-vm> <8bb5b0d7-4232-14cb-49c7-a3cc348645ae@huawei.com>
In-Reply-To: <8bb5b0d7-4232-14cb-49c7-a3cc348645ae@huawei.com>
List-ID: <linux-crypto.vger.kernel.org>

On Sat, Mar 07, 2020 at 09:49:25AM +0800, yangerkun wrote:
>
>
>On 2020/3/6 21:39, Sasha Levin wrote:
>>On Thu, Mar 05, 2020 at 04:57:55PM +0800, yangerkun wrote:
>>>Nowadays, we trigger an oops:
>>>...
>>>kasan: GPF could be caused by NULL-ptr deref or user memory access
>>>general protection fault: 0000 [#1] SMP KASAN
>>>...
>>>Call Trace:
>>>[] skcipher_recvmsg_async+0x3f1/0x1400 x86/../crypto/algif_skcipher.c:543
>>>[] skcipher_recvmsg+0x93/0x7f0 x86/../crypto/algif_skcipher.c:723
>>>[] sock_recvmsg_nosec x86/../net/socket.c:702 [inline]
>>>[] sock_recvmsg x86/../net/socket.c:710 [inline]
>>>[] sock_recvmsg+0x94/0xc0 x86/../net/socket.c:705
>>>[] sock_read_iter+0x27b/0x3a0 x86/../net/socket.c:787
>>>[] aio_run_iocb+0x21b/0x7a0 x86/../fs/aio.c:1520
>>>[] io_submit_one x86/../fs/aio.c:1630 [inline]
>>>[] do_io_submit+0x6b9/0x10b0 x86/../fs/aio.c:1688
>>>[] SYSC_io_submit x86/../fs/aio.c:1713 [inline]
>>>[] SyS_io_submit+0x2d/0x40 x86/../fs/aio.c:1710
>>>[] tracesys_phase2+0x90/0x95
>>>
>>>In skcipher_recvmsg_async, we use '!sreq->tsg' to determine whether
>>>kcalloc failed. However, kcalloc may return ZERO_SIZE_PTR, and with this,
>>>the latter sg_init_table will trigger the bug. Fix it by using
>>>ZERO_OR_NULL_PTR.
>>>
>>>This function was introduced with 'commit a596999b7ddf ("crypto:
>>>algif - change algif_skcipher to be asynchronous")', and has been removed
>>>with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
>>>management")'.
>>>
>>>Reported-by: Hulk Robot
>>>Signed-off-by: yangerkun
>>>---
>>>crypto/algif_skcipher.c | 2 +-
>>>1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>>v1->v2:
>>>update the commit message
>>>
>>>diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
>>>index d12782dc9683..9bd4691cc5c5 100644
>>>--- a/crypto/algif_skcipher.c
>>>+++ b/crypto/algif_skcipher.c
>>>@@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct
>>>socket *sock, struct msghdr *msg,
>>>????lock_sock(sk);
>>>????tx_nents = skcipher_all_sg_nents(ctx);
>>>????sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
>>>-??? if (unlikely(!sreq->tsg))
>>>+??? if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
>>
>>I'm a bit confused: kcalloc() will return ZERO_SIZE_PTR for allocations
>>that ask for 0 bytes, but here we ask for "sizeof(*sg)" bytes, which is
>>guaranteed to be more than 0, no?
>
>Actually, the size we need to calloc is (tx_nents * sizeof(*sg)), and
>tx_nents is 0.

Makes sense. This is also needed on 4.9, right?

-- 
Thanks,
Sasha
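Review bot: the changed test at line 541 of the hunk, `if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))`, is the right guard for the tx_nents == 0 case (kcalloc then returns ZERO_SIZE_PTR, which `!sreq->tsg` lets through and the later sg_init_table dereferences), but nothing in the hunk records why the stronger macro is needed; a one-line comment above the check, e.g. `/* tx_nents may be 0: kcalloc returns ZERO_SIZE_PTR, not NULL */`, would keep a later cleanup from turning it back into `!sreq->tsg`. Two follow-ups the context lines do not show: the label this branch jumps to presumably returns -ENOMEM, which is misleading for a zero-length request where no memory was exhausted, so consider whether that path should return -EINVAL for this case; and the cleanup needs no change, since kfree() accepts ZERO_SIZE_PTR as well as NULL.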
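The exchange above turns on one detail of the kernel's allocator contract: kcalloc(n, size) with n == 0 does not return NULL but ZERO_SIZE_PTR, a small non-NULL sentinel, so a `!ptr` test passes it through to code that then dereferences it. The following stand-alone userland model is an added example written for this page, not kernel code and not the patch author's code; it assumes ZERO_SIZE_PTR is `(void *)16` and ZERO_OR_NULL_PTR is the comparison from include/linux/slab.h, and it uses a stand-in `struct sg_model` in place of struct scatterlist. It shows the pre-patch `!tsg` check letting the tx_nents == 0 case through and the patched ZERO_OR_NULL_PTR check rejecting it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Userland model of the kernel's zero-size allocation convention.
 * Assumption: these two definitions mirror include/linux/slab.h. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= (unsigned long)ZERO_SIZE_PTR)

/* Stand-in for struct scatterlist; only its size matters here. */
struct sg_model {
    unsigned long page_link;
    unsigned int offset;
    unsigned int length;
};

/* Model of kcalloc(): a request for 0 bytes yields ZERO_SIZE_PTR, not NULL,
 * so a plain NULL test cannot tell "nothing allocated" from "real buffer".
 * Overflow of n * size is reported as NULL, as the real allocator does. */
static void *model_kcalloc(size_t n, size_t size)
{
    if (n == 0 || size == 0)
        return ZERO_SIZE_PTR;
    if (n > SIZE_MAX / size)
        return NULL;
    return calloc(n, size);
}

/* kfree() accepts both NULL and ZERO_SIZE_PTR; mirror that here. */
static void model_kfree(void *p)
{
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

/* Pre-patch check: returns 1 when '!tsg' lets ZERO_SIZE_PTR through,
 * i.e. when the caller would go on to sg_init_table() a non-buffer. */
int old_check_lets_zero_size_through(size_t tx_nents)
{
    struct sg_model *tsg = model_kcalloc(tx_nents, sizeof(*tsg));
    int allocation_failed = !tsg;                       /* the old test */
    int unsafe = !allocation_failed && ZERO_OR_NULL_PTR(tsg);
    model_kfree(tsg);
    return unsafe;
}

/* Post-patch check: returns 1 when the request is rejected before use. */
int new_check_rejects(size_t tx_nents)
{
    struct sg_model *tsg = model_kcalloc(tx_nents, sizeof(*tsg));
    int rejected = ZERO_OR_NULL_PTR(tsg);               /* the patched test */
    model_kfree(tsg);
    return rejected;
}

int main(void)
{
    /* tx_nents == 0 is exactly the case from the report above. */
    int ok = old_check_lets_zero_size_through(0) == 1 &&
             new_check_rejects(0) == 1 &&
             new_check_rejects(8) == 0;
    return ok ? 0 : 1;
}
```

The size passed to the allocator is `tx_nents * sizeof(*tsg)`, which is why a non-zero element size alone does not protect the caller: the element count is what reaches zero here.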