Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp2539969rwd;
        Wed, 14 Jun 2023 04:29:09 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ6O2gGYNrptHEk7JH4sNAjcQD/+W34gwFHSFNio+VWM7ZJDFV2pgH1ERRbwuMC1x/4YcnjP
X-Received: by 2002:a17:90b:4d8c:b0:256:ddf5:1eb6 with SMTP id oj12-20020a17090b4d8c00b00256ddf51eb6mr17330643pjb.2.1686742149389;
        Wed, 14 Jun 2023 04:29:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1686742149; cv=none;
        d=google.com; s=arc-20160816;
        b=Q2eWxdlfAUGDvWme7Pz29oWwH5m3eqcbbcfY2TWQ/fZzcVqzEFwcwyzldeDzdn6rYO
         mfUthlA7Qug37U6rMKidvgXPDAso5q8xWkkpZO1w1TBJ2eFQgoU5qrrPjhHZ6XMGIZRn
         WR3JVtqPWFZV/nErXi52uI9dwVyWDuvpcDcaVh0ZSJIQKKJUy2Cq5dqrshtWmwPaYt0E
         FCLB9Hkr5KtSTn9UeGiPHOypBkph2LMd9Cgy32opTJCml2dN6inVB0DA+LovdGbe3Jeq
         Czccf14XXIz85VfHR3XcfkVQ2axfKvAz6fZ+yPHyQKhyHFm6I9Da0+ldZbWLPYs6JD/L
         sh0g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:message-id:date:content-transfer-encoding
         :content-id:mime-version:subject:cc:to:references:in-reply-to:from
         :organization:dkim-signature;
        bh=XQW9t8cuqrwkY9pUeYFF63NpZzJyoEH492TVoQI3+po=;
        b=jQQYwtqlQEtjpyQICZSKIWLE8STcAZmfbTnAXiImU4jJBaAXR31uGT8DpDzvjGgA9z
         LJ5qutfTainaKx8dXDZ2mcDatO7g1L9K1XiXGXNrSsTTW8Yy01fvE1na2uyJwWlFikVP
         KhZ06CuERY4xhqQ8+2VmYXc8mEIIXDvk+pYKcRpfFVZXagArDHaiyloaOhzVaNf8qNVP
         es03i1hUIH+vBYEhZTk3rcIL8JeDqzb1KnHejNlj4uzP3RBA1l8XTz1MkTRYQEgH4L5A
         pHP0HoMVQ30tzVboQGlB6/T9aXpreYwvvx+keULa8oUoNSY6kLYba7KnPkEsYpTCz2aK
         KBxQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=AfB9Wt4I;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id om11-20020a17090b3a8b00b0025677f1197asi12823456pjb.12.2023.06.14.04.28.49;
        Wed, 14 Jun 2023 04:29:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=AfB9Wt4I;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234968AbjFNL0G (ORCPT <rfc822;proase2022@gmail.com> + 99 others);
        Wed, 14 Jun 2023 07:26:06 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43550 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231313AbjFNL0F (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Wed, 14 Jun 2023 07:26:05 -0400
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 22B3EE55
        for <linux-crypto@vger.kernel.org>; Wed, 14 Jun 2023 04:25:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1686741922;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=XQW9t8cuqrwkY9pUeYFF63NpZzJyoEH492TVoQI3+po=;
        b=AfB9Wt4IRErf3mj0L0L/3jaXymdds4koUaOLq5a40bORy9gu4wgu8kjKmlbzy2RkqoU1rM
        Wm+H9FQhC9T88UkQXi/VCvtaIoUQE8Xw6w7/pg0TVw9ySLbBYT2cJpqrpKAlrg14TWodi2
        blgWKT50ekoUf1dseLtKaDQ8f6d5Sm8=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-18-DM96FWN-P7SlKHJzKITofw-1; Wed, 14 Jun 2023 07:25:19 -0400
X-MC-Unique: DM96FWN-P7SlKHJzKITofw-1
Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A24FB85A58A;
        Wed, 14 Jun 2023 11:25:18 +0000 (UTC)
Received: from warthog.procyon.org.uk (unknown [10.42.28.67])
        by smtp.corp.redhat.com (Postfix) with ESMTP id A0F64492CA6;
        Wed, 14 Jun 2023 11:25:15 +0000 (UTC)
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley
        Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United
        Kingdom.
        Registered in England and Wales under Company Registration No. 3798903
From:   David Howells <dhowells@redhat.com>
In-Reply-To: <000000000000b928f705fdeb873a@google.com>
References: <000000000000b928f705fdeb873a@google.com>
To:     syzbot <syzbot+13a08c0bf4d212766c3c@syzkaller.appspotmail.com>
Cc:     dhowells@redhat.com, davem@davemloft.net,
        herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org,
        linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        pabeni@redhat.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [crypto?] general protection fault in shash_async_final
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1433014.1686741914.1@warthog.procyon.org.uk>
Content-Transfer-Encoding: quoted-printable
Date:   Wed, 14 Jun 2023 12:25:14 +0100
Message-ID: <1433015.1686741914@warthog.procyon.org.uk>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,
        T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Here's a reduced testcase for this.  The key seems to be passing MSG_MORE =
to
sendmsg() and then not following up with more data before calling recvmsg(=
).
Apart from not oopsing, I wonder what the behaviour should be here?  Shoul=
d
recvmsg() return an error (EAGAIN or ENODATA maybe) or should it close the
existing operation?

David
---
// https://syzkaller.appspot.com/bug?id=3Df5d9d503fe959e3b605abdaeedb39b07=
2556281a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>

#define OSERROR(R, S) do { if ((long)(R) =3D=3D -1L) { perror((S)); exit(1=
); } } while(0)

int main(void)
{
	struct sockaddr_alg salg;
	struct msghdr msg;
	int algfd, hashfd, res;

	algfd =3D socket(AF_ALG, SOCK_SEQPACKET, 0);
	OSERROR(algfd, "socket");

	memset(&salg, 0, sizeof(salg));
	salg.salg_family =3D AF_ALG;
	strcpy(salg.salg_type, "hash");
	strcpy(salg.salg_name, "digest_null-generic");
	res =3D bind(algfd, (struct sockaddr *)&salg, sizeof(salg));
	OSERROR(res, "bind/alg");

	hashfd =3D accept4(algfd, NULL, 0, 0);
	OSERROR(hashfd, "accept/alg");

	res =3D setsockopt(3, SOL_ALG, ALG_SET_KEY, NULL, 0);
	OSERROR(res, "setsockopt/ALG_SET_KEY");

	memset(&msg, 0, sizeof(msg));
	res =3D sendmsg(hashfd, &msg, MSG_MORE);
	OSERROR(res, "sendmsg");

	res =3D recvmsg(hashfd, &msg, 0);
	OSERROR(res, "recvmsg");
	return 0;
}