Date: Thu, 15 Jun 2023 17:28:00 +0800
From: Herbert Xu
To: David Howells
Cc: netdev@vger.kernel.org,
    syzbot+13a08c0bf4d212766c3c@syzkaller.appspotmail.com,
    syzbot+14234ccf6d0ef629ec1a@syzkaller.appspotmail.com,
    syzbot+4e2e47f32607d0f72d43@syzkaller.appspotmail.com,
    syzbot+472626bb5e7c59fb768f@syzkaller.appspotmail.com,
    "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni,
    Jens Axboe, Matthew Wilcox, linux-crypto@vger.kernel.org,
    linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next] crypto: af_alg/hash: Fix recvmsg() after sendmsg(MSG_MORE)
In-Reply-To: <1679829.1686785273@warthog.procyon.org.uk>

On Thu, Jun 15, 2023 at 12:27:53AM +0100, David Howells wrote:
>
> If an AF_ALG socket bound to a hashing algorithm is sent a zero-length
> message with MSG_MORE set and then recvmsg() is called without first
> sending another message without MSG_MORE set to end the operation, an oops
> will occur because the crypto context and result doesn't now get set up in
> advance because hash_sendmsg() now defers that as long as possible in the
> hope that it can use crypto_ahash_digest() - and then because the message
> is zero-length, the data wrangling loop is skipped.
>
> Fix this by always making a pass of the loop, even in the case that no data
> is provided to the sendmsg().
>
> Fix also extract_iter_to_sg() to handle a zero-length iterator by returning
> 0 immediately.
>
> Whilst we're at it, remove the code to create a kvmalloc'd scatterlist if
> we get more than ALG_MAX_PAGES - this shouldn't happen.

I don't think this is right. If it's a zero-length message with
MSG_MORE set, it should be ignored until a recvmsg(2) call is made.

In any case, this patch doesn't fix all the syzbot reports.
We need to think about reverting this change if it can't be fixed in time.

Thanks,
--
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt