Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley
        Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United
        Kingdom.
        Registered in England and Wales under Company Registration No. 3798903
From:   David Howells <dhowells@redhat.com>
In-Reply-To: <1657853.1686757902@warthog.procyon.org.uk>
References: <1657853.1686757902@warthog.procyon.org.uk> <000000000000b2585a05fdeb8379@google.com>
Cc:     dhowells@redhat.com,
        syzbot <syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com>,
        davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org,
        linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [crypto?] KASAN: slab-out-of-bounds Read in extract_iter_to_sg
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <262281.1686860686.1@warthog.procyon.org.uk>
Content-Transfer-Encoding: quoted-printable
Date:   Thu, 15 Jun 2023 21:24:46 +0100
Message-ID: <262282.1686860686@warthog.procyon.org.uk>
To:     unlisted-recipients:; (no To-header on input)
Precedence: bulk

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.g=
it main

    crypto: Fix af_alg_sendmsg(MSG_SPLICE_PAGES) sglist limit
    =

    When af_alg_sendmsg() calls extract_iter_to_sg(), it passes MAX_SGL_EN=
TS as
    the maximum number of elements that may be written to, but some of the
    elements may already have been used (as recorded in sgl->cur), so
    extract_iter_to_sg() may end up overrunning the scatterlist.
    =

    Fix this to limit the number of elements to "MAX_SGL_ENTS - sgl->cur".
    =

    Note: It probably makes sense in future to alter the behaviour of
    extract_iter_to_sg() to stop if "sgtable->nents >=3D sg_max" instead, =
but
    this is a smaller fix for now.
    =

    The bug causes errors looking something like:
    =

    BUG: KASAN: slab-out-of-bounds in sg_assign_page include/linux/scatter=
list.h:109 [inline]
    BUG: KASAN: slab-out-of-bounds in sg_set_page include/linux/scatterlis=
t.h:139 [inline]
    BUG: KASAN: slab-out-of-bounds in extract_bvec_to_sg lib/scatterlist.c=
:1183 [inline]
    BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg lib/scatterlist.c=
:1352 [inline]
    BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg+0x17a6/0x1960 lib=
/scatterlist.c:1339
    =

    Fixes: bf63e250c4b1 ("crypto: af_alg: Support MSG_SPLICE_PAGES")
    Reported-by: syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Herbert Xu <herbert@gondor.apana.org.au>
    cc: "David S. Miller" <davem@davemloft.net>
    cc: Eric Dumazet <edumazet@google.com>
    cc: Jakub Kicinski <kuba@kernel.org>
    cc: Paolo Abeni <pabeni@redhat.com>
    cc: Jens Axboe <axboe@kernel.dk>
    cc: Matthew Wilcox <willy@infradead.org>
    cc: linux-crypto@vger.kernel.org
    cc: netdev@vger.kernel.org

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 7d4b6016b83d..cdb1dcc5dd1a 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -1043,7 +1043,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghd=
r *msg, size_t size,
 			};
 =

 			plen =3D extract_iter_to_sg(&msg->msg_iter, len, &sgtable,
-						  MAX_SGL_ENTS, 0);
+						  MAX_SGL_ENTS - sgl->cur, 0);
 			if (plen < 0) {
 				err =3D plen;
 				goto unlock;