Date: Fri, 16 Jun 2023 18:27:59 +0800
From: Herbert Xu
To: David Howells
Cc: netdev@vger.kernel.org, syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Jens Axboe, Matthew Wilcox, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next] crypto: Fix af_alg_sendmsg(MSG_SPLICE_PAGES) sglist limit
References: <322883.1686863334@warthog.procyon.org.uk>
In-Reply-To: <322883.1686863334@warthog.procyon.org.uk>
X-Mailing-List: linux-crypto@vger.kernel.org

On Thu, Jun 15, 2023 at 10:08:54PM +0100, David Howells wrote:
> When af_alg_sendmsg() calls extract_iter_to_sg(), it passes MAX_SGL_ENTS as
> the maximum number of elements that may be written to, but some of the
> elements may already have been used (as recorded in sgl->cur), so
> extract_iter_to_sg() may end up overrunning the scatterlist.
>
> Fix this to limit the number of elements to "MAX_SGL_ENTS - sgl->cur".
>
> Note: It probably makes sense in future to alter the behaviour of
> extract_iter_to_sg() to stop if "sgtable->nents >= sg_max" instead, but
> this is a smaller fix for now.
>
> The bug causes errors looking something like:
>
> BUG: KASAN: slab-out-of-bounds in sg_assign_page include/linux/scatterlist.h:109 [inline]
> BUG: KASAN: slab-out-of-bounds in sg_set_page include/linux/scatterlist.h:139 [inline]
> BUG: KASAN: slab-out-of-bounds in extract_bvec_to_sg lib/scatterlist.c:1183 [inline]
> BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg lib/scatterlist.c:1352 [inline]
> BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg+0x17a6/0x1960 lib/scatterlist.c:1339
>
> Fixes: bf63e250c4b1 ("crypto: af_alg: Support MSG_SPLICE_PAGES")
> Reported-by: syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/r/000000000000b2585a05fdeb8379@google.com/
> Signed-off-by: David Howells
> Tested-by: syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com
> cc: Herbert Xu
> cc: "David S. Miller"
> cc: Eric Dumazet
> cc: Jakub Kicinski
> cc: Paolo Abeni
> cc: Jens Axboe
> cc: Matthew Wilcox
> cc: linux-crypto@vger.kernel.org
> cc: netdev@vger.kernel.org
> ---
>  crypto/af_alg.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Acked-by: Herbert Xu

Thanks,
-- 
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
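Added example, not part of this thread and not the kernel's own code: a constructed model of the limit bug described in the patch above. MAX_SGL_ENTS, the sgl_model struct and append_entries() are stand-ins with a sample table size; the model counts writes that would land past the table instead of performing them, which in the real code is the slab-out-of-bounds KASAN reports.

```c
#include <stdio.h>

/* Constructed model, not kernel code: a fixed-size scatterlist page with a
 * cursor of entries already in use (the role of sgl->cur). Sample size. */
#define MAX_SGL_ENTS 4

struct sgl_model {
	int page[MAX_SGL_ENTS];	/* 1 = slot already holds a page */
	unsigned int cur;	/* entries already used */
};

/* Models extract_iter_to_sg() appending up to sg_max entries at sgl->cur.
 * Returns how many writes would fall beyond the array; the model skips
 * those writes, where the real code corrupts the neighbouring slab object. */
static unsigned int append_entries(struct sgl_model *sgl, unsigned int want,
				   unsigned int sg_max)
{
	unsigned int n = want < sg_max ? want : sg_max;
	unsigned int overrun = 0;

	for (unsigned int i = 0; i < n; i++) {
		unsigned int idx = sgl->cur + i;
		if (idx >= MAX_SGL_ENTS)
			overrun++;
		else
			sgl->page[idx] = 1;
	}
	sgl->cur += n - overrun;
	return overrun;
}

/* Limit as passed before the fix: the whole table, ignoring sgl->cur. */
static unsigned int overrun_before_fix(unsigned int cur, unsigned int want)
{
	struct sgl_model sgl = { .cur = cur };
	return append_entries(&sgl, want, MAX_SGL_ENTS);
}

/* Limit after the fix: only the free tail, MAX_SGL_ENTS - sgl->cur. */
static unsigned int overrun_after_fix(unsigned int cur, unsigned int want)
{
	struct sgl_model sgl = { .cur = cur };
	return append_entries(&sgl, want, MAX_SGL_ENTS - sgl.cur);
}

int main(void)
{
	/* Three slots already used, four more pages offered by the iterator. */
	printf("before fix: %u entries past the end\n", overrun_before_fix(3, 4));
	printf("after fix:  %u entries past the end\n", overrun_after_fix(3, 4));
	return 0;
}
```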