Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp19862267rwd;
        Wed, 28 Jun 2023 15:45:26 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ7FeRs+oK2LYHPm7o1QsITpJcMD6tzKueeBHL5B5DP0HgO3ST+L2+8nAVE8mSW8vBtADi7t
X-Received: by 2002:a05:6a00:1ca6:b0:66f:3fc5:6167 with SMTP id y38-20020a056a001ca600b0066f3fc56167mr13708125pfw.1.1687992326394;
        Wed, 28 Jun 2023 15:45:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1687992326; cv=none;
        d=google.com; s=arc-20160816;
        b=NVS1ho+z250Ulx4HKcV1B6S9x4/hxBeHKEeknq+uFNiSu6pMvqmEGSm5HP+brP6rw/
         7hod2GiOzTnuyq2+qRBEL70ezNHWMx4kAuQJJuarhK3KRhxWwxsoZlHOZ8LaALkBbDnL
         bnOvtG7OkqpvH8h+AdOtAy8oys1DSHLVI8Cs512MgnyO7e46jYyG6XNgBsPfH8uIpgA5
         Hd7R8A5l+veftszFDsvjGkjLF/TrCapFuTpMZ/RMjSyrWLd835tVKas9zeilmKYC8A+a
         gyMPCXEjzTLDKIr+3o8XpPvrrEavEq+sVgfqqOJXYRtxjaekOd2QGWlZ87MqKatsQYeC
         /TvA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=K5WLflOIzA/CbnsYuG1CnlNhaTHqvWzWGwanAbN0bm4=;
        fh=5JCd4jQXTUzZ9bQhORC4j86vq1cXWIruREnvokbL25s=;
        b=c1LJDEIF93GDjRw9FfRMSIibQtI1SzkE030yGJbeCxGMdFu2UnnLhKJMzKcDKBQqjO
         NjunT2b3AcDjiBc19deYdr8A4tq1BaAvnPA1PpSkDkifku1nbAy2U57fuoWcKON2HHhn
         IDQvn2c5cftFZpRAiXG+ZyCXlekHKpXJwBps8wDDyfT3mQ1waiLP0pgFPFl1YqhaRg0W
         1i2SWDedE/XV4RIu3wUYnaDP8OD2NVqznP92U+1HbW0bJ9KLgXW1gMp3xsN0s1w/aeuB
         N5yiG63/+cme82eM7/9lr1fFky8tcmR/cr7Xtiz+2uixfJWVkgUYCeEeyRnx+lWxvtLI
         5nQg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id bv6-20020a056a00414600b006724753efd3si7435032pfb.195.2023.06.28.15.44.42;
        Wed, 28 Jun 2023 15:45:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229531AbjF1WPs (ORCPT <rfc822;proase2022@gmail.com> + 99 others);
        Wed, 28 Jun 2023 18:15:48 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43738 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231175AbjF1WPo (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Wed, 28 Jun 2023 18:15:44 -0400
Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 92AAB273B
        for <linux-crypto@vger.kernel.org>; Wed, 28 Jun 2023 15:15:27 -0700 (PDT)
Received: from fsav113.sakura.ne.jp (fsav113.sakura.ne.jp [27.133.134.240])
        by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 35SMFPmr083961;
        Thu, 29 Jun 2023 07:15:25 +0900 (JST)
        (envelope-from penguin-kernel@I-love.SAKURA.ne.jp)
Received: from www262.sakura.ne.jp (202.181.97.72)
 by fsav113.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav113.sakura.ne.jp);
 Thu, 29 Jun 2023 07:15:25 +0900 (JST)
X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav113.sakura.ne.jp)
Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33])
        (authenticated bits=0)
        by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 35SMFORC083952
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO);
        Thu, 29 Jun 2023 07:15:25 +0900 (JST)
        (envelope-from penguin-kernel@I-love.SAKURA.ne.jp)
Message-ID: <ada9b995-8d67-0375-f153-b434d48bd253@I-love.SAKURA.ne.jp>
Date:   Thu, 29 Jun 2023 07:15:21 +0900
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.12.0
Subject: Re: [PATCH] net: tls: enable __GFP_ZERO upon tls_init()
Content-Language: en-US
To:     Jakub Kicinski <kuba@kernel.org>
Cc:     Boris Pismenny <borisp@nvidia.com>,
        John Fastabend <john.fastabend@gmail.com>, glider@google.com,
        herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org,
        syzkaller-bugs@googlegroups.com,
        syzbot <syzbot+828dfc12440b4f6f305d@syzkaller.appspotmail.com>,
        Eric Biggers <ebiggers@kernel.org>,
        Aviad Yehezkel <aviadye@nvidia.com>,
        Daniel Borkmann <daniel@iogearbox.net>, netdev@vger.kernel.org,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Paolo Abeni <pabeni@redhat.com>
References: <0000000000008a7ae505aef61db1@google.com>
 <20200911170150.GA889@sol.localdomain>
 <c16e9ab9-13e0-b911-e33a-c9ae81e93a8d@I-love.SAKURA.ne.jp>
 <20230628140317.756e61d3@kernel.org>
From:   Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
In-Reply-To: <20230628140317.756e61d3@kernel.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On 2023/06/29 6:03, Jakub Kicinski wrote:
> On Wed, 28 Jun 2023 22:48:01 +0900 Tetsuo Handa wrote:
>> syzbot is reporting uninit-value at aes_encrypt(), for block cipher assumes
>> that bytes to encrypt/decrypt is multiple of block size for that cipher but
>> tls_alloc_encrypted_msg() is not initializing padding bytes when
>> required_size is not multiple of block cipher's block size.
> 
> Sounds odd, so crypto layer reads beyond what we submitted as 
> the buffer? I don't think the buffer needs to be aligned, so
> the missing bits may well fall into a different (unmapped?) page.

Since passing __GFP_ZERO to skb_page_frag_refill() hides this problem,
I think that crypto layer is reading up to block size when requested
size is not multiple of block size.

> 
> This needs more careful investigation. Always zeroing the input 
> is just covering up the real issue.

Since block cipher needs to read up to block size, someone has to initialize
padding bytes. I guess that crypto API caller is responsible for allocating
and initializing padding bytes, otherwise such crypto API caller will fail to
encrypt/decrypt last partial bytes which are not multiple of cipher's block
size.

Which function in this report is responsible for initializing padding bytes?