Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp3076854rdb; Tue, 26 Dec 2023 15:30:10 -0800 (PST) X-Google-Smtp-Source: AGHT+IF6rM+qH3uEtNtn4crsTkYKGxwjRfRl4h4vJnij9TZNOpc4f0wQtykXI9b17EdeN9abRVHi X-Received: by 2002:a05:6830:1212:b0:6db:b7c0:4c36 with SMTP id r18-20020a056830121200b006dbb7c04c36mr6459877otp.27.1703633410108; Tue, 26 Dec 2023 15:30:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1703633410; cv=none; d=google.com; s=arc-20160816; b=Rqv3kzBQwsRrGgyKI0I6aWqsfjdz8Yre6Y+2P8MKUK6bT0hv8VT4YqNeGi82Z+5NBl mA8662Up2sVpOlE1uO+qSR22FGqS7oelI3V6AfhroQbwrcnN+tCWK2sCtAJQK0QuEBMS eS52GCvSRm9g1/awIBc86pzZomM6npoXOQHW2a+7QugB0R7ToLXIYIEd7Er5BjsgjSFG j6sqpwPJPrRVeLoPFg2GTBi8KS2qZ5jyVt0mQJ5Z2b0FRNRYwo5XhPXQUiGmq2my1aRj wydKm+VAuPTqJ2rp23FPhac1PLLfaP42q/ka2U98PW++nAL4liU3UxfC+rGygd+OfSPD +ufA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=QO5yVeb/W2AAZrHty34ZSslDMXRI+Lv9O6EzJlwb+g4=; fh=yehmFZ9yk2S+C2VsqwYQ4jLj4cOBnbe24/gm5Bv7IVM=; b=SkOhaGbfT5dPkzCgtX/Y70JpGZg8ujjzeXxp4yrW7XUJhJ6VW5hbPqF3NEKtQzVTSw iSw5wkC5MuX3VBw3cye7aEJfY0bDO+eqLzpwb4L1hZ2Y544RPB8MHMYItU+J50j3a9u5 A0cVGBZWe0YY1ZWAaUbisT9kD5K6h4oD3PRome2Trb6dFojFgW5l6g2oNDXb3YnjsPof f9w7x9Y3JhWwY59hlO7p8cD4DtL0uF1l2Uzxq9asoMirqMGKQ7GuzIPtdFpC/NEt8Fe4 5ZQHwnK55R71j8hVqMKNXn+9v1A2dPsEPR9Be5IfYEGMa06pz/zKFPptM5zvZ3eJxyR/ RrAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=LPyX7EMP; spf=pass (google.com: domain of linux-crypto+bounces-1049-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-crypto+bounces-1049-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id q24-20020a631f58000000b005be1ee5b9dfsi1247999pgm.454.2023.12.26.15.30.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Dec 2023 15:30:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto+bounces-1049-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=LPyX7EMP; spf=pass (google.com: domain of linux-crypto+bounces-1049-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-crypto+bounces-1049-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 88FBE2831EF for ; Tue, 26 Dec 2023 23:30:09 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id F1C6B568A; Tue, 26 Dec 2023 23:30:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="LPyX7EMP" X-Original-To: linux-crypto@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BA2F25681 for ; Tue, 26 Dec 2023 23:30:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3502EC433C7 for ; Tue, 26 Dec 2023 23:30:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1703633406; bh=O9IaDrxHq9SjvzKERZJT4A7J8GqGRiJcTzkr1ij/nJM=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=LPyX7EMPgofZzYLBSwcDOAdWq6dC+dm+CYrdkg0HL9abqKq4zHVuOR2xxRoyxMPfr 4CSf3J87S3MqMOypqlEXJoDr4tuxb/AKwid76f/fb5s2i8JxHnVaDJXUqDEZFeSmhP 9973nOe+ny0uPiCeg/4n92Jnk6IRDzYceMaZP5hsMbfp3DKDfCRBm394z8+Fm7HFsu KQTh0m//YC2fc5477O5n2I0CNYXJSj7CxpPB1M2sIm90UGjFuxrEnCw5iqb35SnsCb lTXtsW9zqNZXk7Id5QGV99QSDXUgpNLXDhAUZvHd43z7rqV/L0SMiMx8o+vDzTbTby JYONeNjn56M+w== Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-28c0565df34so1242762a91.0 for ; Tue, 26 Dec 2023 15:30:06 -0800 (PST) X-Gm-Message-State: AOJu0YzkARb5kfj7zZbfD7Tbu88mhUCn8QC5pXtOePEHPxRE1Glqd5Pd zcl0SaXMHuuY36JoK1CwbFOrVRg6zNltVkcL3cQ+B86gayn1 X-Received: by 2002:a17:90a:d711:b0:28c:8910:d45d with SMTP id y17-20020a17090ad71100b0028c8910d45dmr321101pju.17.1703633405585; Tue, 26 Dec 2023 15:30:05 -0800 (PST) Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <0000000000000b05cd060d6b5511@google.com> In-Reply-To: From: Chris Li Date: Tue, 26 Dec 2023 15:29:54 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [syzbot] [crypto?] general protection fault in scatterwalk_copychunks (5) To: Nhat Pham Cc: syzbot , akpm@linux-foundation.org, davem@davemloft.net, herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, yosryahmed@google.com, zhouchengming@bytedance.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Nhat, On Tue, Dec 26, 2023 at 3:11=E2=80=AFPM Nhat Pham wrote= : > > The decompressed output can be bigger than input. However, here we > > specify the output size limit to be one page. The decompressor should > > not output more than the 1 page of the dst buffer. > > > > I did check the lzo1x_decompress_safe() function. > > I think you meant lzo1x_1_do_compress() right? This error happens on > the zswap_store() path, so it is a compression bug. Ah, my bad. I don't know why I am looking at the decompression rather than compression. Thanks for catching that. > > > It is supposed to use the NEED_OP(x) check before it stores the output= buffer. > > I can't seem to find any check in compression code. But that function > is 300 LoC, with no comment :) It seems the compression side does not have a safe version of the function which respects the output buffer size. I agree with you there seems to be no check on the output buffer size before writing to the output buffer. The "size_t *out_len" seems to work as an output only pointer. It does not respect the output size limit. The only place use the output_len is at lzo1x_compress.c:298 *out_len =3D op - out; So confirm it is output only :-( > > > However I do find one place that seems to be missing that check, at > > least it is not obvious to me how that check is effective. I will > > paste it here let other experts take a look as well: > > Line 228: > > > > if (op - m_pos >=3D 8) { > > unsigned char *oe =3D op + t; > > if (likely(HAVE_OP(t + 15))) { > > do { > > COPY8(op, m_pos); > > op +=3D 8; > > m_pos +=3D 8; > > COPY8(op, m_pos); > > op +=3D 8; > > m_pos +=3D 8; > > } while (op < oe); > > op =3D oe; > > if (HAVE_IP(6)) { > > state =3D next; > > COPY4(op, ip); <=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D This COPY4 does not have > > obvious NEED_OP() check. As far as I can tell, this output is not > > converted by the above HAVE_OP(t + 15)) check, which means to protect > > the unaligned two 8 byte stores inside the "do while" loops. > > op +=3D next; > > ip +=3D next; > > continue; > > } > > } else { > > NEED_OP(t); > > do { > > *op++ =3D *m_pos++; > > } while (op < oe); > > } > > } else > > > > > > > > > > Not 100% sure about linux kernel's implementation though. I'm no > > > compression expert :) > > > > Me neither. Anyway, if it is a decompression issue. For this bug, it > > is good to have some debug print assert to check that after > > decompression, the *dlen is not bigger than the original output > > length. If it does blow over the decompression buffer, it is a bug > > that needs to be fixed in the decompression function side, not the > > zswap code. > > But regardless, I agree. We should enforce the condition that the > output should not exceed the given buffer's size, and gracefully fails > if it does (i.e returns an interpretable error code as opposed to just > walking off the cliff like this). Again, sorry I was looking at the decompression side rather than the compression side. The compression side does not even offer a safe version of the compression function. That seems to be dangerous. It seems for now we should make the zswap roll back to 2 page buffer until we have a safe way to do compression without overwriting the output buffers. > > I imagine that many compression use-cases are best-effort > optimization, i.e it's fine to fail. zswap is exactly this - do your > best to compress the data, but if it's too incompressible, failure is > acceptable (we have plenty of fallback options - swapping, keeping the > page in memory, etc.). > > Furthermore, this is a bit of a leaky abstraction - currently there's > no contract on how much bigger can the "compressed" output be with > respect to the input. It's compression algorithm-dependent, which > defeats the point of the abstraction. In zswap case, 2 * PAGE_SIZE is > just a rule of thumb - now imagine we use a compression algorithm that > behaves super well in most of the cases, but would output 3 * > PAGE_SIZE in some edge cases. This will still break the code. Better > to give the caller the ability to bound the output size, and > gracefully fail if that bound cannot be respected for a particular > input. Agree. Chris