From patchwork Tue Nov 28 09:02:52 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 10078987
Date: Tue, 28 Nov 2017 01:02:52 -0800
From: Eric Biggers
To: syzbot
Cc: davem@davemloft.net, herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Stephan Mueller
Subject: Re: general protection fault in af_alg_free_areq_sgls
Message-ID: <20171128090252.GB23413@zzz.localdomain>
References: <001a1140f578d9710d055efb76a9@google.com>
In-Reply-To: <001a1140f578d9710d055efb76a9@google.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Mailing-List: linux-crypto@vger.kernel.org

On Mon, Nov 27, 2017 at 10:56:47AM -0800, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> b0a84f19a5161418d4360cd57603e94ed489915e
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> Unfortunately, I don't have any reproducer for this bug yet.
>

This was probably caused by taking the path where areq->tsgl could not be allocated. (syzkaller probably reached it after injecting a memory allocation failure.) The following should fix it:

---8<---
From 1a7a7f86f09c50652f1fff75b8d3a32712826b32 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Tue, 28 Nov 2017 00:46:24 -0800
Subject: [PATCH] crypto: af_alg - fix NULL pointer dereference in af_alg_free_areq_sgls()

If allocating the ->tsgl member of 'struct af_alg_async_req' failed, during cleanup we dereferenced the NULL ->tsgl pointer in af_alg_free_areq_sgls(), because ->tsgl_entries was nonzero. Fix it by only freeing the ->tsgl list if it is non-NULL.

This affected both algif_skcipher and algif_aead.

Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
Reported-by: syzbot
Cc: # v4.14+
Signed-off-by: Eric Biggers Reviewed-by: Stephan Mueller --- crypto/af_alg.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 358749c38894..415a54ced4d6 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -672,14 +672,15 @@ void af_alg_free_areq_sgls(struct af_alg_async_req *areq) } tsgl = areq->tsgl; - for_each_sg(tsgl, sg, areq->tsgl_entries, i) { - if (!sg_page(sg)) - continue; - put_page(sg_page(sg)); - } + if (tsgl) { + for_each_sg(tsgl, sg, areq->tsgl_entries, i) { + if (!sg_page(sg)) + continue; + put_page(sg_page(sg)); + } - if (areq->tsgl && areq->tsgl_entries) sock_kfree_s(sk, tsgl, areq->tsgl_entries * sizeof(*tsgl)); + } } EXPORT_SYMBOL_GPL(af_alg_free_areq_sgls);
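Review bot: the new `if (tsgl)` block drops the `areq->tsgl_entries` half of the removed guard `if (areq->tsgl && areq->tsgl_entries)`, so `sock_kfree_s(sk, tsgl, areq->tsgl_entries * sizeof(*tsgl))` is now reached for any non-NULL `tsgl`, including one paired with `tsgl_entries == 0`, where it would be asked to free a zero-length allocation. The fix for the NULL dereference itself is right: `for_each_sg()` with a nonzero `tsgl_entries` walks a NULL `tsgl`, which is the crash the commit message describes, and moving the loop under the `tsgl` check closes that. To keep the previous semantics unchanged, either keep the second condition as `if (tsgl && areq->tsgl_entries) {`, or state in the commit message that `->tsgl` is only ever non-NULL when `->tsgl_entries` is nonzero, so the reader of `git blame` knows the dropped check was intentional rather than lost in the reindent.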