Re: GPF in gf128mul_64k_bbe

From: Stephan Mueller
Date: Mon Dec 21 2015 - 17:50:54 EST

Next message: Ming Lei: "Re: IO errors after "block: remove bio_get_nr_vecs()""
Previous message: Andy Lutomirski: "Re: firmware_class warnings on resume"
In reply to: Stephan Mueller: "Re: GPF in gf128mul_64k_bbe"
Next in thread: Stephan Mueller: "Re: GPF in gf128mul_64k_bbe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Am Donnerstag, 17. Dezember 2015, 14:00:23 schrieb Dmitry Vyukov:

Hi Herbert,

After digging a bit here, I find the following:

- When using the test app on my system, I get a GPF in twofish, which means
that the problem is not tied to a particular cipher implementation.

- When analyzing gf128mul_64k_bbe, I see that the NULL pointer deference seems
to be triggered *after* the last operation in that function. Can it be that
there is some memory corruption in that function where the return pointer is
somehow overwritten?

> Hello,
>
> The following program causes GPF in gf128mul_64k_bbe:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <syscall.h>
> #include <string.h>
> #include <stdint.h>
>
> int main()
> {
> long r0 = syscall(SYS_socket, 0x26ul, 0x5ul, 0x0ul, 0, 0, 0);
> long r1 = syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x3ul,
> 0x32ul, 0xfffffffffffffffful, 0x0ul);
> *(uint16_t*)0x20001000 = 0x26;
> memcpy((void*)0x20001002,
> "\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
> *(uint32_t*)0x20001010 = 0xf;
> *(uint32_t*)0x20001014 = 0x100;
> memcpy((void*)0x20001018,
> "\x6c\x72\x77\x28\x63\x61\x6d\x65\x6c\x6c\x69\x61\x29\x00\x00\x00\x00\x00\x0
> 0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
> 0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
> 0\x00\x00\x00\x00\x00\x00\x00", 64);
> long r7 = syscall(SYS_bind, r0, 0x20001000ul, 0x58ul, 0, 0, 0);
> long r8 = syscall(SYS_accept4, r0, 0x0ul, 0x200023fdul, 0x800ul, 0,
> 0); *(uint32_t*)0x20002000 = 0x12;
> *(uint32_t*)0x20002004 = 0x8;
> *(uint64_t*)0x20002008 = 0x0;
> *(uint16_t*)0x20002010 = 0x4d;
> long r13 = syscall(SYS_write, r8, 0x20002000ul, 0x12ul, 0, 0, 0);
> memcpy((void*)0x20000a56,
> "\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
> 0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
> 0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
> 0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
> 0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
> 0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
> 0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 128);
> long r15 = syscall(SYS_recvfrom, r8, 0x20000000ul, 0xb6ul,
> 0x0ul, 0x20000a56ul, 0x80ul);
> return 0;
> }
>
>
> general protection fault: 0000 [#2] SMP KASAN
> Modules linked in:
> CPU: 0 PID: 6955 Comm: executor Not tainted 4.4.0-rc3+ #151
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff88005fc88000 ti: ffff880062478000 task.ti: ffff880062478000 RIP:
> 0010:[<ffffffff82bf9609>]
> [<ffffffff82bf9609>] gf128mul_64k_bbe+0x89/0x3f0 crypto/gf128mul.c:379
> RSP: 0018:ffff88006247f720 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 0000000000000000
> RDX: ffffed000c48fed1 RSI: 0000000000000000 RDI: ffffed000c48fedd
> RBP: ffff88006247f7e0 R08: ffff88003dfd1158 R09: 0000000000001000
> R10: 0000000000000010 R11: 1ffff100075eeb92 R12: ffff88006247fa00
> R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff1000c48feea
> FS: 00007f21e795f700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 0000000020000a56 CR3: 0000000060c4b000 CR4: 00000000000006f0
> Stack:
> ffff88006247f8c0 ffff88006247f8b8 1ffff1000c48feea ffff88006247fa00
> ffff88006247f8a0 0000000000000000 0000000041b58ab3 ffffffff87ab3a79
> ffffffff82bf9580 ffffffff82bafa9b 0000000000000000 ffff88006247f7a0
> Call Trace:
> [<ffffffff82c04b9d>] lrw_crypt+0x29d/0xd20 crypto/lrw.c:248
> [<ffffffff812b838b>] lrw_decrypt+0xeb/0x140
> arch/x86/crypto/serpent_avx2_glue.c:270
> [<ffffffff82babe81>] async_decrypt+0x1c1/0x2c0 crypto/blkcipher.c:443
> [< inline >] crypto_ablkcipher_decrypt include/linux/crypto.h:921
> [< inline >] skcipher_recvmsg_sync crypto/algif_skcipher.c:676
> [<ffffffff82d2e7b9>] skcipher_recvmsg+0x1029/0x1f10
> crypto/algif_skcipher.c:706 [< inline >] sock_recvmsg_nosec
> net/socket.c:712
> [<ffffffff856b1c8a>] sock_recvmsg+0xaa/0xe0 net/socket.c:720
> [<ffffffff856b2424>] SYSC_recvfrom+0x1e4/0x370 net/socket.c:1707
> [<ffffffff856b7570>] SyS_recvfrom+0x40/0x50 net/socket.c:1681
> [<ffffffff86a89fb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
> Code: 04 00 00 f4 f4 c7 40 08 f3 f3 f3 f3 e8 d1 e9 a0 fe 4d 85 f6 0f
> 84 f6 01 00 00 4c 89 f1 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 <80>
> 3c 01 00 0f 85 48 03 00 00 48 8b 5c 24 18 4d 8b 26 48 83 c3
> RIP [<ffffffff82bf9609>] gf128mul_64k_bbe+0x89/0x3f0 crypto/gf128mul.c:379
> RSP <ffff88006247f720>
> ---[ end trace 722d56533c7c99a7 ]---
>
>
> On upstream commit 31ade3b83e1821da5fbb2f11b5b3d4ab2ec39db8 (Nov 29).
> --
> To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ming Lei: "Re: IO errors after "block: remove bio_get_nr_vecs()""
Previous message: Andy Lutomirski: "Re: firmware_class warnings on resume"
In reply to: Stephan Mueller: "Re: GPF in gf128mul_64k_bbe"
Next in thread: Stephan Mueller: "Re: GPF in gf128mul_64k_bbe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]