KASAN related bug in crypto/asymmetric_keys/public_key.c:96

From: Peter Teoh
Date: Wed Jun 21 2017 - 03:25:06 EST


I got the following dump during startup (4.11.0 stable):

[ 1.353688] registered taskstats version 1
[ 1.353974] Loading compiled-in X.509 certificates
[ 1.354582] ------------[ cut here ]------------
[ 1.354904] kernel BUG at crypto/asymmetric_keys/public_key.c:96!
[ 1.355319] invalid opcode: 0000 [#1] SMP KASAN
[ 1.355628] Modules linked in:
[ 1.355843] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.11.0syz #10
[ 1.356266] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1.356901] task: ffff88006c538000 task.stack: ffff88006c540000
[ 1.357308] RIP: 0010:public_key_verify_signature+0x772/0x9b0
[ 1.357698] RSP: 0000:ffff88006c547840 EFLAGS: 00010297
[ 1.358053] RAX: ffff88006c538000 RBX: ffff88006a46e9c0 RCX: 0000000000000005
[ 1.358537] RDX: 0000000000000000 RSI: ffff88006a46e9c0 RDI: ffff88006a46de70
[ 1.359013] RBP: ffff88006c547a18 R08: ffffed000d48dd93 R09: ffffed000d48dd93
[ 1.359488] R10: 0000000000000000 R11: ffffed000d48dd94 R12: dffffc0000000000
[ 1.359962] R13: ffff88006a46de70 R14: ffffffff82ba4440 R15: 1ffff1000d8a8f0e
[ 1.360442] FS: 0000000000000000(0000) GS:ffff88006d000000(0000) knlGS:0000000000000000
[ 1.360986] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.361376] CR2: 0000000000000000 CR3: 000000000300d000 CR4: 00000000000006f0
[ 1.361855] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1.362333] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1.362914] Call Trace:
[ 1.363092] ? public_key_describe+0xd0/0xd0
[ 1.363390] ? kasan_slab_free+0x89/0xc0
[ 1.363660] ? crypto_larval_destroy+0x110/0x150
[ 1.363977] ? kfree+0x96/0x1b0
[ 1.364195] ? crypto_larval_destroy+0x110/0x150
[ 1.364513] ? crypto_larval_wait+0x1e0/0x1e0
[ 1.364813] ? crypto_larval_kill+0x16f/0x1d0
[ 1.365113] ? kasan_unpoison_shadow+0x35/0x50
[ 1.365418] ? kasan_kmalloc+0xad/0xe0
[ 1.365678] x509_check_for_self_signed+0x324/0x520
[ 1.366012] x509_cert_parse+0x4b6/0x670
[ 1.366295] x509_key_preparse+0x69/0x860
[ 1.366573] ? __printk_safe_exit+0xe/0x20
[ 1.366856] asymmetric_key_preparse+0xd3/0x1b0
[ 1.367166] ? memset+0x31/0x40
[ 1.367385] ? asymmetric_key_free_preparse+0x190/0x190
[ 1.367743] key_create_or_update+0x365/0xa00
[ 1.368043] ? key_type_lookup+0xe0/0xe0
[ 1.368314] ? vprintk_default+0x74/0xf0
[ 1.368584] ? vprintk_func+0x4c/0x90
[ 1.368839] ? printk+0xbe/0xf2
[ 1.369059] load_system_certificate_list+0x1ab/0x240
[ 1.369402] ? system_trusted_keyring_init+0x9d/0x9d
[ 1.369755] do_one_initcall+0xb9/0x280
[ 1.370030] ? initcall_blacklisted+0x1b0/0x1b0
[ 1.370344] ? parse_args+0x228/0xb60
[ 1.370607] kernel_init_freeable+0x528/0x612
[ 1.370937] ? start_kernel+0x70b/0x70b
[ 1.371215] ? compat_start_thread+0x80/0x80
[ 1.371544] ? rest_init+0xb0/0xb0
[ 1.371805] kernel_init+0x18/0x180
[ 1.372055] ? rest_init+0xb0/0xb0
[ 1.372300] ret_from_fork+0x2c/0x40
[ 1.372610] Code: ff ff e8 52 8a 8a ff 48 8b bd 50 fe ff ff e8 66 77 b1 ff e9 58 fb ff ff e8 3c 8a 8a ff 0f 0b e8 35 8a 8a ff 0f 0b e8 2e 8a 8a ff <0f> 0b e8 27 8a 8a ff 0f 0b e8 20 8a 8a ff 41 bd f4 ff ff ff e9
[ 1.374192] RIP: public_key_verify_signature+0x772/0x9b0 RSP: ffff88006c547840
[ 1.374840] ---[ end trace 6fefa18a45f0fc9e ]---
[ 1.375242] Kernel panic - not syncing: Fatal exception
[ 1.375736] Kernel Offset: disabled
[ 1.376026] ---[ end Kernel panic - not syncing: Fatal exception


Tracing into public_key.c:

94 BUG_ON(!pkey);
95 BUG_ON(!sig);
96 BUG_ON(!sig->digest);
97 BUG_ON(!sig->s);
98

There is no check on the digest and length being zero anywhere. And I'm
not sure where the right place to initialize it is, if any.

Is this a bug? Thanks.
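An added user-space illustration of the path described in the report (example code, not the kernel's own code and not from the poster): the parser fills in sig->digest only when it can hash the TBS data, so an unsupported hash algorithm leaves the pointer NULL, and the verify step then trips BUG_ON(!sig->digest) at public_key.c:96. The example models that with trimmed stand-ins for struct public_key and struct public_key_signature, a hypothetical hash_supported() whitelist, a toy (non-cryptographic) digest in place of the kernel's shash, and a check_signature_params() that returns -EINVAL where the kernel has BUG_ON(), so a certificate with an unknown signature hash is rejected instead of panicking the boot.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Trimmed user-space stand-ins for the kernel's struct public_key and
 * struct public_key_signature; field names follow the kernel, the
 * layouts do not. */
struct public_key {
    const void *key;
    size_t keylen;
};

struct public_key_signature {
    const unsigned char *s;      /* raw signature bytes */
    size_t s_size;
    const unsigned char *digest; /* hash of the TBS data; NULL if never computed */
    size_t digest_size;
    const char *hash_algo;       /* name taken from the certificate */
};

/* Hypothetical whitelist of "compiled-in" digests. */
static int hash_supported(const char *algo)
{
    static const char *const known[] = { "sha1", "sha256", "sha512" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(algo, known[i]) == 0)
            return 1;
    return 0;
}

/* Toy 32-byte digest (FNV-1a spread over the buffer). NOT a real hash; it
 * only stands in for the kernel's shash so the example runs stand-alone. */
static void toy_digest(const unsigned char *in, size_t len, unsigned char out[32])
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= in[i]; h *= 16777619u; }
    for (size_t i = 0; i < 32; i++) {
        out[i] = (unsigned char)(h >> ((i % 4) * 8));
        h = h * 16777619u + (uint32_t)i;
    }
}

/* Model of the certificate parser: the digest is only filled in when the
 * hash algorithm is supported, which is how sig->digest can remain NULL. */
static void prepare_signature(struct public_key_signature *sig, const char *algo,
                              const unsigned char *tbs, size_t tbs_len,
                              const unsigned char *sigbytes, size_t sig_len,
                              unsigned char digest_buf[32])
{
    memset(sig, 0, sizeof *sig);
    sig->hash_algo = algo;
    sig->s = sigbytes;
    sig->s_size = sig_len;
    if (!hash_supported(algo))
        return;                  /* digest stays NULL, digest_size stays 0 */
    toy_digest(tbs, tbs_len, digest_buf);
    sig->digest = digest_buf;
    sig->digest_size = 32;
}

/* Replacement for the four BUG_ON()s at public_key.c:94-97: reject bad
 * inputs with an error code so the caller can skip verification. */
int check_signature_params(const struct public_key *pkey,
                           const struct public_key_signature *sig)
{
    if (!pkey || !pkey->key || pkey->keylen == 0)
        return -EINVAL;
    if (!sig || !sig->s || sig->s_size == 0)
        return -EINVAL;
    if (!sig->digest || sig->digest_size == 0)
        return -EINVAL;
    return 0;
}

/* Run parse-then-check for a certificate whose signature hash is `algo`
 * and return what the verify step would see: 0 or -EINVAL. */
int verify_path_result(const char *algo)
{
    /* Constructed sample inputs, not real certificate material. */
    static const unsigned char tbs[] = "constructed TBSCertificate bytes";
    static const unsigned char sigbytes[] = { 0x30, 0x45, 0x02, 0x20, 0x7b };
    static const unsigned char keybytes[] = { 0x30, 0x82, 0x01, 0x22 };
    struct public_key pkey = { keybytes, sizeof keybytes };
    struct public_key_signature sig;
    unsigned char digest_buf[32];

    prepare_signature(&sig, algo, tbs, sizeof tbs - 1,
                      sigbytes, sizeof sigbytes, digest_buf);
    return check_signature_params(&pkey, &sig);
}

int main(void)
{
    printf("sha256 -> %d\n", verify_path_result("sha256")); /* 0 */
    printf("md4    -> %d\n", verify_path_result("md4"));    /* -EINVAL */
    return 0;
}
```

The point of the split into prepare_signature() and check_signature_params() is that the NULL digest is a legitimate parser outcome (an algorithm the kernel was not built with), not a programming error, so the verify side should treat it as untrusted input and return an error rather than assert on it.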