Re: [syzbot] [crypto?] general protection fault in shash_async_final
From: David Howells
Date: Wed Jun 14 2023 - 07:26:11 EST
Here's a reduced testcase for this. The key seems to be passing MSG_MORE to
sendmsg() and then not following up with more data before calling recvmsg().
Apart from not oopsing, I wonder what the behaviour should be here? Should
recvmsg() return an error (EAGAIN or ENODATA maybe) or should it close the
existing operation?
David
---
// https://syzkaller.appspot.com/bug?id=f5d9d503fe959e3b605abdaeedb39b072556281a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>
#define OSERROR(R, S) do { if ((long)(R) == -1L) { perror((S)); exit(1); } } while(0)
int main(void)
{
struct sockaddr_alg salg;
struct msghdr msg;
int algfd, hashfd, res;
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
OSERROR(algfd, "socket");
memset(&salg, 0, sizeof(salg));
salg.salg_family = AF_ALG;
strcpy(salg.salg_type, "hash");
strcpy(salg.salg_name, "digest_null-generic");
res = bind(algfd, (struct sockaddr *)&salg, sizeof(salg));
OSERROR(res, "bind/alg");
hashfd = accept4(algfd, NULL, 0, 0);
OSERROR(hashfd, "accept/alg");
res = setsockopt(3, SOL_ALG, ALG_SET_KEY, NULL, 0);
OSERROR(res, "setsockopt/ALG_SET_KEY");
memset(&msg, 0, sizeof(msg));
res = sendmsg(hashfd, &msg, MSG_MORE);
OSERROR(res, "sendmsg");
res = recvmsg(hashfd, &msg, 0);
OSERROR(res, "recvmsg");
return 0;
}