Re: [syzbot] [crypto?] KASAN: slab-out-of-bounds Read in extract_iter_to_sg

[David Howells]

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main


diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 38d2265c77fd..e97abe6055a1 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -4333,8 +4333,7 @@ static void *smb2_get_aead_req(struct crypto_aead *tfm, struct smb_rqst *rqst,
 		}
 		sgtable.orig_nents = sgtable.nents;
 
-		rc = extract_iter_to_sg(iter, count, &sgtable,
-					num_sgs - sgtable.nents, 0);
+		rc = extract_iter_to_sg(iter, count, &sgtable, num_sgs, 0);
 		iov_iter_revert(iter, rc);
 		sgtable.orig_nents = sgtable.nents;
 	}
diff --git a/lib/scatterlist.c b/lib/scatterlist.c
index e97d7060329e..6fd20bfc01a4 100644
--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -1120,7 +1120,8 @@ static ssize_t extract_user_to_sg(struct iov_iter *iter,
 	pages -= sg_max;
 
 	do {
-		res = iov_iter_extract_pages(iter, &pages, maxsize, sg_max,
+		res = iov_iter_extract_pages(iter, &pages, maxsize,
+					     sg_max - sgtable->nents,
 					     extraction_flags, &off);
 		if (res < 0)
 			goto failed;
@@ -1129,7 +1130,6 @@ static ssize_t extract_user_to_sg(struct iov_iter *iter,
 		maxsize -= len;
 		ret += len;
 		npages = DIV_ROUND_UP(off + len, PAGE_SIZE);
-		sg_max -= npages;
 
 		for (; npages > 0; npages--) {
 			struct page *page = *pages;
@@ -1142,7 +1142,7 @@ static ssize_t extract_user_to_sg(struct iov_iter *iter,
 			len -= seg;
 			off = 0;
 		}
-	} while (maxsize > 0 && sg_max > 0);
+	} while (maxsize > 0 && sgtable->nents < sg_max);
 
 	return ret;
 
@@ -1183,11 +1183,10 @@ static ssize_t extract_bvec_to_sg(struct iov_iter *iter,
 		sg_set_page(sg, bv[i].bv_page, len, off);
 		sgtable->nents++;
 		sg++;
-		sg_max--;
 
 		ret += len;
 		maxsize -= len;
-		if (maxsize <= 0 || sg_max == 0)
+		if (maxsize <= 0 || sgtable->nents >= sg_max)
 			break;
 		start = 0;
 	}
@@ -1242,14 +1241,13 @@ static ssize_t extract_kvec_to_sg(struct iov_iter *iter,
 			sg_set_page(sg, page, len, off);
 			sgtable->nents++;
 			sg++;
-			sg_max--;
 
 			len -= seg;
 			kaddr += PAGE_SIZE;
 			off = 0;
-		} while (len > 0 && sg_max > 0);
+		} while (len > 0 && sgtable->nents < sg_max);
 
-		if (maxsize <= 0 || sg_max == 0)
+		if (maxsize <= 0 || sgtable->nents >= sg_max)
 			break;
 		start = 0;
 	}
@@ -1294,11 +1292,10 @@ static ssize_t extract_xarray_to_sg(struct iov_iter *iter,
 		sg_set_page(sg, folio_page(folio, 0), len, offset);
 		sgtable->nents++;
 		sg++;
-		sg_max--;
 
 		maxsize -= len;
 		ret += len;
-		if (maxsize <= 0 || sg_max == 0)
+		if (maxsize <= 0 || sgtable->nents >= sg_max)
 			break;
 	}
 
@@ -1318,7 +1315,8 @@ static ssize_t extract_xarray_to_sg(struct iov_iter *iter,
  *
  * Extract the page fragments from the given amount of the source iterator and
  * add them to a scatterlist that refers to all of those bits, to a maximum
- * addition of @sg_max elements.
+ * addition of @sg_max elements.  @sgtable->nents indicates how many of the
+ * elements are already used.
  *
  * The pages referred to by UBUF- and IOVEC-type iterators are extracted and
  * pinned; BVEC-, KVEC- and XARRAY-type are extracted but aren't pinned; PIPE-
@@ -1343,6 +1341,11 @@ ssize_t extract_iter_to_sg(struct iov_iter *iter, size_t maxsize,
 	if (maxsize == 0)
 		return 0;
 
+	if (WARN_ON_ONCE(sg_max == 0))
+		return -EIO;
+	if (WARN_ON_ONCE(sgtable->nents >= sg_max))
+		return -EIO;
+
 	switch (iov_iter_type(iter)) {
 	case ITER_UBUF:
 	case ITER_IOVEC: