Re: [syzbot] [ext4?] general protection fault in ext4_put_io_end_defer

From: Theodore Ts'o
Date: Wed Jun 28 2023 - 23:58:01 EST

Next message: Kemeng Shi: "[PATCH 02/13] ext4: add missed brelse in update_backups"
Previous message: Koba Ko: "Re: [PATCH] EDAC/i10nm: shift exponent is negative"
In reply to: syzbot: "[syzbot] [ext4?] general protection fault in ext4_put_io_end_defer"
Next in thread: Eric Biggers: "Re: [syzbot] [ext4?] general protection fault in ext4_put_io_end_defer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#syz set subsystems: crypto

On Sat, Jun 24, 2023 at 07:21:44PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: f7efed9f38f8 Add linux-next specific files for 20230616
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=152e89f3280000
> kernel config: https://syzkaller.appspot.com/x/.config?x=60b1a32485a77c16
> dashboard link: https://syzkaller.appspot.com/bug?extid=94a8c779c6b238870393
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=116af1eb280000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e22d2f280000

If you look at the reproducer, it's creating an AF_ALG (algorithm)
socket and messing with it. This is easier to see in the syz
reproducer, but you can see exactly what it's doing in the C
reproducer above:

# https://syzkaller.appspot.com/bug?id=4ee7656695de92cbd5820111379ae0698af0f475
# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{"threaded":true,"repeat":true,"procs":1,"slowdown":1,"sandbox":"none","sandbox_arg":0,"netdev":true,"binfmt_misc":true,"close_fds":true,"vhci":true,"ieee802154":true,"sysctl":true,"swap":true,"tmpdir":true}
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000280)={0x26, 'hash\x00', 0x0, 0x0, 'sha3-256-generic\x00'}, 0x58)
r1 = accept4(r0, 0x0, 0x0, 0x0)
recvmmsg$unix(r1, &(0x7f0000003700)=[{{0x0, 0x700, 0x0}}], 0x600, 0x0, 0x0)
sendmsg$can_bcm(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={0x0}}, 0x400c800)

(0x26 is 38, or AF_ALG)

>From looking at the stack trace, it looks like this is triggering a
coredump, which presumably is the ext4 write that triggers the GPF in
ext4_put_io_end_defer. But given that the syz and C reproducer isn't
doing anything ext4 related at all, and it's purely trying to use the
AF_ALG socket to calculate SHA3 in the kernel (and the greek chorus
cries out, "WHY?"[1]), I'm going to send this over to the crypto folks to
investigate.

Cheers,

- Ted

[1] TIL that AF_ALG exists. Inquiring minds want to know:
* Why do we expose the AF_ALG userspace interface?
* Who uses it?
* Why do they use it?
* Is there a CONFIG option to disable it in the name of decreasing
the attack surface of the kernel?
* If not, should we add one? :-)

Next message: Kemeng Shi: "[PATCH 02/13] ext4: add missed brelse in update_backups"
Previous message: Koba Ko: "Re: [PATCH] EDAC/i10nm: shift exponent is negative"
In reply to: syzbot: "[syzbot] [ext4?] general protection fault in ext4_put_io_end_defer"
Next in thread: Eric Biggers: "Re: [syzbot] [ext4?] general protection fault in ext4_put_io_end_defer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]