[PATCH] crypto: af_alg/hash: Fix uninit-value access in af_alg_free_sg()

From: Shigeru Yoshida
Date: Mon Dec 11 2023 - 09:02:54 EST

Next message: Sasha Levin: "[PATCH AUTOSEL 5.15 09/19] nouveau/tu102: flush all pdbs on vmm flush"
Previous message: AngeloGioacchino Del Regno: "Re: [PATCH v4 3/4] clk: mediatek: Add pcw_chg_shift control"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

KMSAN reported the following uninit-value access issue:

=====================================================
BUG: KMSAN: uninit-value in af_alg_free_sg+0x1c1/0x270 crypto/af_alg.c:547
af_alg_free_sg+0x1c1/0x270 crypto/af_alg.c:547
hash_sendmsg+0x188f/0x1ce0 crypto/algif_hash.c:172
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x997/0xd60 net/socket.c:2584
___sys_sendmsg+0x271/0x3b0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2674
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
slab_alloc_node mm/slub.c:3478 [inline]
__kmem_cache_alloc_node+0x5d5/0x9b0 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc+0x118/0x410 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
sock_kmalloc+0x104/0x1a0 net/core/sock.c:2681
hash_accept_parent_nokey crypto/algif_hash.c:418 [inline]
hash_accept_parent+0xbc/0x470 crypto/algif_hash.c:445
af_alg_accept+0x1d8/0x810 crypto/af_alg.c:439
hash_accept+0x368/0x800 crypto/algif_hash.c:254
do_accept+0x803/0xa70 net/socket.c:1927
__sys_accept4_file net/socket.c:1967 [inline]
__sys_accept4+0x170/0x340 net/socket.c:1997
__do_sys_accept4 net/socket.c:2008 [inline]
__se_sys_accept4 net/socket.c:2005 [inline]
__x64_sys_accept4+0xc0/0x150 net/socket.c:2005
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 0 PID: 14168 Comm: syz-executor.2 Not tainted 6.7.0-rc4-00009-gbee0e7762ad2 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
=====================================================

In hash_sendmsg(), hash_alloc_result() may fail and return -ENOMEM if
sock_kmalloc() fails. In this case, hash_sendmsg() jumps to the unlock_free
label and calls af_alg_free_sg() with ctx->sgl.sgt.sgl uninitialized. This
causes the above uninit-value access issue for ctx->sgl.sgt.sgl.

This patch fixes this issue by initializing ctx->sgl.sgt.sgl when the
structure is allocated in hash_accept_parent_nokey().

Fixes: c662b043cdca ("crypto: af_alg/hash: Support MSG_SPLICE_PAGES")
Signed-off-by: Shigeru Yoshida <syoshida@xxxxxxxxxx>
---
crypto/algif_hash.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index 82c44d4899b9..a51b58d36d60 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -419,6 +419,7 @@ static int hash_accept_parent_nokey(void *private, struct sock *sk)
if (!ctx)
return -ENOMEM;

+ ctx->sgl.sgt.sgl = NULL;
ctx->result = NULL;
ctx->len = len;
ctx->more = false;
--
2.41.0

Next message: Sasha Levin: "[PATCH AUTOSEL 5.15 09/19] nouveau/tu102: flush all pdbs on vmm flush"
Previous message: AngeloGioacchino Del Regno: "Re: [PATCH v4 3/4] clk: mediatek: Add pcw_chg_shift control"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]