AF_ALG: register completely initialized request in list

Message ID	3337259.MW9pfDCdka@positron.chronox.de (mailing list archive)
State	Changes Requested
Delegated to:	Herbert Xu
Headers	show Return-Path: <linux-crypto-owner@kernel.org> From: Stephan =?ISO-8859-1?Q?M=FCller?= <smueller@chronox.de> To: syzbot <syzbot+9c251bdd09f83b92ba95@syzkaller.appspotmail.com> Cc: davem@davemloft.net, herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: [PATCH] AF_ALG: register completely initialized request in list Date: Sun, 08 Apr 2018 19:57:12 +0200 Message-ID: <3337259.MW9pfDCdka@positron.chronox.de> In-Reply-To: <00000000000092ad87056950ef9e@google.com> References: <00000000000092ad87056950ef9e@google.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk

Stephan Mueller April 8, 2018, 5:57 p.m. UTC

Hi,

May I ask to check whether this patch fixes the issue? I cannot re-create
the issue with the reproducter. Yet, as far as I understand, you try to
induce errors which shall validate whether the error code paths are correct.

The fix below should ensure this now.

Thanks a lot.

---8<---

From 8f083e7b0684a9f91c186d7b46eec34e439689c3 Mon Sep 17 00:00:00 2001
From: Stephan Mueller <smueller@chronox.de>
Date: Sun, 8 Apr 2018 19:53:59 +0200
Subject: [PATCH] AF_ALG: Initialize sg_num_bytes in error code path

The RX SGL in processing is already registered with the RX SGL tracking
list to support proper cleanup. The cleanup code path uses the
sg_num_bytes variable which must therefore be always initialized, even
in the error code path.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzbot+9c251bdd09f83b92ba95@syzkaller.appspotmail.com
---
 crypto/af_alg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Dmitry Vyukov April 9, 2018, 7:51 a.m. UTC | #1

On Sun, Apr 8, 2018 at 7:57 PM, Stephan Müller <smueller@chronox.de> wrote:
> Hi,
>
> May I ask to check whether this patch fixes the issue? I cannot re-create
> the issue with the reproducter. Yet, as far as I understand, you try to
> induce errors which shall validate whether the error code paths are correct.

You can ask syzbot to test by replying to its report email with a test
command, see:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot

Note that all testing of KMSAN bugs needs to go to KMSAN tree, for details see:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bugs




> The fix below should ensure this now.
>
> Thanks a lot.
>
> ---8<---
>
> From 8f083e7b0684a9f91c186d7b46eec34e439689c3 Mon Sep 17 00:00:00 2001
> From: Stephan Mueller <smueller@chronox.de>
> Date: Sun, 8 Apr 2018 19:53:59 +0200
> Subject: [PATCH] AF_ALG: Initialize sg_num_bytes in error code path
>
> The RX SGL in processing is already registered with the RX SGL tracking
> list to support proper cleanup. The cleanup code path uses the
> sg_num_bytes variable which must therefore be always initialized, even
> in the error code path.
>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> Reported-by: syzbot+9c251bdd09f83b92ba95@syzkaller.appspotmail.com
> ---
>  crypto/af_alg.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/crypto/af_alg.c b/crypto/af_alg.c
> index c49766b03165..0d555c072669 100644
> --- a/crypto/af_alg.c
> +++ b/crypto/af_alg.c
> @@ -1156,8 +1156,10 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags,
>
>                 /* make one iovec available as scatterlist */
>                 err = af_alg_make_sg(&rsgl->sgl, &msg->msg_iter, seglen);
> -               if (err < 0)
> +               if (err < 0) {
> +                       rsgl->sg_num_bytes = 0;
>                         return err;
> +               }
>
>                 /* chain the new scatterlist with previous one */
>                 if (areq->last_rsgl)
> --
> 2.14.3
>
>
>
>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/3337259.MW9pfDCdka%40positron.chronox.de.
> For more options, visit https://groups.google.com/d/optout.

Stephan Mueller April 9, 2018, 7:54 a.m. UTC | #2

Am Montag, 9. April 2018, 09:51:13 CEST schrieb Dmitry Vyukov:

Hi Dmitry,

> You can ask syzbot to test by replying to its report email with a test
> command, see:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication
> -with-syzbot
> 
> Note that all testing of KMSAN bugs needs to go to KMSAN tree, for details
> see:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bugs

Thank you. I will resend the patch later today with the proper tags.

Ciao
Stephan

Eric Biggers July 4, 2018, 11:37 p.m. UTC | #3

On Mon, Apr 09, 2018 at 09:54:12AM +0200, Stephan Mueller wrote:
> Am Montag, 9. April 2018, 09:51:13 CEST schrieb Dmitry Vyukov:
> 
> Hi Dmitry,
> 
> > You can ask syzbot to test by replying to its report email with a test
> > command, see:
> > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication
> > -with-syzbot
> > 
> > Note that all testing of KMSAN bugs needs to go to KMSAN tree, for details
> > see:
> > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bugs
> 
> Thank you. I will resend the patch later today with the proper tags.
> 
> Ciao
> Stephan

Hi Stephan, it seems you never sent your patch out.

- Eric

Stephan Mueller July 5, 2018, 7:49 a.m. UTC | #4

Am Donnerstag, 5. Juli 2018, 01:37:57 CEST schrieb Eric Biggers:

Hi Eric,

> On Mon, Apr 09, 2018 at 09:54:12AM +0200, Stephan Mueller wrote:
> > Am Montag, 9. April 2018, 09:51:13 CEST schrieb Dmitry Vyukov:
> > 
> > Hi Dmitry,
> > 
> > > You can ask syzbot to test by replying to its report email with a test
> > > command, see:
> > > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communica
> > > tion -with-syzbot
> > > 
> > > Note that all testing of KMSAN bugs needs to go to KMSAN tree, for
> > > details
> > > see:
> > > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bug
> > > s
> > 
> > Thank you. I will resend the patch later today with the proper tags.
> > 
> > Ciao
> > Stephan
> 
> Hi Stephan, it seems you never sent your patch out.

Thank you for pointing this one out. At the time, I was searching for how I 
can refer to the syzbot KMSAN branch that was used to produce the bug report. 
I only see guidance on how to point to the Linux kernel tree.

Do you have a hint how to point to a different syzbot tree?

Ciao
Stephan

Dmitry Vyukov July 5, 2018, 8:43 a.m. UTC | #5

On Thu, Jul 5, 2018 at 9:49 AM, Stephan Müller <smueller@chronox.de> wrote:
> Am Donnerstag, 5. Juli 2018, 01:37:57 CEST schrieb Eric Biggers:
>
> Hi Eric,
>
>> On Mon, Apr 09, 2018 at 09:54:12AM +0200, Stephan Mueller wrote:
>> > Am Montag, 9. April 2018, 09:51:13 CEST schrieb Dmitry Vyukov:
>> >
>> > Hi Dmitry,
>> >
>> > > You can ask syzbot to test by replying to its report email with a test
>> > > command, see:
>> > > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communica
>> > > tion -with-syzbot
>> > >
>> > > Note that all testing of KMSAN bugs needs to go to KMSAN tree, for
>> > > details
>> > > see:
>> > > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bug
>> > > s
>> >
>> > Thank you. I will resend the patch later today with the proper tags.
>> >
>> > Ciao
>> > Stephan
>>
>> Hi Stephan, it seems you never sent your patch out.
>
> Thank you for pointing this one out. At the time, I was searching for how I
> can refer to the syzbot KMSAN branch that was used to produce the bug report.
> I only see guidance on how to point to the Linux kernel tree.
>
> Do you have a hint how to point to a different syzbot tree?

Hi Stephan,

The general info about patch testing is here:

https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

Some additional KMSAN-specific info is at the bottom of the page:

https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bugs

In sort, you issue test command against
https://github.com/google/kmsan.git master and attach the patch.
The git tree/branch are also referenced in the syzbot report:
https://groups.google.com/forum/#!msg/syzkaller-bugs/nCuxVFfvc0I/zE1-hC3lCAAJ

Where did you see instructions mentioning Linus tree? I don't see we
ever refer to that tree in the instructions.

Thanks

AF_ALG: register completely initialized request in list

Commit Message

Comments

Patch