From: syzbot <syzbot+66e3ea42c4b176748b9c@syzkaller.appspotmail.com>
To: davem@davemloft.net, herbert@gondor.apana.org.au,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] general protection fault in scatterwalk_copychunks (4)
Date: Fri, 13 Aug 2021 03:03:26 -0700
Message-ID: <00000000000066a78105c96df6a3@google.com>
In-Reply-To: <00000000000006e7be05bda1c084@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: f8fbb47c6e86 Merge branch 'for-v5.14' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11d1a779300000
kernel config: https://syzkaller.appspot.com/x/.config?x=171d57d5a48c8cad
dashboard link: https://syzkaller.appspot.com/bug?extid=66e3ea42c4b176748b9c
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13b8db9e300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c21581300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+66e3ea42c4b176748b9c@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 58 Comm: kworker/u4:3 Not tainted 5.14.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: pencrypt_parallel padata_parallel_worker
RIP: 0010:scatterwalk_start include/crypto/scatterwalk.h:68 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:88 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:77 [inline]
RIP: 0010:scatterwalk_copychunks+0x4db/0x6a0 crypto/scatterwalk.c:50
Code: ff df 80 3c 02 00 0f 85 b4 01 00 00 49 8d 44 24 08 4d 89 26 48 89 c2 48 89 44 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 77 01 00 00 48 b8 00 00 00 00
RSP: 0018:ffffc900011d7628 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff83d3dc23 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88801903a69b
R10: ffffffff83d3dbd3 R11: 0000000000086088 R12: 0000000000000000
R13: 0000000000000001 R14: ffffc900011d7888 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000100 CR3: 000000001d355000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
skcipher_next_slow crypto/skcipher.c:278 [inline]
skcipher_walk_next+0x7af/0x1680 crypto/skcipher.c:363
skcipher_walk_first+0xf8/0x3c0 crypto/skcipher.c:446
skcipher_walk_aead_common+0x7a5/0xbc0 crypto/skcipher.c:539
gcmaes_crypt_by_sg+0x31d/0x890 arch/x86/crypto/aesni-intel_glue.c:658
gcmaes_encrypt+0xe2/0x230 arch/x86/crypto/aesni-intel_glue.c:722
generic_gcmaes_encrypt+0x12e/0x190 arch/x86/crypto/aesni-intel_glue.c:1071
crypto_aead_encrypt+0xaa/0xf0 crypto/aead.c:94
crypto_aead_encrypt+0xaa/0xf0 crypto/aead.c:94
pcrypt_aead_enc+0x13/0x70 crypto/pcrypt.c:82
padata_parallel_worker+0x60/0xb0 kernel/padata.c:157
process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
process_scheduled_works kernel/workqueue.c:2338 [inline]
worker_thread+0x85c/0x11f0 kernel/workqueue.c:2424
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace d7f7427ae496b704 ]---
RIP: 0010:scatterwalk_start include/crypto/scatterwalk.h:68 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:88 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:77 [inline]
RIP: 0010:scatterwalk_copychunks+0x4db/0x6a0 crypto/scatterwalk.c:50
Code: ff df 80 3c 02 00 0f 85 b4 01 00 00 49 8d 44 24 08 4d 89 26 48 89 c2 48 89 44 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 77 01 00 00 48 b8 00 00 00 00
RSP: 0018:ffffc900011d7628 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff83d3dc23 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88801903a69b
R10: ffffffff83d3dbd3 R11: 0000000000086088 R12: 0000000000000000
R13: 0000000000000001 R14: ffffc900011d7888 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000100 CR3: 000000000b68e000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: df 80 3c 02 00 0f filds 0xf00023c(%rax)
6: 85 b4 01 00 00 49 8d test %esi,-0x72b70000(%rcx,%rax,1)
d: 44 24 08 rex.R and $0x8,%al
10: 4d 89 26 mov %r12,(%r14)
13: 48 89 c2 mov %rax,%rdx
16: 48 89 44 24 18 mov %rax,0x18(%rsp)
1b: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
22: fc ff df
25: 48 c1 ea 03 shr $0x3,%rdx
29: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2d: 84 c0 test %al,%al
2f: 74 08 je 0x39
31: 3c 03 cmp $0x3,%al
33: 0f 8e 77 01 00 00 jle 0x1b0
39: 48 rex.W
3a: b8 00 00 00 00 mov $0x0,%eax
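Worked decoding of the fault address in the report above, added here as an editor's example; it is not part of syzbot's message. The address 0xdffffc0000000001 is not a kernel pointer but a KASAN shadow-memory address: on x86_64 generic KASAN the shadow byte for address A lives at (A >> 3) + 0xdffffc0000000000, so the shadow of a near-NULL address lands in the non-canonical hole and the load faults with #GP rather than #PF. The kernel's kasan_non_canonical_hook() reverses that mapping to produce the "null-ptr-deref in range [0x0000000000000008-0x000000000000000f]" line; the code below reproduces that translation and the classification thresholds (PAGE_SIZE, TASK_SIZE) it applies, then cross-checks the result against the trapping instruction `movzbl (%rdx,%rax,1),%eax` with RAX = 0xdffffc0000000000 and RDX = 0x1 from the register dump. This is consistent with the five bytes `49 8d 44 24 08` immediately before it (misaligned by the best-guess disassembly because one byte was skipped), which decode to `lea 0x8(%r12),%rax` with R12 = 0, i.e. a NULL scatterlist pointer whose `offset` field is being read in scatterwalk_start(). TASK_SIZE assumes 4-level paging; that value is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Decode the fault address of a KASAN "general protection fault, probably
 * for non-canonical address" report back to the kernel address that the
 * instrumented access was checking.
 *
 * Constants are the x86_64 generic-KASAN values. TASK_SIZE is the 4-level
 * paging value; that choice is an assumption made for this example.
 */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE_X86            4096ULL
#define TASK_SIZE_X86_64         0x00007ffffffff000ULL /* assumed: 4-level paging */

struct kasan_decoded {
    uint64_t shadow;      /* faulting (shadow) address from the oops */
    uint64_t start;       /* first kernel address covered by that shadow byte */
    uint64_t end;         /* last address covered (start + granule - 1) */
    const char *bug_type; /* classification string KASAN prints */
};

/* Shadow byte address -> kernel address (inverse of the instrumentation's map). */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Kernel address -> shadow byte address, as the KASAN instrumentation computes it. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Only addresses inside the shadow region are candidates for this decoding. */
static int kasan_is_shadow_addr(uint64_t addr)
{
    return addr >= KASAN_SHADOW_OFFSET &&
           addr < KASAN_SHADOW_OFFSET + (UINT64_MAX >> KASAN_SHADOW_SCALE_SHIFT);
}

/*
 * Mirrors the classification kasan_non_canonical_hook() applies to a GP fault
 * on a shadow address: below PAGE_SIZE is a NULL-pointer dereference, below
 * TASK_SIZE a user-memory access, anything else a wild access.
 */
static struct kasan_decoded kasan_decode_gp_fault(uint64_t fault_addr)
{
    struct kasan_decoded d = { .shadow = fault_addr };

    if (!kasan_is_shadow_addr(fault_addr)) {
        d.bug_type = "not-a-shadow-address";
        return d;
    }
    d.start = kasan_shadow_to_mem(fault_addr);
    d.end   = d.start + KASAN_GRANULE_SIZE - 1;
    if (d.start < PAGE_SIZE_X86)
        d.bug_type = "null-ptr-deref";
    else if (d.start < TASK_SIZE_X86_64)
        d.bug_type = "probably user-memory-access";
    else
        d.bug_type = "maybe wild-memory-access";
    return d;
}

/*
 * Cross-check against the trapping instruction in the report:
 *   movzbl (%rdx,%rax,1),%eax   with RAX = KASAN_SHADOW_OFFSET, RDX = addr >> 3
 * The effective address is RAX + RDX and must equal the reported fault address.
 */
static uint64_t effective_shadow_load(uint64_t rax, uint64_t rdx)
{
    return rax + rdx;
}

int main(void)
{
    /* Register and fault values copied from the oops above. */
    const uint64_t fault_addr = 0xdffffc0000000001ULL;
    const uint64_t rax = 0xdffffc0000000000ULL, rdx = 0x1ULL;
    struct kasan_decoded d = kasan_decode_gp_fault(fault_addr);

    printf("shadow %#llx -> %s in range [%#018llx-%#018llx]\n",
           (unsigned long long)d.shadow, d.bug_type,
           (unsigned long long)d.start, (unsigned long long)d.end);
    printf("trapping load reads %#llx (%s)\n",
           (unsigned long long)effective_shadow_load(rax, rdx),
           effective_shadow_load(rax, rdx) == fault_addr ? "matches oops" : "MISMATCH");
    return 0;
}
```

Feeding the report's fault address yields start 0x8, end 0xf and "null-ptr-deref", exactly the KASAN line in the oops; the same decoding applied to any other syzbot "non-canonical address 0xdffffc..." report tells you at a glance whether the underlying access was NULL-relative, a stray user pointer, or a wild pointer before you open the C reproducer.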
Thread overview: 5+ messages
2021-03-16 6:48 [syzbot] general protection fault in scatterwalk_copychunks (4) syzbot
2021-08-13 10:03 ` syzbot [this message]
2021-08-14 13:07 ` syzbot
2023-10-12 21:25 ` [syzbot] [net] [crypto] " syzbot
2023-10-13 8:49 ` Sabrina Dubroca