From: syzbot <syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com>
To: catalin.marinas@arm.com, davem@davemloft.net,
herbert@gondor.apana.org.au,
linux-arm-kernel@lists.infradead.org,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, will@kernel.org
Subject: [syzbot] [arm?] [crypto?] KASAN: invalid-access Read in neon_aes_ctr_encrypt
Date: Fri, 16 Feb 2024 17:35:26 -0800 [thread overview]
Message-ID: <000000000000ff2c3f061189df71@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: c664e16bb1ba Merge tag 'docs-6.8-fixes2' of git://git.lwn...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e83cc8180000
kernel config: https://syzkaller.appspot.com/x/.config?x=b4dde08ba7d52a4b
dashboard link: https://syzkaller.appspot.com/bug?extid=f1ceaa1a09ab891e1934
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13fff792180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15cbe4dc180000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-c664e16b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/864da5a66121/vmlinux-c664e16b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/044de3e4ddc5/Image-c664e16b.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: invalid-access in neon_aes_ctr_encrypt+0x15c/0x1ec arch/arm64/crypto/aes-modes.S:599
Read at addr fcff000006797ff1 by task syz-executor675/3149
Pointer tag: [fc], memory tag: [fe]
CPU: 1 PID: 3149 Comm: syz-executor675 Not tainted 6.8.0-rc4-syzkaller-00005-gc664e16bb1ba #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:291
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:298
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x108/0x618 mm/kasan/report.c:488
kasan_report+0x88/0xac mm/kasan/report.c:601
report_tag_fault arch/arm64/mm/fault.c:334 [inline]
do_tag_recovery arch/arm64/mm/fault.c:346 [inline]
__do_kernel_fault+0x17c/0x1e8 arch/arm64/mm/fault.c:393
do_bad_area arch/arm64/mm/fault.c:493 [inline]
do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:772
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:848
el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:398
el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:458
el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:593
neon_aes_ctr_encrypt+0x15c/0x1ec arch/arm64/crypto/aes-modes.S:599
ctr_encrypt+0xfc/0x144 arch/arm64/crypto/aes-neonbs-glue.c:230
crypto_skcipher_decrypt+0x4c/0x60 crypto/skcipher.c:695
_skcipher_recvmsg crypto/algif_skcipher.c:199 [inline]
skcipher_recvmsg+0x39c/0x46c crypto/algif_skcipher.c:221
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg net/socket.c:1068 [inline]
sock_recvmsg net/socket.c:1064 [inline]
sock_read_iter+0xec/0x118 net/socket.c:1138
call_read_iter include/linux/fs.h:2079 [inline]
new_sync_read fs/read_write.c:395 [inline]
vfs_read+0x2cc/0x304 fs/read_write.c:476
ksys_read+0xe8/0x104 fs/read_write.c:619
__do_sys_read fs/read_write.c:629 [inline]
__se_sys_read fs/read_write.c:627 [inline]
__arm64_sys_read+0x1c/0x28 fs/read_write.c:627
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
el0_svc+0x34/0xd8 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
The buggy address belongs to the physical page:
page:0000000060acabc6 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x46797
flags: 0x1ffc28000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0xa)
page_type: 0xffffffff()
raw: 01ffc28000000000 fffffc0000168bc8 fffffc0000199e08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff000006797d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff000006797e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff000006797f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffff000006798000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff000006798100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
WARNING: multiple messages have this Message-ID (diff)
From: syzbot <syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com>
To: catalin.marinas@arm.com, davem@davemloft.net,
herbert@gondor.apana.org.au,
linux-arm-kernel@lists.infradead.org,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, will@kernel.org
Subject: [syzbot] [arm?] [crypto?] KASAN: invalid-access Read in neon_aes_ctr_encrypt
Date: Fri, 16 Feb 2024 17:35:26 -0800 [thread overview]
Message-ID: <000000000000ff2c3f061189df71@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: c664e16bb1ba Merge tag 'docs-6.8-fixes2' of git://git.lwn...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e83cc8180000
kernel config: https://syzkaller.appspot.com/x/.config?x=b4dde08ba7d52a4b
dashboard link: https://syzkaller.appspot.com/bug?extid=f1ceaa1a09ab891e1934
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13fff792180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15cbe4dc180000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-c664e16b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/864da5a66121/vmlinux-c664e16b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/044de3e4ddc5/Image-c664e16b.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: invalid-access in neon_aes_ctr_encrypt+0x15c/0x1ec arch/arm64/crypto/aes-modes.S:599
Read at addr fcff000006797ff1 by task syz-executor675/3149
Pointer tag: [fc], memory tag: [fe]
CPU: 1 PID: 3149 Comm: syz-executor675 Not tainted 6.8.0-rc4-syzkaller-00005-gc664e16bb1ba #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:291
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:298
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x108/0x618 mm/kasan/report.c:488
kasan_report+0x88/0xac mm/kasan/report.c:601
report_tag_fault arch/arm64/mm/fault.c:334 [inline]
do_tag_recovery arch/arm64/mm/fault.c:346 [inline]
__do_kernel_fault+0x17c/0x1e8 arch/arm64/mm/fault.c:393
do_bad_area arch/arm64/mm/fault.c:493 [inline]
do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:772
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:848
el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:398
el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:458
el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:593
neon_aes_ctr_encrypt+0x15c/0x1ec arch/arm64/crypto/aes-modes.S:599
ctr_encrypt+0xfc/0x144 arch/arm64/crypto/aes-neonbs-glue.c:230
crypto_skcipher_decrypt+0x4c/0x60 crypto/skcipher.c:695
_skcipher_recvmsg crypto/algif_skcipher.c:199 [inline]
skcipher_recvmsg+0x39c/0x46c crypto/algif_skcipher.c:221
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg net/socket.c:1068 [inline]
sock_recvmsg net/socket.c:1064 [inline]
sock_read_iter+0xec/0x118 net/socket.c:1138
call_read_iter include/linux/fs.h:2079 [inline]
new_sync_read fs/read_write.c:395 [inline]
vfs_read+0x2cc/0x304 fs/read_write.c:476
ksys_read+0xe8/0x104 fs/read_write.c:619
__do_sys_read fs/read_write.c:629 [inline]
__se_sys_read fs/read_write.c:627 [inline]
__arm64_sys_read+0x1c/0x28 fs/read_write.c:627
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
el0_svc+0x34/0xd8 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
The buggy address belongs to the physical page:
page:0000000060acabc6 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x46797
flags: 0x1ffc28000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0xa)
page_type: 0xffffffff()
raw: 01ffc28000000000 fffffc0000168bc8 fffffc0000199e08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff000006797d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
ffff000006797e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff000006797f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffff000006798000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff000006798100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next reply other threads:[~2024-02-17 1:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-17 1:35 syzbot [this message]
2024-02-17 1:35 ` [syzbot] [arm?] [crypto?] KASAN: invalid-access Read in neon_aes_ctr_encrypt syzbot
2024-02-17 14:34 ` Ard Biesheuvel
2024-02-17 14:34 ` Ard Biesheuvel
2024-02-17 15:01 ` syzbot
2024-02-17 15:01 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000ff2c3f061189df71@google.com \
--to=syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com \
--cc=catalin.marinas@arm.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.