From: Eric Biggers <ebiggers@kernel.org>
To: syzbot <syzbot+6a6bca8169ffda8ce77b@syzkaller.appspotmail.com>
Cc: bp@alien8.de, davem@davemloft.net, elver@google.com,
herbert@gondor.apana.org.au, hpa@zytor.com,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
mingo@redhat.com, syzkaller-bugs@googlegroups.com,
tglx@linutronix.de, x86@kernel.org
Subject: Re: KCSAN: data-race in glue_cbc_decrypt_req_128bit / glue_cbc_decrypt_req_128bit
Date: Tue, 31 Mar 2020 13:27:06 -0700 [thread overview]
Message-ID: <20200331202706.GA127606@gmail.com> (raw)
In-Reply-To: <0000000000009d5cef05a22baa95@google.com>
On Tue, Mar 31, 2020 at 12:35:13PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: b12d66a6 mm, kcsan: Instrument SLAB free with ASSERT_EXCLU..
> git tree: https://github.com/google/ktsan.git kcsan
> console output: https://syzkaller.appspot.com/x/log.txt?x=111f0865e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=10bc0131c4924ba9
> dashboard link: https://syzkaller.appspot.com/bug?extid=6a6bca8169ffda8ce77b
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6a6bca8169ffda8ce77b@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KCSAN: data-race in glue_cbc_decrypt_req_128bit / glue_cbc_decrypt_req_128bit
>
> write to 0xffff88809966e128 of 8 bytes by task 24119 on cpu 0:
> u128_xor include/crypto/b128ops.h:67 [inline]
> glue_cbc_decrypt_req_128bit+0x396/0x460 arch/x86/crypto/glue_helper.c:144
> cbc_decrypt+0x26/0x40 arch/x86/crypto/serpent_avx2_glue.c:152
> crypto_skcipher_decrypt+0x65/0x90 crypto/skcipher.c:652
> _skcipher_recvmsg crypto/algif_skcipher.c:142 [inline]
> skcipher_recvmsg+0x7fa/0x8c0 crypto/algif_skcipher.c:161
> skcipher_recvmsg_nokey+0x5e/0x80 crypto/algif_skcipher.c:279
> sock_recvmsg_nosec net/socket.c:886 [inline]
> sock_recvmsg net/socket.c:904 [inline]
> sock_recvmsg+0x92/0xb0 net/socket.c:900
> ____sys_recvmsg+0x167/0x3a0 net/socket.c:2566
> ___sys_recvmsg+0xb2/0x100 net/socket.c:2608
> __sys_recvmsg+0x9d/0x160 net/socket.c:2642
> __do_sys_recvmsg net/socket.c:2652 [inline]
> __se_sys_recvmsg net/socket.c:2649 [inline]
> __x64_sys_recvmsg+0x51/0x70 net/socket.c:2649
> do_syscall_64+0xcc/0x3a0 arch/x86/entry/common.c:294
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> read to 0xffff88809966e128 of 8 bytes by task 24118 on cpu 1:
> u128_xor include/crypto/b128ops.h:67 [inline]
> glue_cbc_decrypt_req_128bit+0x37c/0x460 arch/x86/crypto/glue_helper.c:144
> cbc_decrypt+0x26/0x40 arch/x86/crypto/serpent_avx2_glue.c:152
> crypto_skcipher_decrypt+0x65/0x90 crypto/skcipher.c:652
> _skcipher_recvmsg crypto/algif_skcipher.c:142 [inline]
> skcipher_recvmsg+0x7fa/0x8c0 crypto/algif_skcipher.c:161
> skcipher_recvmsg_nokey+0x5e/0x80 crypto/algif_skcipher.c:279
> sock_recvmsg_nosec net/socket.c:886 [inline]
> sock_recvmsg net/socket.c:904 [inline]
> sock_recvmsg+0x92/0xb0 net/socket.c:900
> ____sys_recvmsg+0x167/0x3a0 net/socket.c:2566
> ___sys_recvmsg+0xb2/0x100 net/socket.c:2608
> __sys_recvmsg+0x9d/0x160 net/socket.c:2642
> __do_sys_recvmsg net/socket.c:2652 [inline]
> __se_sys_recvmsg net/socket.c:2649 [inline]
> __x64_sys_recvmsg+0x51/0x70 net/socket.c:2649
> do_syscall_64+0xcc/0x3a0 arch/x86/entry/common.c:294
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 1 PID: 24118 Comm: syz-executor.1 Not tainted 5.6.0-rc1-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> ==================================================================
>
I think this is a problem for almost all the crypto code. Due to AF_ALG, both
the source and destination buffers can be userspace pages that were gotten with
get_user_pages(). Such pages can be concurrently modified, not just by the
kernel but also by userspace.
I'm not sure what can be done about this.
- Eric
next prev parent reply other threads:[~2020-03-31 20:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-31 19:35 KCSAN: data-race in glue_cbc_decrypt_req_128bit / glue_cbc_decrypt_req_128bit syzbot
2020-03-31 20:27 ` Eric Biggers [this message]
2020-04-01 7:04 ` Dmitry Vyukov
2020-04-01 10:24 ` Marco Elver
2020-04-01 16:20 ` Eric Biggers
2020-04-01 22:53 ` Herbert Xu
2020-04-14 17:49 ` Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200331202706.GA127606@gmail.com \
--to=ebiggers@kernel.org \
--cc=bp@alien8.de \
--cc=davem@davemloft.net \
--cc=elver@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=hpa@zytor.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=syzbot+6a6bca8169ffda8ce77b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.