From: syzbot <syzbot+e37eedd918576774ec80@syzkaller.appspotmail.com>
To: davem@davemloft.net, herbert@gondor.apana.org.au,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: [syzbot] [crypto?] KASAN: wild-memory-access Read in __sha512_update
Date: Mon, 08 Sep 2025 03:31:27 -0700 [thread overview]
Message-ID: <68beb07f.050a0220.192772.086a.GAE@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 4ac65880ebca Add linux-next specific files for 20250904
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11136312580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1220fefb3f11f346
dashboard link: https://syzkaller.appspot.com/bug?extid=e37eedd918576774ec80
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15136312580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e23e62580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/17aafe2d8f53/disk-4ac65880.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/09caead80fb0/vmlinux-4ac65880.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b33c041f8dc2/bzImage-4ac65880.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e37eedd918576774ec80@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: wild-memory-access in __sha512_update+0x10d/0x1d0 lib/crypto/sha512.c:175
Read of size 2 at addr 0005088000000000 by task syz.0.17/6022
CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
kasan_report+0x118/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
__sha512_update+0x10d/0x1d0 lib/crypto/sha512.c:175
sha512_update include/crypto/sha2.h:734 [inline]
crypto_sha512_update+0x27/0x40 crypto/sha512.c:151
crypto_shash_update include/crypto/hash.h:1006 [inline]
shash_ahash_update+0x213/0x2f0 crypto/ahash.c:178
hash_sendmsg+0x96b/0x11d0 crypto/algif_hash.c:149
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:729
____sys_sendmsg+0x52d/0x830 net/socket.c:2614
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
__sys_sendmmsg+0x227/0x430 net/socket.c:2757
__do_sys_sendmmsg net/socket.c:2784 [inline]
__se_sys_sendmmsg net/socket.c:2781 [inline]
__x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2781
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9e1df8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd2b583528 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f9e1e1c5fa0 RCX: 00007f9e1df8ebe9
RDX: 0000000000000001 RSI: 0000200000000640 RDI: 0000000000000004
RBP: 00007f9e1e011e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9e1e1c5fa0 R14: 00007f9e1e1c5fa0 R15: 0000000000000004
</TASK>
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2025-09-08 10:31 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-08 10:31 syzbot [this message]
2025-09-08 12:02 ` [syzbot] [crypto?] KASAN: wild-memory-access Read in __sha512_update Edward Adam Davis
2025-09-08 12:55 ` syzbot
2025-09-08 18:46 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=68beb07f.050a0220.192772.086a.GAE@google.com \
--to=syzbot+e37eedd918576774ec80@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.