Re: WARNING in kmem_cache_free

Re: WARNING in kmem_cache_free

[Dmitry Vyukov]

On Sun, Apr 8, 2018 at 12:26 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Sun, Apr 8, 2018 at 8:01 AM, Matthew Wilcox <willy@infradead.org> wrote:
>> On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote:
>>> On Fri, Apr 6, 2018 at 3:24 PM, syzbot
>>> <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote:
>>> > Unfortunately, I don't have any reproducer for this crash yet.
>>>
>>> Interesting type of bug, I think we see this for the first time.
>>
>> Can you focus syzbot to try to find a reproducer?  This seems to be
>> produced by calling mount() with a pathname that's somewhere between,
>> say, 3950 & 4100 bytes long from a compat 32-bit task.
>
>
> Something in the log definitely triggers a very bad heap corruption.
>
> This can be reproduced following instructions at:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>
> and then running:
> ./syz-execprog -sandbox=namespace -arch=386 -repeat=0 -procs=10 log.txt
>
> where log.txt comes from "Raw console output" link.
>
> Note that you need to build syzkaller with 'make TARGETARCH=386' and
> the use bin/linux_386/syz-executor.
>
> While running it I got:
> BUG: KASAN: double-free or invalid-free in free_request_size+0x5b/0x70
> block/blk-core.c:769
> https://gist.githubusercontent.com/dvyukov/05f4e77a34795d329aa7a2f40265e396/raw/63a29123b79f1fbad3521d0ff034946be68bfd4a/gistfile1.txt
>
> Then kernel BUG at mm/slab.c:4407!
> https://gist.githubusercontent.com/dvyukov/5b3bcc90d326e9da3636aea2c95ace8f/raw/1589504c708994936681d61ba9d70029998b9b1a/gistfile1.txt
>
> And then BUG: unable to handle kernel paging request at ffffebe000000020
> https://gist.githubusercontent.com/dvyukov/72025b1c68e488f4fda243e0c152f044/raw/d2c171bc55ad3a43cea33095fa2eea48768b1131/gistfile1.txt
>
> One interesting thing is that if I run the log once and it does not
> crash, then when I try to start binary again I am getting:
> [  456.837870] Invalid argument reading file caps for /root/syz-executor
> The binary somehow becomes broken on disk...
>
> I guess syzbot did find a reproducer in this log, but did not
> attribute it to this bug as it causes crashes all over the place.



Running syz-repro utility on this log, I think I've found the guilty guy:
https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt

It crashes as:
BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0
and:
BUG: unable to handle kernel paging request at ffffebe000000020
and with other indications of badly corrupted heap.

This points to crypto/drbg.c, so +crypto maintainers.

Re: WARNING in kmem_cache_free

[Stephan Müller]

Am Sonntag, 8. April 2018, 13:18:06 CEST schrieb Dmitry Vyukov:

Hi Dmitry,

> 
> Running syz-repro utility on this log, I think I've found the guilty guy:
> https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/
> raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt
> 

I am unable to reproduce it with the code. I am using the current 
cryptodev-2.6 tree with kazan enabled. Could you please give me your kernel 
config or a pointer of the used tree?

> It crashes as:
> BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0
> and:
> BUG: unable to handle kernel paging request at ffffebe000000020
> and with other indications of badly corrupted heap.
> 
> This points to crypto/drbg.c, so +crypto maintainers.


Ciao
Stephan

Re: WARNING in kmem_cache_free

[Dmitry Vyukov]

On Sun, Apr 8, 2018 at 5:31 PM, Stephan Müller <smueller@chronox.de> wrote:
> Am Sonntag, 8. April 2018, 13:18:06 CEST schrieb Dmitry Vyukov:
>
> Hi Dmitry,
>
>>
>> Running syz-repro utility on this log, I think I've found the guilty guy:
>> https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/
>> raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt
>>
>
> I am unable to reproduce it with the code. I am using the current
> cryptodev-2.6 tree with kazan enabled. Could you please give me your kernel
> config or a pointer of the used tree?

Hi,

Here is config and kernel commit:
https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/ntZPOZdcCAAJ
You can also find compiler and image here if necessary:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md

And note that the program needs to be compiled with -m32. The bugs is
probably not-compat specific, but the program injects fault into a
particular malloc invocation and maybe malloc numbering is affected by
compat path.


>> It crashes as:
>> BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0
>> and:
>> BUG: unable to handle kernel paging request at ffffebe000000020
>> and with other indications of badly corrupted heap.
>>
>> This points to crypto/drbg.c, so +crypto maintainers.
>
>
> Ciao
> Stephan
>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/4564679.HlOejCIXXz%40positron.chronox.de.
> For more options, visit https://groups.google.com/d/optout.

[PATCH] crypto: DRBG - guard uninstantion by lock

[Stephan Müller]

Am Sonntag, 8. April 2018, 17:41:17 CEST schrieb Dmitry Vyukov:

Hi Dmitry,
> 
> Hi,
> 
> Here is config and kernel commit:
> https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/ntZPOZdcCAAJ
> You can also find compiler and image here if necessary:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md
> 
> And note that the program needs to be compiled with -m32. The bugs is
> probably not-compat specific, but the program injects fault into a
> particular malloc invocation and maybe malloc numbering is affected by
> compat path.

I am unable to reproduce the issue. But since you mention that you induce errors, I could see that the unlocking of the DRBG context is too soon.

Can you please check whether the attached patch fixes the issue?

Thanks

---8<---

In the error code path, the uninstantiation must be guarded by a lock to
ensure that the modification of the context is fully atomic.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzkaller
---
 crypto/drbg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..68c1949a253f 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
 	return ret;
 
 free_everything:
-	mutex_unlock(&drbg->drbg_mutex);
 	drbg_uninstantiate(drbg);
+	mutex_unlock(&drbg->drbg_mutex);
 	return ret;
 }
 
-- 
2.14.3

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Theodore Y. Ts'o]

On Sun, Apr 08, 2018 at 09:07:03PM +0200, Stephan Müller wrote:
> Can you please check whether the attached patch fixes the issue?
> 

Stephan,

FYI, if you incude in your e-mail "#syz test <GIT URL> <BRANCH>" as
the first line of your patch and the syzbot e-mail is cc'ed, the
syzbot will automatically apply the patch in the e-mail against the
git tree/branch specified in the "#syz test" line, and then try to see
if the problem it discovered still reproduces --- and then send you
e-mail one way or another.

So the syzbot will run while the patch goes through the normal e-mail
review process, which is kind of neat.  :-)

Cheers,

					- Ted

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Stephan Mueller]

Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o:

Hi Theodore,
> 
> So the syzbot will run while the patch goes through the normal e-mail
> review process, which is kind of neat.  :-)

Thank you very much for the hint. That is a neat feature indeed.

As I came late to the party and I missed the original mails, I am wondering 
about which GIT repo was used and which branch of it. With that, I would be 
happy to resubmit with the test line.

Ciao
Stephan

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Dmitry Vyukov]

On Mon, Apr 9, 2018 at 7:40 AM, Stephan Mueller <smueller@chronox.de> wrote:
> Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o:
>
> Hi Theodore,
>>
>> So the syzbot will run while the patch goes through the normal e-mail
>> review process, which is kind of neat.  :-)
>
> Thank you very much for the hint. That is a neat feature indeed.
>
> As I came late to the party and I missed the original mails, I am wondering
> about which GIT repo was used and which branch of it. With that, I would be
> happy to resubmit with the test line.

All syzbot reported bugs are available here:
https://groups.google.com/forum/#!searchin/syzkaller-bugs/"WARNING$20in$20kmem_cache_free"
and here:
https://syzkaller.appspot.com/

But unfortunately testing won't work in this case, because I manually
extracted a reproducer and syzbot does not know about it. This bug
seems to lead to assorted silent heap corruptions and different
manifestations each time, so it's difficult for syzbot to attribute a
reproducer to the bug. When we debug it, it would be nice to
understand why the heap corruption is silent and is not detected by
KASAN and anything else, to prevent such unpleasant cases in future.

I've tested it manually, but unfortunately kernel still crashed within a minute:

$ git status
HEAD detached at f2d285669aae
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

modified:   crypto/drbg.c

$ git diff
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..68c1949a253f 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state
*drbg, struct drbg_string *pers,
        return ret;

 free_everything:
-       mutex_unlock(&drbg->drbg_mutex);
        drbg_uninstantiate(drbg);
+       mutex_unlock(&drbg->drbg_mutex);
        return ret;
 }

# ./a.out
...
[  183.647874] FAULT_INJECTION: forcing a failure.
[  183.647874] name failslab, interval 1, probability 0, space 0, times 0
[  183.648287] Call Trace:
[  183.648297]  dump_stack+0x1b9/0x29f
[  183.648306]  ? arch_local_irq_restore+0x52/0x52
[  183.648318]  ? __save_stack_trace+0x7e/0xd0
[  183.651848]  should_fail.cold.4+0xa/0x1a
[  183.652411]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[  183.653138]  ? kasan_kmalloc+0xc4/0xe0
[  183.653694]  ? __kmalloc+0x14e/0x760
[  183.654206]  ? drbg_kcapi_seed+0x776/0x12e0
[  183.654798]  ? crypto_rng_reset+0x7c/0x130
[  183.655379]  ? rng_setkey+0x25/0x30
[  183.655882]  ? alg_setsockopt+0x306/0x3b0
[  183.656450]  ? graph_lock+0x170/0x170
[  183.656975]  ? entry_SYSENTER_compat+0x70/0x7f
[  183.657606]  ? find_held_lock+0x36/0x1c0
[  183.658164]  ? __lock_is_held+0xb5/0x140
[  183.658728]  ? check_same_owner+0x320/0x320
[  183.659321]  ? rcu_note_context_switch+0x710/0x710
[  183.660000]  should_failslab+0x124/0x180
[  183.660561]  __kmalloc+0x2c8/0x760
[  183.661046]  ? graph_lock+0x170/0x170
[  183.661569]  ? drbg_kcapi_seed+0x882/0x12e0
[  183.662161]  drbg_kcapi_seed+0x882/0x12e0
[  183.662731]  ? drbg_seed+0x10a0/0x10a0
[  183.663267]  ? lock_downgrade+0x8e0/0x8e0
[  183.663833]  ? lock_acquire+0x1dc/0x520
[  183.664385]  ? lock_release+0xa10/0xa10
[  183.664934]  ? check_same_owner+0x320/0x320
[  183.665530]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  183.666292]  ? __check_object_size+0x95/0x5d9
[  183.666904]  ? sock_kmalloc+0x14e/0x1d0
[  183.667444]  ? mark_held_locks+0xc9/0x160
[  183.668020]  ? __might_sleep+0x95/0x190
[  183.668567]  crypto_rng_reset+0x7c/0x130
[  183.669124]  rng_setkey+0x25/0x30
[  183.669598]  ? rng_sock_destruct+0x90/0x90
[  183.670176]  alg_setsockopt+0x306/0x3b0
[  183.670724]  __compat_sys_setsockopt+0x315/0x7c0
[  183.671375]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[  183.672057]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.672813]  ? ksys_write+0x1a6/0x250
[  183.673333]  ? SyS_read+0x30/0x30
[  183.673811]  compat_SyS_setsockopt+0x34/0x50
[  183.674416]  ? scm_detach_fds_compat+0x440/0x440
[  183.675079]  do_fast_syscall_32+0x41f/0x10dc
[  183.675725]  ? do_page_fault+0xee/0x8a7
[  183.676284]  ? do_int80_syscall_32+0xa70/0xa70
[  183.676925]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.677590]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.678348]  ? syscall_return_slowpath+0x30f/0x5c0
[  183.679026]  ? sysret32_from_system_call+0x5/0x3c
[  183.679694]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.680380]  entry_SYSENTER_compat+0x70/0x7f
[  183.681000] RIP: 0023:0xf7f0ecb9
[  183.681488] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX:
000000000000016e
[  183.682606] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[  183.683620] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[  183.684602] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[  183.685622] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.686642] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  183.687712] CPU: 0 PID: 5506 Comm: a.out Not tainted 4.16.0+ #4
[  183.688602] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[  183.689764] BUG: unable to handle kernel
[  183.689776] Call Trace:
[  183.689782] NULL pointer dereference
[  183.690367]  dump_stack+0x1b9/0x29f
[  183.690709]  at 0000000000000106
[  183.691237]  ? arch_local_irq_restore+0x52/0x52
[  183.691721] PGD 64a50067
[  183.692164]  should_fail.cold.4+0xa/0x1a
[  183.692747] P4D 64a50067
[  183.693110]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[  183.693620] PUD 61a17067
[  183.693981]  ? graph_lock+0x170/0x170
[  183.694622] PMD 0
[  183.694980]  ? find_held_lock+0x36/0x1c0
[  183.695766]  ? __lock_is_held+0xb5/0x140
[  183.696285] Oops: 0000 [#1] SMP KASAN
[  183.696852]  ? check_same_owner+0x320/0x320
[  183.697337] Modules linked in:
[  183.697962]  ? rcu_note_context_switch+0x710/0x710
[  183.697973] CPU: 2 PID: 4054 Comm: a.out Not tainted 4.16.0+ #4
[  183.698436]  ? drbg_init_hash_kernel+0x300/0x300
[  183.699060] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[  183.699942]  should_failslab+0x124/0x180
[  183.700559] RIP: 0010:qlist_free_all+0x37/0x160
[  183.701763]  __kmalloc+0x2c8/0x760
[  183.702292] RSP: 0018:ffff880062de7050 EFLAGS: 00010246
[  183.702976]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.703437] RAX: ffff88000040008c RBX: 0000000000000282 RCX: 0000000000000000
[  183.704205]  ? drbg_kcapi_seed+0x776/0x12e0
[  183.704804] RDX: ffffea0000010000 RSI: ffff88007ffdc39f RDI: 0000000000000282
[  183.704812] RBP: ffff880062de7088 R08: ffff88006bb1ce78 R09: 0000000000000006
[  183.705824]  drbg_kcapi_seed+0x776/0x12e0
[  183.706369] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.706377] R13: 000000000000000a R14: ffff88000040008c R15: ffffffff88b172a0
[  183.707382]  ? drbg_seed+0x10a0/0x10a0
[  183.708311] FS:  0000000000000000(0000) GS:ffff88006c900000(0063)
knlGS:0000000009fbd840
[  183.708839]  ? lock_downgrade+0x8e0/0x8e0
[  183.709760] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  183.710760]  ? lock_acquire+0x1dc/0x520
[  183.711252] CR2: 0000000000000106 CR3: 00000000651d8002 CR4: 00000000001606e0
[  183.711257] Call Trace:
[  183.712390]  ? lock_release+0xa10/0xa10
[  183.712922]  quarantine_reduce+0x141/0x170
[  183.713733]  ? check_same_owner+0x320/0x320
[  183.714246]  kasan_kmalloc+0x99/0xe0
[  183.715244]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  183.715586]  kasan_slab_alloc+0x12/0x20
[  183.716143]  ? __check_object_size+0x95/0x5d9
[  183.716683]  kmem_cache_alloc_node+0x131/0x780
[  183.717282]  ? sock_kmalloc+0x14e/0x1d0
[  183.717760]  ? do_raw_spin_unlock+0x1f9/0x2e0
[  183.718520]  ? mark_held_locks+0xc9/0x160
[  183.719029]  ? do_raw_spin_trylock+0x1b0/0x1b0
[  183.719654]  ? __might_sleep+0x95/0x190
[  183.720280]  copy_process.part.39+0x16c4/0x6ee0
[  183.720828]  crypto_rng_reset+0x7c/0x130
[  183.721434]  ? trace_hardirqs_on+0xd/0x10
[  183.722007]  rng_setkey+0x25/0x30
[  183.722596]  ? debug_object_active_state+0x2e7/0x4e0
[  183.723145]  ? rng_sock_destruct+0x90/0x90
[  183.723745]  ? kasan_check_read+0x11/0x20
[  183.724308]  alg_setsockopt+0x306/0x3b0
[  183.724845]  ? rcu_is_watching+0x85/0x140
[  183.725324]  __compat_sys_setsockopt+0x315/0x7c0
[  183.725972]  ? rcu_bh_force_quiescent_state+0x20/0x20
[  183.726560]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[  183.727091]  ? __call_rcu.constprop.68+0x396/0xbb0
[  183.727643]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.728173]  ? __cleanup_sighand+0x70/0x70
[  183.728827]  ? ksys_write+0x1a6/0x250
[  183.729485]  ? note_gp_changes+0x540/0x540
[  183.730161]  ? SyS_read+0x30/0x30
[  183.730797]  ? lock_downgrade+0x8e0/0x8e0
[  183.731558]  compat_SyS_setsockopt+0x34/0x50
[  183.732109]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  183.732636]  ? scm_detach_fds_compat+0x440/0x440
[  183.733180]  ? tty_kref_put.part.14+0x81/0x250
[  183.733657]  do_fast_syscall_32+0x41f/0x10dc
[  183.734190]  ? __cleanup_sighand+0x58/0x70
[  183.734798]  ? do_page_fault+0xee/0x8a7
[  183.735505]  ? do_raw_write_trylock+0x1b0/0x1b0
[  183.736162]  ? do_int80_syscall_32+0xa70/0xa70
[  183.736745]  ? print_usage_bug+0xc0/0xc0
[  183.737367]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.737907]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  183.738459]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.739057]  ? call_rcu_sched+0x12/0x20
[  183.739700]  ? syscall_return_slowpath+0x30f/0x5c0
[  183.740220]  ? release_task.part.15+0xf70/0x1b90
[  183.740882]  ? sysret32_from_system_call+0x5/0x3c
[  183.741522]  ? __lock_acquire+0x7f5/0x5130
[  183.742290]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.742798]  ? rcu_is_watching+0x85/0x140
[  183.743480]  entry_SYSENTER_compat+0x70/0x7f
[  183.744099]  ? find_held_lock+0x36/0x1c0
[  183.744769] RIP: 0023:0xf7f0ecb9
[  183.745327]  ? debug_check_no_locks_freed+0x310/0x310
[  183.745990] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296
[  183.746525]  ? lock_downgrade+0x8e0/0x8e0
[  183.747126]  ORIG_RAX: 000000000000016e
[  183.747653]  ? find_held_lock+0x36/0x1c0
[  183.748117] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[  183.748800]  ? print_usage_bug+0xc0/0xc0
[  183.749530] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[  183.749538] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[  183.750087]  ? lock_downgrade+0x8e0/0x8e0
[  183.750632] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.751152]  ? lock_downgrade+0x8e0/0x8e0
[  183.752156] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  183.752170] CPU: 3 PID: 5504 Comm: a.out Not tainted 4.16.0+ #4
[  183.752693]  ? __lock_acquire+0x7f5/0x5130
[  183.753653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[  183.754595]  ? graph_lock+0x170/0x170
[  183.755167] Call Trace:
[  183.756102]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  183.756639]  dump_stack+0x1b9/0x29f
[  183.757562]  ? debug_check_no_locks_freed+0x310/0x310
[  183.758333]  ? arch_local_irq_restore+0x52/0x52
[  183.758872]  ? find_held_lock+0x36/0x1c0
[  183.759218] FAULT_INJECTION: forcing a failure.
[  183.759218] name failslab, interval 1, probability 0, space 0, times 0
[  183.759966]  ? __save_stack_trace+0x7e/0xd0
[  183.760453]  ? lock_downgrade+0x8e0/0x8e0
[  183.760788]  should_fail.cold.4+0xa/0x1a
[  183.761427]  ? do_raw_spin_unlock+0x1f9/0x2e0
[  183.761933]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[  183.762593]  ? do_raw_spin_trylock+0x1b0/0x1b0
[  183.763216]  ? kasan_kmalloc+0xc4/0xe0
[  183.763742]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[  183.765288]  ? __kmalloc+0x14e/0x760
[  183.765844]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  183.766423]  ? drbg_kcapi_seed+0x776/0x12e0
[  183.766945]  ? trace_hardirqs_on+0xd/0x10
[  183.767556]  ? crypto_rng_reset+0x7c/0x130
[  183.768227]  ? graph_lock+0x170/0x170
[  183.768845]  ? rng_setkey+0x25/0x30
[  183.769368]  ? add_wait_queue+0x2a0/0x2a0
[  183.770026]  ? alg_setsockopt+0x306/0x3b0
[  183.770501]  ? kasan_check_write+0x14/0x20
[  183.771198]  ? graph_lock+0x170/0x170
[  183.771758]  ? do_raw_read_lock+0x3f/0x80
[  183.772336]  ? entry_SYSENTER_compat+0x70/0x7f
[  183.772887]  _do_fork+0x291/0x12a0
[  183.773416]  ? find_held_lock+0x36/0x1c0
[  183.773881]  ? fork_idle+0x1a0/0x1a0
[  183.774458]  ? __lock_is_held+0xb5/0x140
[  183.774989]  ? lock_release+0xa10/0xa10
[  183.775581]  ? check_same_owner+0x320/0x320
[  183.776070]  ? check_same_owner+0x320/0x320
[  183.776650]  ? rcu_note_context_switch+0x710/0x710
[  183.777234]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  183.777725]  should_failslab+0x124/0x180
[  183.778246]  ? put_pid.part.2+0x1bc/0x230
[  183.778792]  __kmalloc+0x2c8/0x760
[  183.779311]  ? __might_sleep+0x95/0x190
[  183.779871]  ? graph_lock+0x170/0x170
[  183.780426]  ? __might_fault+0x1a3/0x1e0
[  183.781007]  ? drbg_kcapi_seed+0x882/0x12e0
[  183.781643]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.782423]  drbg_kcapi_seed+0x882/0x12e0
[  183.782942]  ? kernel_wait4+0x2d8/0x3d0
[  183.783520]  ? drbg_seed+0x10a0/0x10a0
[  183.783980]  ? SyS_waitid+0x40/0x40
[  183.784539]  ? lock_downgrade+0x8e0/0x8e0
[  183.785026]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.785596]  ? lock_acquire+0x1dc/0x520
[  183.786146]  ? task_stopped_code+0x190/0x190
[  183.786922]  ? lock_release+0xa10/0xa10
[  183.787451]  compat_SyS_x86_clone+0x37/0x50
[  183.788020]  ? check_same_owner+0x320/0x320
[  183.788517]  ? compat_SyS_x86_fallocate+0x60/0x60
[  183.789028]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  183.789556]  do_fast_syscall_32+0x41f/0x10dc
[  183.790334]  ? __check_object_size+0x95/0x5d9
[  183.790841]  ? do_page_fault+0xee/0x8a7
[  183.791460]  ? sock_kmalloc+0x14e/0x1d0
[  183.791971]  ? do_int80_syscall_32+0xa70/0xa70
[  183.792583]  ? mark_held_locks+0xc9/0x160
[  183.793137]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.793820]  ? __might_sleep+0x95/0x190
[  183.794528]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.795147]  crypto_rng_reset+0x7c/0x130
[  183.795737]  ? syscall_return_slowpath+0x30f/0x5c0
[  183.796291]  rng_setkey+0x25/0x30
[  183.796803]  ? sysret32_from_system_call+0x5/0x3c
[  183.797442]  ? rng_sock_destruct+0x90/0x90
[  183.797997]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.798658]  alg_setsockopt+0x306/0x3b0
[  183.799166]  entry_SYSENTER_compat+0x70/0x7f
[  183.799971]  __compat_sys_setsockopt+0x315/0x7c0
[  183.800486] RIP: 0023:0xf7f0ecb9
[  183.801190]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[  183.801631] RSP: 002b:00000000ffeb1ec0 EFLAGS: 00000246
[  183.802312]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.802850]  ORIG_RAX: 0000000000000078
[  183.803534]  ? ksys_write+0x1a6/0x250
[  183.804067] RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000
[  183.804693]  ? SyS_read+0x30/0x30
[  183.805295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000009fbd8a8
[  183.805768]  compat_SyS_setsockopt+0x34/0x50
[  183.806404] RBP: 00000000ffeb1ef8 R08: 0000000000000000 R09: 0000000000000000
[  183.807154]  ? scm_detach_fds_compat+0x440/0x440
[  183.807861] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.808421]  do_fast_syscall_32+0x41f/0x10dc
[  183.808900] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  183.808905] Code:
[  183.809928]  ? do_page_fault+0xee/0x8a7
[  183.810365] 55
[  183.811385]  ? do_int80_syscall_32+0xa70/0xa70
[  183.811949] 48
[  183.812992]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.813590] 89
[  183.814630]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.815191] e5
[  183.816214]  ? syscall_return_slowpath+0x30f/0x5c0
[  183.816487] 41
[  183.817066]  ? sysret32_from_system_call+0x5/0x3c
[  183.817313] 57
[  183.817958]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.818200] 49
[  183.818869]  entry_SYSENTER_compat+0x70/0x7f
[  183.819109] c7
[  183.819894] RIP: 0023:0xf7f0ecb9
[  183.820135] c7
[  183.820821] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296
[  183.821065] a0
[  183.821738]  ORIG_RAX: 000000000000016e
[  183.821984] 72
[  183.822657] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[  183.822900] b1
[  183.823513] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[  183.823760] 88
[  183.824230] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[  183.824238] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.824492] 41
[  183.825238] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  183.825250] CPU: 0 PID: 5512 Comm: a.out Not tainted 4.16.0+ #4
[  183.825490] 56
[  183.826073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[  183.826204] FAULT_INJECTION: forcing a failure.
[  183.826204] name failslab, interval 1, probability 0, space 0, times 0
[  183.826315] 41
[  183.827333] Call Trace:
[  183.827583] 55
[  183.828608]  dump_stack+0x1b9/0x29f
[  183.828844] 41
[  183.829864]  ? arch_local_irq_restore+0x52/0x52
[  183.830780] 54
[  183.831054]  ? __save_stack_trace+0x7e/0xd0
[  183.831979] 49
[  183.832860]  should_fail.cold.4+0xa/0x1a
[  183.833097] 89
[  183.834277]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[  183.835690] f4
[  183.835964]  ? kasan_kmalloc+0xc4/0xe0
[  183.836300] 53
[  183.836568]  ? __kmalloc+0x14e/0x760
[  183.836577]  ? drbg_kcapi_seed+0x776/0x12e0
[  183.837061] 48
[  183.837329]  ? crypto_rng_reset+0x7c/0x130
[  183.837338]  ? rng_setkey+0x25/0x30
[  183.837931] 83
[  183.838200]  ? alg_setsockopt+0x306/0x3b0
[  183.838748] ec
[  183.839015]  ? __compat_sys_setsockopt+0x315/0x7c0
[  183.839026]  ? do_fast_syscall_32+0x41f/0x10dc
[  183.839536] 10
[  183.839814]  ? entry_SYSENTER_compat+0x70/0x7f
[  183.840457] 48
[  183.840728]  ? check_same_owner+0x320/0x320
[  183.841224] 89
[  183.841495]  ? kasan_check_write+0x14/0x20
[  183.841969] 7d
[  183.842572]  ? kasan_unpoison_shadow+0x35/0x50
[  183.842811] c8
[  183.843405]  ? lock_acquire+0x1dc/0x520
[  183.843867] 4d
[  183.844142]  ? fs_reclaim_acquire+0x20/0x20
[  183.844665] 89
[  183.844935]  ? lock_downgrade+0x8e0/0x8e0
[  183.845555] e5
[  183.846234]  ? lock_release+0xa10/0xa10
[  183.846474] 4d
[  183.847130]  ? drbg_init_sym_kernel+0x516/0x74a
[  183.847139]  ? check_same_owner+0x320/0x320
[  183.847380] 85
[  183.847991]  ? rcu_note_context_switch+0x710/0x710
[  183.848229] e4
[  183.848824]  should_failslab+0x124/0x180
[  183.849063] 0f
[  183.849707]  __kmalloc+0x2c8/0x760
[  183.849946] 84
[  183.850505]  ? lock_acquire+0x1dc/0x520
[  183.850744] c8
[  183.851350]  ? __fget+0x3e3/0x650
[  183.851593] 00
[  183.852177]  ? drbg_kcapi_seed+0x882/0x12e0
[  183.852416] 00
[  183.852972]  drbg_kcapi_seed+0x882/0x12e0
[  183.853213] 00
[  183.853867]  ? drbg_seed+0x10a0/0x10a0
[  183.854414] <49>
[  183.854688]  ? lock_acquire+0x1dc/0x520
[  183.855313] 63
[  183.855591]  ? __might_fault+0x12b/0x1e0
[  183.856105] 95
[  183.856375]  ? lock_downgrade+0x8e0/0x8e0
[  183.856821] fc
[  183.857090]  ? lock_acquire+0x1dc/0x520
[  183.857590] 00
[  183.857858]  ? lock_release+0xa10/0xa10
[  183.858319] 00
[  183.858589]  ? check_same_owner+0x320/0x320
[  183.859131] 00
[  183.859401]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  183.859928] 4c
[  183.860200]  ? __check_object_size+0x95/0x5d9
[  183.860689] 8b
[  183.860983]  ? sock_kmalloc+0x14e/0x1d0
[  183.861482] 30
[  183.861748]  ? do_raw_spin_unlock+0x1f9/0x2e0
[  183.861758]  ? __might_sleep+0x95/0x190
[  183.862269] 48
[  183.862539]  crypto_rng_reset+0x7c/0x130
[  183.863079] 29
[  183.863348]  rng_setkey+0x25/0x30
[  183.863878] d0
[  183.864150]  ? rng_sock_destruct+0x90/0x90
[  183.864654] 49
[  183.864924]  alg_setsockopt+0x306/0x3b0
[  183.865488] 83
[  183.865758]  __compat_sys_setsockopt+0x315/0x7c0
[  183.866488] 3f
[  183.866758]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[  183.867324] 00
[  183.867598]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.868098] 48
[  183.868369]  ? ksys_write+0x1a6/0x250
[  183.868941] 89
[  183.869500]  ? SyS_read+0x30/0x30
[  183.869740] c6
[  183.870312]  compat_SyS_setsockopt+0x34/0x50
[  183.870551] 0f
[  183.871043]  ? scm_detach_fds_compat+0x440/0x440
[  183.871289] RIP: qlist_free_all+0x37/0x160 RSP: ffff880062de7050
[  183.871893]  do_fast_syscall_32+0x41f/0x10dc
[  183.872134] CR2: 0000000000000106
[  183.872695]  ? do_page_fault+0xee/0x8a7
[  183.872988] ---[ end trace 0fa4e77a7b3c174f ]---
[  183.873604]  ? do_int80_syscall_32+0xa70/0xa70
[  183.873611]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.873622]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.873871] Kernel panic - not syncing: Fatal exception
[  183.874560]  ? syscall_return_slowpath+0x30f/0x5c0
[  183.885552]  ? prepare_exit_to_usermode+0x390/0x390
[  183.886255]  ? prepare_exit_to_usermode+0x285/0x390
[  183.886953]  ? perf_trace_sys_enter+0xaf0/0xaf0
[  183.887609]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.888289]  entry_SYSENTER_compat+0x70/0x7f
[  183.888906] RIP: 0023:0xf7f0ecb9
[  183.889376] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX:
000000000000016e
[  183.890447] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[  183.891452] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[  183.892463] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[  183.893471] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.894481] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  183.895514] Kernel Offset: disabled
[  183.896034] Rebooting in 86400 seconds..

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Dmitry Vyukov]

On Mon, Apr 9, 2018 at 9:57 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Mon, Apr 9, 2018 at 7:40 AM, Stephan Mueller <smueller@chronox.de> wrote:
>> Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o:
>>
>> Hi Theodore,
>>>
>>> So the syzbot will run while the patch goes through the normal e-mail
>>> review process, which is kind of neat.  :-)
>>
>> Thank you very much for the hint. That is a neat feature indeed.
>>
>> As I came late to the party and I missed the original mails, I am wondering
>> about which GIT repo was used and which branch of it. With that, I would be
>> happy to resubmit with the test line.
>
> All syzbot reported bugs are available here:
> https://groups.google.com/forum/#!searchin/syzkaller-bugs/"WARNING$20in$20kmem_cache_free"
> and here:
> https://syzkaller.appspot.com/
>
> But unfortunately testing won't work in this case, because I manually
> extracted a reproducer and syzbot does not know about it. This bug
> seems to lead to assorted silent heap corruptions and different
> manifestations each time, so it's difficult for syzbot to attribute a
> reproducer to the bug. When we debug it, it would be nice to
> understand why the heap corruption is silent and is not detected by
> KASAN and anything else, to prevent such unpleasant cases in future.
>
> I've tested it manually, but unfortunately kernel still crashed within a minute:

Stephan,

Do you have any hypothesis as to why this is not detected by KASAN and
causes silent corruptions?
We generally try to understand such cases and improve KASAN so that it
catches such cases more reliably and they do not cause splashes of
random crashes on syzbot.

Thanks



> $ git status
> HEAD detached at f2d285669aae
> Changes not staged for commit:
>   (use "git add <file>..." to update what will be committed)
>   (use "git checkout -- <file>..." to discard changes in working directory)
>
> modified:   crypto/drbg.c
>
> $ git diff
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index 4faa2781c964..68c1949a253f 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state
> *drbg, struct drbg_string *pers,
>         return ret;
>
>  free_everything:
> -       mutex_unlock(&drbg->drbg_mutex);
>         drbg_uninstantiate(drbg);
> +       mutex_unlock(&drbg->drbg_mutex);
>         return ret;
>  }
>
> # ./a.out
> ...
> [  183.647874] FAULT_INJECTION: forcing a failure.
> [  183.647874] name failslab, interval 1, probability 0, space 0, times 0
> [  183.648287] Call Trace:
> [  183.648297]  dump_stack+0x1b9/0x29f
> [  183.648306]  ? arch_local_irq_restore+0x52/0x52
> [  183.648318]  ? __save_stack_trace+0x7e/0xd0
> [  183.651848]  should_fail.cold.4+0xa/0x1a
> [  183.652411]  ? fault_create_debugfs_attr+0x1f0/0x1f0
> [  183.653138]  ? kasan_kmalloc+0xc4/0xe0
> [  183.653694]  ? __kmalloc+0x14e/0x760
> [  183.654206]  ? drbg_kcapi_seed+0x776/0x12e0
> [  183.654798]  ? crypto_rng_reset+0x7c/0x130
> [  183.655379]  ? rng_setkey+0x25/0x30
> [  183.655882]  ? alg_setsockopt+0x306/0x3b0
> [  183.656450]  ? graph_lock+0x170/0x170
> [  183.656975]  ? entry_SYSENTER_compat+0x70/0x7f
> [  183.657606]  ? find_held_lock+0x36/0x1c0
> [  183.658164]  ? __lock_is_held+0xb5/0x140
> [  183.658728]  ? check_same_owner+0x320/0x320
> [  183.659321]  ? rcu_note_context_switch+0x710/0x710
> [  183.660000]  should_failslab+0x124/0x180
> [  183.660561]  __kmalloc+0x2c8/0x760
> [  183.661046]  ? graph_lock+0x170/0x170
> [  183.661569]  ? drbg_kcapi_seed+0x882/0x12e0
> [  183.662161]  drbg_kcapi_seed+0x882/0x12e0
> [  183.662731]  ? drbg_seed+0x10a0/0x10a0
> [  183.663267]  ? lock_downgrade+0x8e0/0x8e0
> [  183.663833]  ? lock_acquire+0x1dc/0x520
> [  183.664385]  ? lock_release+0xa10/0xa10
> [  183.664934]  ? check_same_owner+0x320/0x320
> [  183.665530]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> [  183.666292]  ? __check_object_size+0x95/0x5d9
> [  183.666904]  ? sock_kmalloc+0x14e/0x1d0
> [  183.667444]  ? mark_held_locks+0xc9/0x160
> [  183.668020]  ? __might_sleep+0x95/0x190
> [  183.668567]  crypto_rng_reset+0x7c/0x130
> [  183.669124]  rng_setkey+0x25/0x30
> [  183.669598]  ? rng_sock_destruct+0x90/0x90
> [  183.670176]  alg_setsockopt+0x306/0x3b0
> [  183.670724]  __compat_sys_setsockopt+0x315/0x7c0
> [  183.671375]  ? __compat_sys_getsockopt+0x7f0/0x7f0
> [  183.672057]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.672813]  ? ksys_write+0x1a6/0x250
> [  183.673333]  ? SyS_read+0x30/0x30
> [  183.673811]  compat_SyS_setsockopt+0x34/0x50
> [  183.674416]  ? scm_detach_fds_compat+0x440/0x440
> [  183.675079]  do_fast_syscall_32+0x41f/0x10dc
> [  183.675725]  ? do_page_fault+0xee/0x8a7
> [  183.676284]  ? do_int80_syscall_32+0xa70/0xa70
> [  183.676925]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.677590]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.678348]  ? syscall_return_slowpath+0x30f/0x5c0
> [  183.679026]  ? sysret32_from_system_call+0x5/0x3c
> [  183.679694]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [  183.680380]  entry_SYSENTER_compat+0x70/0x7f
> [  183.681000] RIP: 0023:0xf7f0ecb9
> [  183.681488] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX:
> 000000000000016e
> [  183.682606] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
> [  183.683620] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
> [  183.684602] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
> [  183.685622] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.686642] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  183.687712] CPU: 0 PID: 5506 Comm: a.out Not tainted 4.16.0+ #4
> [  183.688602] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.10.2-1 04/01/2014
> [  183.689764] BUG: unable to handle kernel
> [  183.689776] Call Trace:
> [  183.689782] NULL pointer dereference
> [  183.690367]  dump_stack+0x1b9/0x29f
> [  183.690709]  at 0000000000000106
> [  183.691237]  ? arch_local_irq_restore+0x52/0x52
> [  183.691721] PGD 64a50067
> [  183.692164]  should_fail.cold.4+0xa/0x1a
> [  183.692747] P4D 64a50067
> [  183.693110]  ? fault_create_debugfs_attr+0x1f0/0x1f0
> [  183.693620] PUD 61a17067
> [  183.693981]  ? graph_lock+0x170/0x170
> [  183.694622] PMD 0
> [  183.694980]  ? find_held_lock+0x36/0x1c0
> [  183.695766]  ? __lock_is_held+0xb5/0x140
> [  183.696285] Oops: 0000 [#1] SMP KASAN
> [  183.696852]  ? check_same_owner+0x320/0x320
> [  183.697337] Modules linked in:
> [  183.697962]  ? rcu_note_context_switch+0x710/0x710
> [  183.697973] CPU: 2 PID: 4054 Comm: a.out Not tainted 4.16.0+ #4
> [  183.698436]  ? drbg_init_hash_kernel+0x300/0x300
> [  183.699060] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.10.2-1 04/01/2014
> [  183.699942]  should_failslab+0x124/0x180
> [  183.700559] RIP: 0010:qlist_free_all+0x37/0x160
> [  183.701763]  __kmalloc+0x2c8/0x760
> [  183.702292] RSP: 0018:ffff880062de7050 EFLAGS: 00010246
> [  183.702976]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.703437] RAX: ffff88000040008c RBX: 0000000000000282 RCX: 0000000000000000
> [  183.704205]  ? drbg_kcapi_seed+0x776/0x12e0
> [  183.704804] RDX: ffffea0000010000 RSI: ffff88007ffdc39f RDI: 0000000000000282
> [  183.704812] RBP: ffff880062de7088 R08: ffff88006bb1ce78 R09: 0000000000000006
> [  183.705824]  drbg_kcapi_seed+0x776/0x12e0
> [  183.706369] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.706377] R13: 000000000000000a R14: ffff88000040008c R15: ffffffff88b172a0
> [  183.707382]  ? drbg_seed+0x10a0/0x10a0
> [  183.708311] FS:  0000000000000000(0000) GS:ffff88006c900000(0063)
> knlGS:0000000009fbd840
> [  183.708839]  ? lock_downgrade+0x8e0/0x8e0
> [  183.709760] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> [  183.710760]  ? lock_acquire+0x1dc/0x520
> [  183.711252] CR2: 0000000000000106 CR3: 00000000651d8002 CR4: 00000000001606e0
> [  183.711257] Call Trace:
> [  183.712390]  ? lock_release+0xa10/0xa10
> [  183.712922]  quarantine_reduce+0x141/0x170
> [  183.713733]  ? check_same_owner+0x320/0x320
> [  183.714246]  kasan_kmalloc+0x99/0xe0
> [  183.715244]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> [  183.715586]  kasan_slab_alloc+0x12/0x20
> [  183.716143]  ? __check_object_size+0x95/0x5d9
> [  183.716683]  kmem_cache_alloc_node+0x131/0x780
> [  183.717282]  ? sock_kmalloc+0x14e/0x1d0
> [  183.717760]  ? do_raw_spin_unlock+0x1f9/0x2e0
> [  183.718520]  ? mark_held_locks+0xc9/0x160
> [  183.719029]  ? do_raw_spin_trylock+0x1b0/0x1b0
> [  183.719654]  ? __might_sleep+0x95/0x190
> [  183.720280]  copy_process.part.39+0x16c4/0x6ee0
> [  183.720828]  crypto_rng_reset+0x7c/0x130
> [  183.721434]  ? trace_hardirqs_on+0xd/0x10
> [  183.722007]  rng_setkey+0x25/0x30
> [  183.722596]  ? debug_object_active_state+0x2e7/0x4e0
> [  183.723145]  ? rng_sock_destruct+0x90/0x90
> [  183.723745]  ? kasan_check_read+0x11/0x20
> [  183.724308]  alg_setsockopt+0x306/0x3b0
> [  183.724845]  ? rcu_is_watching+0x85/0x140
> [  183.725324]  __compat_sys_setsockopt+0x315/0x7c0
> [  183.725972]  ? rcu_bh_force_quiescent_state+0x20/0x20
> [  183.726560]  ? __compat_sys_getsockopt+0x7f0/0x7f0
> [  183.727091]  ? __call_rcu.constprop.68+0x396/0xbb0
> [  183.727643]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.728173]  ? __cleanup_sighand+0x70/0x70
> [  183.728827]  ? ksys_write+0x1a6/0x250
> [  183.729485]  ? note_gp_changes+0x540/0x540
> [  183.730161]  ? SyS_read+0x30/0x30
> [  183.730797]  ? lock_downgrade+0x8e0/0x8e0
> [  183.731558]  compat_SyS_setsockopt+0x34/0x50
> [  183.732109]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
> [  183.732636]  ? scm_detach_fds_compat+0x440/0x440
> [  183.733180]  ? tty_kref_put.part.14+0x81/0x250
> [  183.733657]  do_fast_syscall_32+0x41f/0x10dc
> [  183.734190]  ? __cleanup_sighand+0x58/0x70
> [  183.734798]  ? do_page_fault+0xee/0x8a7
> [  183.735505]  ? do_raw_write_trylock+0x1b0/0x1b0
> [  183.736162]  ? do_int80_syscall_32+0xa70/0xa70
> [  183.736745]  ? print_usage_bug+0xc0/0xc0
> [  183.737367]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.737907]  ? trace_hardirqs_on_caller+0x421/0x5c0
> [  183.738459]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.739057]  ? call_rcu_sched+0x12/0x20
> [  183.739700]  ? syscall_return_slowpath+0x30f/0x5c0
> [  183.740220]  ? release_task.part.15+0xf70/0x1b90
> [  183.740882]  ? sysret32_from_system_call+0x5/0x3c
> [  183.741522]  ? __lock_acquire+0x7f5/0x5130
> [  183.742290]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [  183.742798]  ? rcu_is_watching+0x85/0x140
> [  183.743480]  entry_SYSENTER_compat+0x70/0x7f
> [  183.744099]  ? find_held_lock+0x36/0x1c0
> [  183.744769] RIP: 0023:0xf7f0ecb9
> [  183.745327]  ? debug_check_no_locks_freed+0x310/0x310
> [  183.745990] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296
> [  183.746525]  ? lock_downgrade+0x8e0/0x8e0
> [  183.747126]  ORIG_RAX: 000000000000016e
> [  183.747653]  ? find_held_lock+0x36/0x1c0
> [  183.748117] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
> [  183.748800]  ? print_usage_bug+0xc0/0xc0
> [  183.749530] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
> [  183.749538] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
> [  183.750087]  ? lock_downgrade+0x8e0/0x8e0
> [  183.750632] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.751152]  ? lock_downgrade+0x8e0/0x8e0
> [  183.752156] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  183.752170] CPU: 3 PID: 5504 Comm: a.out Not tainted 4.16.0+ #4
> [  183.752693]  ? __lock_acquire+0x7f5/0x5130
> [  183.753653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.10.2-1 04/01/2014
> [  183.754595]  ? graph_lock+0x170/0x170
> [  183.755167] Call Trace:
> [  183.756102]  ? trace_hardirqs_on_caller+0x421/0x5c0
> [  183.756639]  dump_stack+0x1b9/0x29f
> [  183.757562]  ? debug_check_no_locks_freed+0x310/0x310
> [  183.758333]  ? arch_local_irq_restore+0x52/0x52
> [  183.758872]  ? find_held_lock+0x36/0x1c0
> [  183.759218] FAULT_INJECTION: forcing a failure.
> [  183.759218] name failslab, interval 1, probability 0, space 0, times 0
> [  183.759966]  ? __save_stack_trace+0x7e/0xd0
> [  183.760453]  ? lock_downgrade+0x8e0/0x8e0
> [  183.760788]  should_fail.cold.4+0xa/0x1a
> [  183.761427]  ? do_raw_spin_unlock+0x1f9/0x2e0
> [  183.761933]  ? fault_create_debugfs_attr+0x1f0/0x1f0
> [  183.762593]  ? do_raw_spin_trylock+0x1b0/0x1b0
> [  183.763216]  ? kasan_kmalloc+0xc4/0xe0
> [  183.763742]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
> [  183.765288]  ? __kmalloc+0x14e/0x760
> [  183.765844]  ? trace_hardirqs_on_caller+0x421/0x5c0
> [  183.766423]  ? drbg_kcapi_seed+0x776/0x12e0
> [  183.766945]  ? trace_hardirqs_on+0xd/0x10
> [  183.767556]  ? crypto_rng_reset+0x7c/0x130
> [  183.768227]  ? graph_lock+0x170/0x170
> [  183.768845]  ? rng_setkey+0x25/0x30
> [  183.769368]  ? add_wait_queue+0x2a0/0x2a0
> [  183.770026]  ? alg_setsockopt+0x306/0x3b0
> [  183.770501]  ? kasan_check_write+0x14/0x20
> [  183.771198]  ? graph_lock+0x170/0x170
> [  183.771758]  ? do_raw_read_lock+0x3f/0x80
> [  183.772336]  ? entry_SYSENTER_compat+0x70/0x7f
> [  183.772887]  _do_fork+0x291/0x12a0
> [  183.773416]  ? find_held_lock+0x36/0x1c0
> [  183.773881]  ? fork_idle+0x1a0/0x1a0
> [  183.774458]  ? __lock_is_held+0xb5/0x140
> [  183.774989]  ? lock_release+0xa10/0xa10
> [  183.775581]  ? check_same_owner+0x320/0x320
> [  183.776070]  ? check_same_owner+0x320/0x320
> [  183.776650]  ? rcu_note_context_switch+0x710/0x710
> [  183.777234]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
> [  183.777725]  should_failslab+0x124/0x180
> [  183.778246]  ? put_pid.part.2+0x1bc/0x230
> [  183.778792]  __kmalloc+0x2c8/0x760
> [  183.779311]  ? __might_sleep+0x95/0x190
> [  183.779871]  ? graph_lock+0x170/0x170
> [  183.780426]  ? __might_fault+0x1a3/0x1e0
> [  183.781007]  ? drbg_kcapi_seed+0x882/0x12e0
> [  183.781643]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.782423]  drbg_kcapi_seed+0x882/0x12e0
> [  183.782942]  ? kernel_wait4+0x2d8/0x3d0
> [  183.783520]  ? drbg_seed+0x10a0/0x10a0
> [  183.783980]  ? SyS_waitid+0x40/0x40
> [  183.784539]  ? lock_downgrade+0x8e0/0x8e0
> [  183.785026]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.785596]  ? lock_acquire+0x1dc/0x520
> [  183.786146]  ? task_stopped_code+0x190/0x190
> [  183.786922]  ? lock_release+0xa10/0xa10
> [  183.787451]  compat_SyS_x86_clone+0x37/0x50
> [  183.788020]  ? check_same_owner+0x320/0x320
> [  183.788517]  ? compat_SyS_x86_fallocate+0x60/0x60
> [  183.789028]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> [  183.789556]  do_fast_syscall_32+0x41f/0x10dc
> [  183.790334]  ? __check_object_size+0x95/0x5d9
> [  183.790841]  ? do_page_fault+0xee/0x8a7
> [  183.791460]  ? sock_kmalloc+0x14e/0x1d0
> [  183.791971]  ? do_int80_syscall_32+0xa70/0xa70
> [  183.792583]  ? mark_held_locks+0xc9/0x160
> [  183.793137]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.793820]  ? __might_sleep+0x95/0x190
> [  183.794528]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.795147]  crypto_rng_reset+0x7c/0x130
> [  183.795737]  ? syscall_return_slowpath+0x30f/0x5c0
> [  183.796291]  rng_setkey+0x25/0x30
> [  183.796803]  ? sysret32_from_system_call+0x5/0x3c
> [  183.797442]  ? rng_sock_destruct+0x90/0x90
> [  183.797997]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [  183.798658]  alg_setsockopt+0x306/0x3b0
> [  183.799166]  entry_SYSENTER_compat+0x70/0x7f
> [  183.799971]  __compat_sys_setsockopt+0x315/0x7c0
> [  183.800486] RIP: 0023:0xf7f0ecb9
> [  183.801190]  ? __compat_sys_getsockopt+0x7f0/0x7f0
> [  183.801631] RSP: 002b:00000000ffeb1ec0 EFLAGS: 00000246
> [  183.802312]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.802850]  ORIG_RAX: 0000000000000078
> [  183.803534]  ? ksys_write+0x1a6/0x250
> [  183.804067] RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000
> [  183.804693]  ? SyS_read+0x30/0x30
> [  183.805295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000009fbd8a8
> [  183.805768]  compat_SyS_setsockopt+0x34/0x50
> [  183.806404] RBP: 00000000ffeb1ef8 R08: 0000000000000000 R09: 0000000000000000
> [  183.807154]  ? scm_detach_fds_compat+0x440/0x440
> [  183.807861] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.808421]  do_fast_syscall_32+0x41f/0x10dc
> [  183.808900] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  183.808905] Code:
> [  183.809928]  ? do_page_fault+0xee/0x8a7
> [  183.810365] 55
> [  183.811385]  ? do_int80_syscall_32+0xa70/0xa70
> [  183.811949] 48
> [  183.812992]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.813590] 89
> [  183.814630]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.815191] e5
> [  183.816214]  ? syscall_return_slowpath+0x30f/0x5c0
> [  183.816487] 41
> [  183.817066]  ? sysret32_from_system_call+0x5/0x3c
> [  183.817313] 57
> [  183.817958]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [  183.818200] 49
> [  183.818869]  entry_SYSENTER_compat+0x70/0x7f
> [  183.819109] c7
> [  183.819894] RIP: 0023:0xf7f0ecb9
> [  183.820135] c7
> [  183.820821] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296
> [  183.821065] a0
> [  183.821738]  ORIG_RAX: 000000000000016e
> [  183.821984] 72
> [  183.822657] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
> [  183.822900] b1
> [  183.823513] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
> [  183.823760] 88
> [  183.824230] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
> [  183.824238] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.824492] 41
> [  183.825238] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  183.825250] CPU: 0 PID: 5512 Comm: a.out Not tainted 4.16.0+ #4
> [  183.825490] 56
> [  183.826073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.10.2-1 04/01/2014
> [  183.826204] FAULT_INJECTION: forcing a failure.
> [  183.826204] name failslab, interval 1, probability 0, space 0, times 0
> [  183.826315] 41
> [  183.827333] Call Trace:
> [  183.827583] 55
> [  183.828608]  dump_stack+0x1b9/0x29f
> [  183.828844] 41
> [  183.829864]  ? arch_local_irq_restore+0x52/0x52
> [  183.830780] 54
> [  183.831054]  ? __save_stack_trace+0x7e/0xd0
> [  183.831979] 49
> [  183.832860]  should_fail.cold.4+0xa/0x1a
> [  183.833097] 89
> [  183.834277]  ? fault_create_debugfs_attr+0x1f0/0x1f0
> [  183.835690] f4
> [  183.835964]  ? kasan_kmalloc+0xc4/0xe0
> [  183.836300] 53
> [  183.836568]  ? __kmalloc+0x14e/0x760
> [  183.836577]  ? drbg_kcapi_seed+0x776/0x12e0
> [  183.837061] 48
> [  183.837329]  ? crypto_rng_reset+0x7c/0x130
> [  183.837338]  ? rng_setkey+0x25/0x30
> [  183.837931] 83
> [  183.838200]  ? alg_setsockopt+0x306/0x3b0
> [  183.838748] ec
> [  183.839015]  ? __compat_sys_setsockopt+0x315/0x7c0
> [  183.839026]  ? do_fast_syscall_32+0x41f/0x10dc
> [  183.839536] 10
> [  183.839814]  ? entry_SYSENTER_compat+0x70/0x7f
> [  183.840457] 48
> [  183.840728]  ? check_same_owner+0x320/0x320
> [  183.841224] 89
> [  183.841495]  ? kasan_check_write+0x14/0x20
> [  183.841969] 7d
> [  183.842572]  ? kasan_unpoison_shadow+0x35/0x50
> [  183.842811] c8
> [  183.843405]  ? lock_acquire+0x1dc/0x520
> [  183.843867] 4d
> [  183.844142]  ? fs_reclaim_acquire+0x20/0x20
> [  183.844665] 89
> [  183.844935]  ? lock_downgrade+0x8e0/0x8e0
> [  183.845555] e5
> [  183.846234]  ? lock_release+0xa10/0xa10
> [  183.846474] 4d
> [  183.847130]  ? drbg_init_sym_kernel+0x516/0x74a
> [  183.847139]  ? check_same_owner+0x320/0x320
> [  183.847380] 85
> [  183.847991]  ? rcu_note_context_switch+0x710/0x710
> [  183.848229] e4
> [  183.848824]  should_failslab+0x124/0x180
> [  183.849063] 0f
> [  183.849707]  __kmalloc+0x2c8/0x760
> [  183.849946] 84
> [  183.850505]  ? lock_acquire+0x1dc/0x520
> [  183.850744] c8
> [  183.851350]  ? __fget+0x3e3/0x650
> [  183.851593] 00
> [  183.852177]  ? drbg_kcapi_seed+0x882/0x12e0
> [  183.852416] 00
> [  183.852972]  drbg_kcapi_seed+0x882/0x12e0
> [  183.853213] 00
> [  183.853867]  ? drbg_seed+0x10a0/0x10a0
> [  183.854414] <49>
> [  183.854688]  ? lock_acquire+0x1dc/0x520
> [  183.855313] 63
> [  183.855591]  ? __might_fault+0x12b/0x1e0
> [  183.856105] 95
> [  183.856375]  ? lock_downgrade+0x8e0/0x8e0
> [  183.856821] fc
> [  183.857090]  ? lock_acquire+0x1dc/0x520
> [  183.857590] 00
> [  183.857858]  ? lock_release+0xa10/0xa10
> [  183.858319] 00
> [  183.858589]  ? check_same_owner+0x320/0x320
> [  183.859131] 00
> [  183.859401]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> [  183.859928] 4c
> [  183.860200]  ? __check_object_size+0x95/0x5d9
> [  183.860689] 8b
> [  183.860983]  ? sock_kmalloc+0x14e/0x1d0
> [  183.861482] 30
> [  183.861748]  ? do_raw_spin_unlock+0x1f9/0x2e0
> [  183.861758]  ? __might_sleep+0x95/0x190
> [  183.862269] 48
> [  183.862539]  crypto_rng_reset+0x7c/0x130
> [  183.863079] 29
> [  183.863348]  rng_setkey+0x25/0x30
> [  183.863878] d0
> [  183.864150]  ? rng_sock_destruct+0x90/0x90
> [  183.864654] 49
> [  183.864924]  alg_setsockopt+0x306/0x3b0
> [  183.865488] 83
> [  183.865758]  __compat_sys_setsockopt+0x315/0x7c0
> [  183.866488] 3f
> [  183.866758]  ? __compat_sys_getsockopt+0x7f0/0x7f0
> [  183.867324] 00
> [  183.867598]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.868098] 48
> [  183.868369]  ? ksys_write+0x1a6/0x250
> [  183.868941] 89
> [  183.869500]  ? SyS_read+0x30/0x30
> [  183.869740] c6
> [  183.870312]  compat_SyS_setsockopt+0x34/0x50
> [  183.870551] 0f
> [  183.871043]  ? scm_detach_fds_compat+0x440/0x440
> [  183.871289] RIP: qlist_free_all+0x37/0x160 RSP: ffff880062de7050
> [  183.871893]  do_fast_syscall_32+0x41f/0x10dc
> [  183.872134] CR2: 0000000000000106
> [  183.872695]  ? do_page_fault+0xee/0x8a7
> [  183.872988] ---[ end trace 0fa4e77a7b3c174f ]---
> [  183.873604]  ? do_int80_syscall_32+0xa70/0xa70
> [  183.873611]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.873622]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.873871] Kernel panic - not syncing: Fatal exception
> [  183.874560]  ? syscall_return_slowpath+0x30f/0x5c0
> [  183.885552]  ? prepare_exit_to_usermode+0x390/0x390
> [  183.886255]  ? prepare_exit_to_usermode+0x285/0x390
> [  183.886953]  ? perf_trace_sys_enter+0xaf0/0xaf0
> [  183.887609]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [  183.888289]  entry_SYSENTER_compat+0x70/0x7f
> [  183.888906] RIP: 0023:0xf7f0ecb9
> [  183.889376] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX:
> 000000000000016e
> [  183.890447] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
> [  183.891452] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
> [  183.892463] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
> [  183.893471] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.894481] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  183.895514] Kernel Offset: disabled
> [  183.896034] Rebooting in 86400 seconds..

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Stephan Mueller]

Am Dienstag, 10. April 2018, 17:23:46 CEST schrieb Dmitry Vyukov:

Hi Dmitry,

> Stephan,
> 
> Do you have any hypothesis as to why this is not detected by KASAN and
> causes silent corruptions?
> We generally try to understand such cases and improve KASAN so that it
> catches such cases more reliably and they do not cause splashes of
> random crashes on syzbot.

I do not have any hypothesis at this point. I know that you induce some fault. 
As you mentioned the drbg_kcapi_seed function, I was looking through the error 
code paths to see whether some error handlers trip over each other. But all is 
guesswork so far. And I am not even sure whether the bug is in the DRBG code 
base.

Looking into the trace you sent, I see a NULL pointer dereference. At one 
point there is also the drbg_init_hash_kernel that is called. But nowhere I 
see any smoking gun.

Could you please give me a description of the fault you are inducing?

Ciao
Stephan

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Dmitry Vyukov]

On Tue, Apr 10, 2018 at 5:35 PM, Stephan Mueller <smueller@chronox.de> wrote:
> Am Dienstag, 10. April 2018, 17:23:46 CEST schrieb Dmitry Vyukov:
>
> Hi Dmitry,
>
>> Stephan,
>>
>> Do you have any hypothesis as to why this is not detected by KASAN and
>> causes silent corruptions?
>> We generally try to understand such cases and improve KASAN so that it
>> catches such cases more reliably and they do not cause splashes of
>> random crashes on syzbot.
>
> I do not have any hypothesis at this point. I know that you induce some fault.
> As you mentioned the drbg_kcapi_seed function, I was looking through the error
> code paths to see whether some error handlers trip over each other. But all is
> guesswork so far. And I am not even sure whether the bug is in the DRBG code
> base.
>
> Looking into the trace you sent, I see a NULL pointer dereference. At one
> point there is also the drbg_init_hash_kernel that is called. But nowhere I
> see any smoking gun.
>
> Could you please give me a description of the fault you are inducing?

Hi Stephan,

What do you mean by description of the fault?
It's kernel standard FAULT_INJECTION facility, it injects faults
mainly into kmalloc/slab_alloc (also in a bunch of other things, but
in this case this seems to be kmalloc). In the repro you can see that
it's injecting a fault into 8-th malloc in the setsockopt syscall.

I wonder why you can't reproduce it. I can trigger it reliably in a
qemu. Let's try this:
I have upstream kernel on b284d4d5a6785f8cd07eda2646a95782373cd01e.
Here is my config:
https://gist.githubusercontent.com/dvyukov/f843ea09bc5b9439a820c8e809a5501d/raw/ad330e9b6b710f57f63b61590747b48230e5cb61/gistfile1.txt
Here is the compiler:
https://storage.googleapis.com/syzkaller/gcc-8.0.1-20180301.tar.gz
Build as: make -jN CC=that/gcc/bin/gcc
Then I start qemu as:

qemu-system-x86_64 -hda wheezy.img -net
user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net nic -nographic -kernel
arch/x86/boot/bzImage -append "kvm-intel.nested=1
kvm-intel.unrestricted_guest=1 kvm-intel.ept=1
kvm-intel.flexpriority=1 kvm-intel.vpid=1
kvm-intel.emulate_invalid_guest_state=1 kvm-intel.eptad=1
kvm-intel.enable_shadow_vmcs=1 kvm-intel.pml=1
kvm-intel.enable_apicv=1 console=ttyS0 root=/dev/sda
earlyprintk=serial slub_debug=UZ vsyscall=native rodata=n oops=panic
panic_on_warn=1 panic=86400" -enable-kvm -pidfile vm_pid -m 2G -smp 4
-cpu host

You can find the wheezy.img and ssh key for it here:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#crash-does-not-reproduce

Then I compile this program:
https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt
as: gcc prog.c -static -m32

Run in the qemu and within a minute it gives me the crash.

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Stephan Mueller]

Am Mittwoch, 11. April 2018, 14:29:45 CEST schrieb Dmitry Vyukov:

Hi Dmitry,
> 
> What do you mean by description of the fault?
> It's kernel standard FAULT_INJECTION facility, it injects faults
> mainly into kmalloc/slab_alloc (also in a bunch of other things, but
> in this case this seems to be kmalloc). In the repro you can see that
> it's injecting a fault into 8-th malloc in the setsockopt syscall.

I am now able to reproduce it.

I think I have a smoking gun, but let me test it first.

Ciao
Stephan

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Stephan Müller]

Hi Dimitry,

This fix prevents the kernel from crashing when injecting the fault. 
Stack traces are yet shown but I guess that is expected every time
a fault is injected.

As to why KASAN did not notice this one, I am not sure. Maybe it is
because I use two buffer pointers to point to (almost) the same memory
(one that is aligned and one pointing to the complete buffer)?

---8<---

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
---
 crypto/drbg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..466a112a4446 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
 	if (!drbg)
 		return;
 	kzfree(drbg->Vbuf);
+	drbg->Vbuf = NULL;
 	drbg->V = NULL;
 	kzfree(drbg->Cbuf);
+	drbg->Cbuf = NULL;
 	drbg->C = NULL;
 	kzfree(drbg->scratchpadbuf);
 	drbg->scratchpadbuf = NULL;
-- 
2.14.3

[PATCH] crypto: drbg - set freed buffers to NULL

[Stephan Müller]

Sorry, this time with the proper subject line.

---8<---

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
---
 crypto/drbg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..466a112a4446 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
 	if (!drbg)
 		return;
 	kzfree(drbg->Vbuf);
+	drbg->Vbuf = NULL;
 	drbg->V = NULL;
 	kzfree(drbg->Cbuf);
+	drbg->Cbuf = NULL;
 	drbg->C = NULL;
 	kzfree(drbg->scratchpadbuf);
 	drbg->scratchpadbuf = NULL;
-- 
2.14.3

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Dmitry Vyukov]

On Wed, Apr 11, 2018 at 4:26 PM, Stephan Müller <smueller@chronox.de> wrote:
> Hi Dimitry,
>
> This fix prevents the kernel from crashing when injecting the fault.

Good!

> Stack traces are yet shown but I guess that is expected every time
> a fault is injected.

Yes, nothing to fix here.

> As to why KASAN did not notice this one, I am not sure. Maybe it is
> because I use two buffer pointers to point to (almost) the same memory
> (one that is aligned and one pointing to the complete buffer)?

After looking at the fix, I figured out what happened with KASAN.
Filed https://bugzilla.kernel.org/show_bug.cgi?id=199359. In short,
tricky interplay between kzfree, ksize and double-free detection.
If KASAN worked as intended it would give a nice "double-free in this
stack for object allocated in this stack and previously freed in this
stack", which would probably make debugging much simpler.


> ---8<---
>
> During freeing of the internal buffers used by the DRBG, set the pointer
> to NULL. It is possible that the context with the freed buffers is
> reused. In case of an error during initialization where the pointers
> do not yet point to allocated memory, the NULL value prevents a double
> free.
>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
> ---
>  crypto/drbg.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index 4faa2781c964..466a112a4446 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
>         if (!drbg)
>                 return;
>         kzfree(drbg->Vbuf);
> +       drbg->Vbuf = NULL;
>         drbg->V = NULL;
>         kzfree(drbg->Cbuf);
> +       drbg->Cbuf = NULL;
>         drbg->C = NULL;
>         kzfree(drbg->scratchpadbuf);
>         drbg->scratchpadbuf = NULL;
> --
> 2.14.3
>
>
>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/2186798.qrgUIDAn9S%40positron.chronox.de.
> For more options, visit https://groups.google.com/d/optout.

Re: [PATCH] crypto: drbg - set freed buffers to NULL

[Eric Biggers]

On Wed, Apr 11, 2018 at 04:31:01PM +0200, Stephan Müller wrote:
> Sorry, this time with the proper subject line.
> 
> ---8<---
> 
> During freeing of the internal buffers used by the DRBG, set the pointer
> to NULL. It is possible that the context with the freed buffers is
> reused. In case of an error during initialization where the pointers
> do not yet point to allocated memory, the NULL value prevents a double
> free.
> 
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
> ---
>  crypto/drbg.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index 4faa2781c964..466a112a4446 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
>  	if (!drbg)
>  		return;
>  	kzfree(drbg->Vbuf);
> +	drbg->Vbuf = NULL;
>  	drbg->V = NULL;
>  	kzfree(drbg->Cbuf);
> +	drbg->Cbuf = NULL;
>  	drbg->C = NULL;
>  	kzfree(drbg->scratchpadbuf);
>  	drbg->scratchpadbuf = NULL;

Can you please add Fixes and Cc stable?

- Eric

[PATCH] crypto: drbg - set freed buffers to NULL

[Stephan Müller]

Add the Fixes, CC stable tags.

---8<---

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Cc: stable@vger.kernel.org
Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
---
 crypto/drbg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..466a112a4446 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
 	if (!drbg)
 		return;
 	kzfree(drbg->Vbuf);
+	drbg->Vbuf = NULL;
 	drbg->V = NULL;
 	kzfree(drbg->Cbuf);
+	drbg->Cbuf = NULL;
 	drbg->C = NULL;
 	kzfree(drbg->scratchpadbuf);
 	drbg->scratchpadbuf = NULL;
-- 
2.14.3

Re: [PATCH] crypto: drbg - set freed buffers to NULL

[Herbert Xu]

On Thu, Apr 12, 2018 at 08:40:55AM +0200, Stephan Müller wrote:
> Add the Fixes, CC stable tags.
> 
> ---8<---
> 
> During freeing of the internal buffers used by the DRBG, set the pointer
> to NULL. It is possible that the context with the freed buffers is
> reused. In case of an error during initialization where the pointers
> do not yet point to allocated memory, the NULL value prevents a double
> free.
> 
> Cc: stable@vger.kernel.org
> Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt