Re: [syzbot] [ext4?] general protection fault in ext4_put_io_end_defer

[Eric Biggers <ebiggers@kernel.org>]

On Fri, Jun 30, 2023 at 12:41:11AM -0700, Eric Biggers wrote:
> On Wed, Jun 28, 2023 at 11:57:14PM -0400, Theodore Ts'o wrote:
> > #syz set subsystems: crypto
> > 
> > On Sat, Jun 24, 2023 at 07:21:44PM -0700, syzbot wrote:
> > > Hello,
> > > 
> > > syzbot found the following issue on:
> > > 
> > > HEAD commit:    f7efed9f38f8 Add linux-next specific files for 20230616
> > > git tree:       linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=152e89f3280000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=60b1a32485a77c16
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=94a8c779c6b238870393
> > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=116af1eb280000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14e22d2f280000
> > 
> > If you look at the reproducer, it's creating an AF_ALG (algorithm)
> > socket and messing with it.  This is easier to see in the syz
> > reproducer, but you can see exactly what it's doing in the C
> > reproducer above:
> > 
> > # https://syzkaller.appspot.com/bug?id=4ee7656695de92cbd5820111379ae0698af0f475
> > # See https://goo.gl/kgGztJ for information about syzkaller reproducers.
> > #{"threaded":true,"repeat":true,"procs":1,"slowdown":1,"sandbox":"none","sandbox_arg":0,"netdev":true,"binfmt_misc":true,"close_fds":true,"vhci":true,"ieee802154":true,"sysctl":true,"swap":true,"tmpdir":true}
> > r0 = socket$alg(0x26, 0x5, 0x0)
> > bind$alg(r0, &(0x7f0000000280)={0x26, 'hash\x00', 0x0, 0x0, 'sha3-256-generic\x00'}, 0x58)
> > r1 = accept4(r0, 0x0, 0x0, 0x0)
> > recvmmsg$unix(r1, &(0x7f0000003700)=[{{0x0, 0x700, 0x0}}], 0x600, 0x0, 0x0)
> > sendmsg$can_bcm(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={0x0}}, 0x400c800)
> > 
> > (0x26 is 38, or AF_ALG)
> > 
> > From looking at the stack trace, it looks like this is triggering a
> > coredump, which presumably is the ext4 write that triggers the GPF in
> > ext4_put_io_end_defer.  But given that the syz and C reproducer isn't
> > doing anything ext4 related at all, and it's purely trying to use the
> > AF_ALG socket to calculate SHA3 in the kernel (and the greek chorus
> > cries out, "WHY?"[1]), I'm going to send this over to the crypto folks to
> > investigate.
> 
> Just a couple weeks ago, commit c662b043cdca ("crypto: af_alg/hash: Support
> MSG_SPLICE_PAGES") had many syzbot reports against it.  This particular report
> is against next-20230616 which didn't include the fix commit b6d972f68983
> ("crypto: af_alg/hash: Fix recvmsg() after sendmsg(MSG_MORE)").  So there's a
> high chance this report is no longer valid.  I'll go ahead and invalidate it:
> 
> #syz invalid
> 
> > 
> > Cheers,
> > 
> > 					- Ted
> > 
> > [1] TIL that AF_ALG exists.  Inquiring minds want to know:
> >    * Why do we expose the AF_ALG userspace interface?
> >    * Who uses it?
> >    * Why do they use it?
> >    * Is there a CONFIG option to disable it in the name of decreasing
> >      the attack surface of the kernel?
> >    * If not, should we add one?  :-)
> 
> AF_ALG has existed since 2010.  My understanding that its original purpose was
> to expose hardware crypto accelerators to userspace.  Unfortunately, support for
> exposing *any* crypto algorithm was included as well, which IMO was a mistake.
> 
> There are quite a few different userspace programs that use AF_ALG purely to get
> at the CPU-based algorithm implementations, without any sort of intention to use
> hardware crypto accelerator.  Probably because it seemed "easy".  Or "better"
> because everything in the kernel is better, right?
> 
> It's controlled by the CONFIG_CRYPTO_USER_API_* options, with the hash support
> in particular controlled by CONFIG_CRYPTO_USER_API_HASH.  Though good luck
> disabling it on most systems, as systemd depends on it...
> 

Actually it turns out systemd has finally seen the light:
https://github.com/systemd/systemd/commit/2c3794f4228162c9bfd9e10886590d9f5b1920d7

- Eric