From: David Howells <dhowells@redhat.com>
To: syzbot <syzbot+13a08c0bf4d212766c3c@syzkaller.appspotmail.com>
Cc: dhowells@redhat.com, davem@davemloft.net,
herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [crypto?] general protection fault in shash_async_final
Date: Wed, 14 Jun 2023 12:25:14 +0100 [thread overview]
Message-ID: <1433015.1686741914@warthog.procyon.org.uk> (raw)
In-Reply-To: <000000000000b928f705fdeb873a@google.com>
Here's a reduced testcase for this. The key seems to be passing MSG_MORE to
sendmsg() and then not following up with more data before calling recvmsg().
Apart from not oopsing, I wonder what the behaviour should be here? Should
recvmsg() return an error (EAGAIN or ENODATA maybe) or should it close the
existing operation?
David
---
// https://syzkaller.appspot.com/bug?id=f5d9d503fe959e3b605abdaeedb39b072556281a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>
#define OSERROR(R, S) do { if ((long)(R) == -1L) { perror((S)); exit(1); } } while(0)
int main(void)
{
struct sockaddr_alg salg;
struct msghdr msg;
int algfd, hashfd, res;
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
OSERROR(algfd, "socket");
memset(&salg, 0, sizeof(salg));
salg.salg_family = AF_ALG;
strcpy(salg.salg_type, "hash");
strcpy(salg.salg_name, "digest_null-generic");
res = bind(algfd, (struct sockaddr *)&salg, sizeof(salg));
OSERROR(res, "bind/alg");
hashfd = accept4(algfd, NULL, 0, 0);
OSERROR(hashfd, "accept/alg");
res = setsockopt(3, SOL_ALG, ALG_SET_KEY, NULL, 0);
OSERROR(res, "setsockopt/ALG_SET_KEY");
memset(&msg, 0, sizeof(msg));
res = sendmsg(hashfd, &msg, MSG_MORE);
OSERROR(res, "sendmsg");
res = recvmsg(hashfd, &msg, 0);
OSERROR(res, "recvmsg");
return 0;
}
next prev parent reply other threads:[~2023-06-14 11:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-12 9:41 [syzbot] [crypto?] general protection fault in shash_async_final syzbot
2023-06-14 11:25 ` David Howells [this message]
2023-06-15 9:13 ` Herbert Xu
2023-06-16 1:03 ` David Howells
2023-06-14 14:45 ` David Howells
2023-06-14 15:36 ` syzbot
2023-06-16 1:01 ` David Howells
2023-06-16 5:01 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1433015.1686741914@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+13a08c0bf4d212766c3c@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox