From: Eric Biggers <ebiggers@kernel.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Jakub Kicinski <kuba@kernel.org>,
Boris Pismenny <borisp@nvidia.com>,
John Fastabend <john.fastabend@gmail.com>,
glider@google.com, herbert@gondor.apana.org.au,
linux-crypto@vger.kernel.org, syzkaller-bugs@googlegroups.com,
syzbot <syzbot+828dfc12440b4f6f305d@syzkaller.appspotmail.com>,
Aviad Yehezkel <aviadye@nvidia.com>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>
Subject: Re: [PATCH] net: tls: enable __GFP_ZERO upon tls_init()
Date: Fri, 30 Jun 2023 01:15:36 -0700 [thread overview]
Message-ID: <20230630081536.GD36542@sol.localdomain> (raw)
In-Reply-To: <ada9b995-8d67-0375-f153-b434d48bd253@I-love.SAKURA.ne.jp>
On Thu, Jun 29, 2023 at 07:15:21AM +0900, Tetsuo Handa wrote:
> On 2023/06/29 6:03, Jakub Kicinski wrote:
> > On Wed, 28 Jun 2023 22:48:01 +0900 Tetsuo Handa wrote:
> >> syzbot is reporting uninit-value at aes_encrypt(), for block cipher assumes
> >> that bytes to encrypt/decrypt is multiple of block size for that cipher but
> >> tls_alloc_encrypted_msg() is not initializing padding bytes when
> >> required_size is not multiple of block cipher's block size.
> >
> > Sounds odd, so crypto layer reads beyond what we submitted as
> > the buffer? I don't think the buffer needs to be aligned, so
> > the missing bits may well fall into a different (unmapped?) page.
>
> Since passing __GFP_ZERO to skb_page_frag_refill() hides this problem,
> I think that crypto layer is reading up to block size when requested
> size is not multiple of block size.
>
> >
> > This needs more careful investigation. Always zeroing the input
> > is just covering up the real issue.
>
> Since block cipher needs to read up to block size, someone has to initialize
> padding bytes. I guess that crypto API caller is responsible for allocating
> and initializing padding bytes, otherwise such crypto API caller will fail to
> encrypt/decrypt last partial bytes which are not multiple of cipher's block
> size.
>
> Which function in this report is responsible for initializing padding bytes?
According to the sample crash report from
https://syzkaller.appspot.com/bug?extid=828dfc12440b4f6f305d, the uninitialized
memory access happens while the TLS layer is doing an AES-CCM encryption
operation. CCM supports arbitrarily-aligned additional authenticated data and
plaintext/ciphertext. Also, an encryption with crypto_aead_encrypt() reads
exactly 'assoclen + cryptlen' bytes from the 'src' scatterlist; it's not
supposed to ever go past that, even if the data isn't "block aligned".
The "aead" API (include/crypto/aead.h) is still confusing and hard to use
correctly, though, mainly because of the weird scatterlist layout it expects
with the AAD and plaintext/ciphertext concatenated to each other. I wouldn't be
surprised if the TLS layer is making some error. What is the exact sequence of
crypto_aead_* calls that results in this issue?
- Eric
next prev parent reply other threads:[~2023-06-30 8:15 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <0000000000008a7ae505aef61db1@google.com>
2020-09-11 17:01 ` [net/tls] Re: KMSAN: uninit-value in aes_encrypt (4) Eric Biggers
[not found] ` <c16e9ab9-13e0-b911-e33a-c9ae81e93a8d@I-love.SAKURA.ne.jp>
2023-06-28 21:03 ` [PATCH] net: tls: enable __GFP_ZERO upon tls_init() Jakub Kicinski
2023-06-28 22:15 ` Tetsuo Handa
2023-06-30 8:15 ` Eric Biggers [this message]
2023-06-30 9:36 ` Ard Biesheuvel
2023-06-30 9:52 ` Tetsuo Handa
2023-06-30 10:02 ` Ard Biesheuvel
2023-06-30 10:10 ` Alexander Potapenko
2023-06-30 10:18 ` Ard Biesheuvel
2023-06-30 11:11 ` Tetsuo Handa
2023-06-30 11:24 ` Eric Dumazet
2023-06-30 11:32 ` Ard Biesheuvel
2023-06-30 11:43 ` Alexander Potapenko
2023-06-30 11:37 ` Alexander Potapenko
2023-06-30 11:49 ` Ard Biesheuvel
2023-06-30 11:55 ` Alexander Potapenko
2023-06-30 15:16 ` Ard Biesheuvel
2023-06-30 15:27 ` Jakub Kicinski
2023-06-30 15:50 ` Ard Biesheuvel
2023-07-01 4:12 ` Tetsuo Handa
2023-07-04 13:32 ` Tetsuo Handa
2023-07-06 20:53 ` Jakub Kicinski
2023-07-07 9:41 ` Tetsuo Handa
2023-07-08 10:34 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230630081536.GD36542@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=aviadye@nvidia.com \
--cc=borisp@nvidia.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=glider@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=syzbot+828dfc12440b4f6f305d@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).