Re: KASAN: use-after-free Read in aead_recvmsg

From: Eric Biggers
Date: Tue Nov 28 2017 - 02:30:13 EST


On Tue, Nov 28, 2017 at 07:30:46AM +0100, Stephan Mueller wrote:
> On Monday, 27 November 2017, 23:43:08 CET, Eric Biggers wrote:
>
> Hi Eric,
>
> > No, that doesn't help. I tested v4.15-rc1 with all the extra commits from
> > crypto-2.6.git/master applied:
> >
> > crypto: algif_aead - skip SGL entries with NULL page
> > crypto: af_alg - remove locking in async callback
> > crypto: skcipher - Fix skcipher_walk_aead_common
> >
> > Did you use the .config the bot provided? It's possible the bug is only
> > noticeable with KASAN enabled.
>
> Not so far, but the bug seemed to be there without my patch and then gone
> after testing it with my patch. It seems not.
>
> I will use your config then.
>

Sometimes you have to reboot to get the reproducer to work, because the bug has
to do with reference counting of the "null skcipher", which is a global
resource. Here's a patch that fixes it, it seems:

---8<---