Re: general protection fault in blkcipher_walk_done

From: Stephan Mueller
Date: Tue Nov 28 2017 - 04:04:06 EST


On Tuesday, 28 November 2017, 06:37:38 CET, Eric Biggers wrote:

Hi Eric,

> On Mon, Nov 27, 2017 at 10:56:47AM -0800, syzbot wrote:
> > Hello,
> >
> > syzkaller hit the following crash on
> > 1ea8d039f9edcfefb20d8ddfe136930f6e551529
> > git://git.cmpxchg.org/linux-mmots.git/master
> > compiler: gcc (GCC) 7.1.1 20170620
> > .config is attached
> > Raw console output is attached.
> > C reproducer is attached
> > syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> > for information about syzkaller reproducers
>
> Still happens on latest Linus tree (v4.15-rc1) with crypto/master merged in.
> It seems that _aead_recvmsg() is being confused by the operation mode
> being changed from encryption to decryption while it has dropped the socket
> lock in af_alg_wait_for_data(). Here's a simplified reproducer:

Right, the enc/dec direction should be a local variable and not used from the context.

All other variables are either accessed before or after the sleep that releases the socket. Thus, the other variables are safe regarding this issue.

Note, I also checked the code before v4.13: this code is not affected by this issue because the sleep happens before any member of the context is dereferenced.

Eric, may I ask you to check the attached patch? Note, I did not yet test that patch myself. Thanks a lot.

---8<---
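The patch Stephan refers to is not reproduced on this page. What follows is an added, stand-alone C illustration of the race he describes, not the attached patch and not kernel code: a request context whose direction flag can be rewritten by a concurrent writer while the reader has dropped its lock. The struct, the `wait_for_data()` hook standing in for af_alg_wait_for_data(), and the `flip_direction()` writer are all hypothetical; the real kernel types and functions are only named in comments.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the per-socket request context. In the real
 * code the direction is set by sendmsg() (ALG_SET_OP) and read by
 * _aead_recvmsg(); here it is just a flag plus a toy lock state. */
struct req_ctx {
    bool enc;        /* true = encrypt, false = decrypt */
    bool locked;     /* models whether the socket lock is held */
};

/* A concurrent writer. It mirrors a racing sendmsg() only in that it
 * runs while the lock is dropped; if the lock is held it does nothing. */
typedef void (*writer_fn)(struct req_ctx *c);

/* Hypothetical stand-in for af_alg_wait_for_data(): release the lock,
 * sleep (during which 'writer' may run), then re-take the lock. */
static void wait_for_data(struct req_ctx *c, writer_fn writer)
{
    c->locked = false;                 /* release_sock() */
    if (writer)
        writer(c);                     /* another task runs here */
    c->locked = true;                  /* lock_sock() */
}

/* Buggy shape: the direction is dereferenced from the context after the
 * sleep, so a change made while the lock was dropped is picked up. */
static bool recvmsg_buggy(struct req_ctx *c, writer_fn writer)
{
    c->locked = true;
    wait_for_data(c, writer);
    bool enc = c->enc;                 /* read after lock drop + re-take */
    c->locked = false;
    return enc;
}

/* Fixed shape: snapshot the direction into a local while the lock is
 * held and use only that copy after the sleep. */
static bool recvmsg_fixed(struct req_ctx *c, writer_fn writer)
{
    c->locked = true;
    bool enc = c->enc;                 /* snapshot under the lock */
    wait_for_data(c, writer);
    c->locked = false;
    return enc;
}

/* Constructed writer: flips the direction, as a sendmsg() with the
 * opposite ALG_SET_OP would, but only when the lock is not held. */
static void flip_direction(struct req_ctx *c)
{
    if (!c->locked)
        c->enc = !c->enc;
}

/* Direction observed by each shape when a writer flips it mid-sleep.
 * Both start in encrypt mode; only the buggy shape ends up decrypting. */
bool observed_direction_buggy(void)
{
    struct req_ctx c = { .enc = true, .locked = false };
    return recvmsg_buggy(&c, flip_direction);
}

bool observed_direction_fixed(void)
{
    struct req_ctx c = { .enc = true, .locked = false };
    return recvmsg_fixed(&c, flip_direction);
}

/* Control case: with no concurrent writer both shapes agree. */
bool observed_direction_no_writer(void)
{
    struct req_ctx c = { .enc = true, .locked = false };
    return recvmsg_buggy(&c, NULL) == recvmsg_fixed(&c, NULL);
}
```

The only difference between the two shapes is where `c->enc` is read relative to the lock drop; that is the whole of the fix Stephan proposes, and it generalises to any field of the context that is dereferenced after the sleep.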