| Message ID | 322883.1686863334@warthog.procyon.org.uk |
|---|---|
| State | Accepted |
| Commit | 4380499218c6a1aa77e80e3bf6da107dd8babf62 |
| Headers | show |
| Series | [net-next] crypto: Fix af_alg_sendmsg(MSG_SPLICE_PAGES) sglist limit | expand |
On Thu, Jun 15, 2023 at 10:08:54PM +0100, David Howells wrote: > When af_alg_sendmsg() calls extract_iter_to_sg(), it passes MAX_SGL_ENTS as > the maximum number of elements that may be written to, but some of the > elements may already have been used (as recorded in sgl->cur), so > extract_iter_to_sg() may end up overrunning the scatterlist. > > Fix this to limit the number of elements to "MAX_SGL_ENTS - sgl->cur". > > Note: It probably makes sense in future to alter the behaviour of > extract_iter_to_sg() to stop if "sgtable->nents >= sg_max" instead, but > this is a smaller fix for now. > > The bug causes errors looking something like: > > BUG: KASAN: slab-out-of-bounds in sg_assign_page include/linux/scatterlist.h:109 [inline] > BUG: KASAN: slab-out-of-bounds in sg_set_page include/linux/scatterlist.h:139 [inline] > BUG: KASAN: slab-out-of-bounds in extract_bvec_to_sg lib/scatterlist.c:1183 [inline] > BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg lib/scatterlist.c:1352 [inline] > BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg+0x17a6/0x1960 lib/scatterlist.c:1339 > > Fixes: bf63e250c4b1 ("crypto: af_alg: Support MSG_SPLICE_PAGES") > Reported-by: syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com > Link: https://lore.kernel.org/r/000000000000b2585a05fdeb8379@google.com/ > Signed-off-by: David Howells <dhowells@redhat.com> > Tested-by: syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com > cc: Herbert Xu <herbert@gondor.apana.org.au> > cc: "David S. Miller" <davem@davemloft.net> > cc: Eric Dumazet <edumazet@google.com> > cc: Jakub Kicinski <kuba@kernel.org> > cc: Paolo Abeni <pabeni@redhat.com> > cc: Jens Axboe <axboe@kernel.dk> > cc: Matthew Wilcox <willy@infradead.org> > cc: linux-crypto@vger.kernel.org > cc: netdev@vger.kernel.org > --- > crypto/af_alg.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Thanks,
Hello: This patch was applied to netdev/net-next.git (main) by David S. Miller <davem@davemloft.net>: On Thu, 15 Jun 2023 22:08:54 +0100 you wrote: > When af_alg_sendmsg() calls extract_iter_to_sg(), it passes MAX_SGL_ENTS as > the maximum number of elements that may be written to, but some of the > elements may already have been used (as recorded in sgl->cur), so > extract_iter_to_sg() may end up overrunning the scatterlist. > > Fix this to limit the number of elements to "MAX_SGL_ENTS - sgl->cur". > > [...] Here is the summary with links: - [net-next] crypto: Fix af_alg_sendmsg(MSG_SPLICE_PAGES) sglist limit https://git.kernel.org/netdev/net-next/c/4380499218c6 You are awesome, thank you!
diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 7d4b6016b83d..cdb1dcc5dd1a 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -1043,7 +1043,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, }; plen = extract_iter_to_sg(&msg->msg_iter, len, &sgtable, - MAX_SGL_ENTS, 0); + MAX_SGL_ENTS - sgl->cur, 0); if (plen < 0) { err = plen; goto unlock;
When af_alg_sendmsg() calls extract_iter_to_sg(), it passes MAX_SGL_ENTS as the maximum number of elements that may be written to, but some of the elements may already have been used (as recorded in sgl->cur), so extract_iter_to_sg() may end up overrunning the scatterlist. Fix this to limit the number of elements to "MAX_SGL_ENTS - sgl->cur". Note: It probably makes sense in future to alter the behaviour of extract_iter_to_sg() to stop if "sgtable->nents >= sg_max" instead, but this is a smaller fix for now. The bug causes errors looking something like: BUG: KASAN: slab-out-of-bounds in sg_assign_page include/linux/scatterlist.h:109 [inline] BUG: KASAN: slab-out-of-bounds in sg_set_page include/linux/scatterlist.h:139 [inline] BUG: KASAN: slab-out-of-bounds in extract_bvec_to_sg lib/scatterlist.c:1183 [inline] BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg lib/scatterlist.c:1352 [inline] BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg+0x17a6/0x1960 lib/scatterlist.c:1339 Fixes: bf63e250c4b1 ("crypto: af_alg: Support MSG_SPLICE_PAGES") Reported-by: syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/000000000000b2585a05fdeb8379@google.com/ Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com cc: Herbert Xu <herbert@gondor.apana.org.au> cc: "David S. Miller" <davem@davemloft.net> cc: Eric Dumazet <edumazet@google.com> cc: Jakub Kicinski <kuba@kernel.org> cc: Paolo Abeni <pabeni@redhat.com> cc: Jens Axboe <axboe@kernel.dk> cc: Matthew Wilcox <willy@infradead.org> cc: linux-crypto@vger.kernel.org cc: netdev@vger.kernel.org --- crypto/af_alg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)