af_alg06 test from crypto test suite in LTP failed with kernel oops on B/C

Bug #1829725 reported by Po-Hsu Lin on 2019-05-20
Affects                 Status   Importance   Assigned to   Milestone
ubuntu-kernel-tests              Undecided    Po-Hsu Lin
linux (Ubuntu)                   Undecided    Unassigned
linux (Ubuntu Bionic)            Undecided    Po-Hsu Lin
linux (Ubuntu Cosmic)            Undecided    Po-Hsu Lin

Bug Description

== Justification ==
From the commit message:
Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
'enckeylen', followed by an authentication key and an encryption key.
crypto_authenc_extractkeys() parses the key to find the inner keys.

However, it fails to consider the case where the rtattr's payload is
longer than 4 bytes but not 4-byte aligned, and where the key ends
before the next 4-byte aligned boundary. In this case, 'keylen -=
RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This
causes a buffer overread and crash during crypto_ahash_setkey().

This error can be easily reproduced with the af_alg06 test in the LTP test suite (it is essentially the reproducer from the commit message).

== Fix ==
8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len)
This patch can be cherry-picked into B/C, and it's already in X/D/E.

== Test ==
Test kernels could be found here:
https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/

Both were verified on a KVM node; the issue no longer occurs.

== Regression potential ==
Low; this patch only tightens the check on the rtattr payload size to make sure it is the expected size. It has also been upstream since December 2018 and is applied in some of our kernels, and no subsequent bug report has been filed against it.

== Original bug report ==
LTP: starting af_alg06
 BUG: unable to handle kernel paging request at ffff9cbffffe0000
 IP: sha256_transform+0x28/0x1b20
 PGD 4d341067 P4D 4d341067 PUD 4d345067 PMD 4d346067 PTE 0
 Oops: 0000 [#1] SMP PTI
 Modules linked in: authenc algif_aead xfrm_user xfrm_algo sha3_generic algif_hash salsa20_generic algif_skcipher af_alg kvm_intel kvm irqbypass joydev input_leds serio_raw mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse virtio_blk drm i2c_piix4 pata_acpi floppy
 CPU: 0 PID: 24368 Comm: af_alg06 Not tainted 4.15.0-50-generic #54-Ubuntu
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
 RIP: 0010:sha256_transform+0x28/0x1b20
 RSP: 0018:ffffb58e8344baa0 EFLAGS: 00010283
 RAX: 0000000000000034 RBX: ffff9cbffffe000c RCX: 0000000000000000
 RDX: 0000000000000000 RSI: ffff9cbffffdffcc RDI: ffffb58e8344bca8
 RBP: ffffb58e8344bbd0 R08: 000000001b6c96f6 R09: ffffb58e8344baa0
 R10: 000000007a9a01a1 R11: 000000001ecb7428 R12: ffff9cc0f332c00c
 R13: ffffb58e8344bca8 R14: ffff9cbff4d8d048 R15: ffff9cbff332c00c
 FS: 00007f9f2a44d580(0000) GS:ffff9cbfffc00000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffff9cbffffe0000 CR3: 000000007c1da000 CR4: 00000000000006f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  sha256_generic_block_fn+0x36/0x50
  crypto_sha256_finup+0xef/0x170
  crypto_shash_finup+0x25/0x30
  shash_digest_unaligned+0x47/0x60
  crypto_shash_digest+0x2e/0x40
  hmac_setkey+0x15a/0x210
  ? tty_insert_flip_string_fixed_flag+0x86/0xe0
  crypto_shash_setkey+0x35/0xc0
  ? pty_write+0x71/0x90
  shash_async_setkey+0x15/0x20
  crypto_ahash_setkey+0x38/0xb0
  crypto_authenc_setkey+0x68/0x100 [authenc]
  crypto_aead_setkey+0x35/0xc0
  aead_setkey+0x15/0x20 [algif_aead]
  alg_setsockopt+0x112/0x140 [af_alg]
  SyS_setsockopt+0x86/0xf0
  do_syscall_64+0x73/0x130
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
 RIP: 0033:0x7f9f29f61e6a
 RSP: 002b:00007ffdd050ba38 EFLAGS: 00000207 ORIG_RAX: 0000000000000036
 RAX: ffffffffffffffda RBX: 00007f9f2a44d500 RCX: 00007f9f29f61e6a
 RDX: 0000000000000001 RSI: 0000000000000117 RDI: 0000000000000006
 RBP: 0000000000000006 R08: 0000000000000009 R09: 00007ffdd050b960
 R10: 00007ffdd050ba4f R11: 0000000000000207 R12: 0000000000000001
 R13: 0000000000000000 R14: 0000000000000000 R15: 000056456d64d908
 Code: 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 81 ec 08 01 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 <8b> 14 06 0f ca 89 94 05 d0 fe ff ff 48 83 c0 04 48 83 f8 40 75
 RIP: sha256_transform+0x28/0x1b20 RSP: ffffb58e8344baa0
 CR2: ffff9cbffffe0000
 ---[ end trace ac2d55c95d4eed9d ]---

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-50-generic 4.15.0-50.54
ProcVersionSignature: User Name 4.15.0-50.54-generic 4.15.18
Uname: Linux 4.15.0-50-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 May 20 08:23 seq
 crw-rw---- 1 root audio 116, 33 May 20 08:23 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
Date: Mon May 20 08:44:39 2019
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:

ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
ProcFB: 0 cirrusdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-50-generic root=UUID=576666e8-9e7f-40ee-934e-f1dce18323e5 ro
RelatedPackageVersions:
 linux-restricted-modules-4.15.0-50-generic N/A
 linux-backports-modules-4.15.0-50-generic N/A
 linux-firmware 1.173.6
RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-xenial
dmi.modalias: dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-xenial
dmi.sys.vendor: QEMU
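
The key layout and the length underflow described in the justification above, as an added example that is not part of the bug report, the LTP test or the kernel source: a user-space C model of the authenc key format with a builder that lays a key out correctly, and a parser modelled on the logic the commit message describes, switchable between the original "payload at least 4 bytes" check and the fixed "payload exactly 4 bytes" check. The rtattr macros are reimplemented locally, extractkeys() is a model of crypto_authenc_extractkeys() rather than a copy, and the 9-byte key with rta_len = 9 that triggers the underflow is constructed here. The oversized authkeylen the original check lets through is the length that, in the call trace above, reached crypto_ahash_setkey() and hmac_setkey() and was digested off the end of the key.

```c
/* Added example, not code from the bug report, LTP or the kernel: a user-space
 * model of the authenc key format and of the rta_len underflow.  The rtattr macros
 * mirror <linux/rtnetlink.h>; extractkeys() follows the logic the commit message
 * describes and is a model of crypto_authenc_extractkeys(), not a copy of it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct rtattr { uint16_t rta_len; uint16_t rta_type; };
struct authenc_keys { const uint8_t *authkey, *enckey; unsigned authkeylen, enckeylen; };

#define RTA_ALIGN(len)   (((len) + 3U) & ~3U)
#define RTA_LENGTH(len)  (RTA_ALIGN(sizeof(struct rtattr)) + (len))
#define RTA_OK(rta, len) ((len) >= sizeof(struct rtattr) && \
    (rta)->rta_len >= sizeof(struct rtattr) && (rta)->rta_len <= (len))
#define RTA_PAYLOAD(rta) ((unsigned)(rta)->rta_len - (unsigned)RTA_LENGTH(0))
#define CRYPTO_AUTHENC_KEYA_PARAM 1

/* enckeylen travels as a big-endian 32-bit value (__be32). */
static uint32_t be32_read(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void be32_write(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Well-formed key as passed via ALG_SET_KEY:
 *   rtattr{rta_len = 8, rta_type = 1} || __be32 enckeylen || authkey || enckey
 * Returns the total length, or 0 if buf is too small. */
static size_t build_authenc_key(uint8_t *buf, size_t bufsz, const uint8_t *authkey,
                                unsigned authkeylen, const uint8_t *enckey, unsigned enckeylen)
{
    struct rtattr rta = { (uint16_t)RTA_LENGTH(4), CRYPTO_AUTHENC_KEYA_PARAM };
    size_t total = RTA_LENGTH(4) + authkeylen + enckeylen;
    if (total > bufsz) return 0;
    memcpy(buf, &rta, sizeof rta);
    be32_write(buf + sizeof rta, enckeylen);
    memcpy(buf + RTA_LENGTH(4), authkey, authkeylen);
    memcpy(buf + RTA_LENGTH(4) + authkeylen, enckey, enckeylen);
    return total;
}

/* 'fixed' selects the post-8f9c4693 check (payload exactly 4 bytes) over the
 * original "at least 4 bytes" check.  Returns 0, or -1 for EINVAL. */
static int extractkeys(struct authenc_keys *keys, const uint8_t *key, unsigned keylen, int fixed)
{
    struct rtattr rta;
    unsigned payload;
    if (keylen < sizeof rta) return -1;
    memcpy(&rta, key, sizeof rta);
    if (!RTA_OK(&rta, keylen) || rta.rta_type != CRYPTO_AUTHENC_KEYA_PARAM) return -1;
    payload = RTA_PAYLOAD(&rta);
    if (fixed ? payload != sizeof(uint32_t) : payload < sizeof(uint32_t)) return -1;
    keys->enckeylen = be32_read(key + RTA_LENGTH(0));
    /* RTA_OK() bounded the unaligned rta_len, but the keys start at the next
     * 4-byte boundary: with rta_len = 9 and keylen = 9 this is 9 - 12. */
    key    += RTA_ALIGN(rta.rta_len);
    keylen -= RTA_ALIGN(rta.rta_len);
    if (keys->enckeylen > keylen) return -1;
    keys->authkey    = key;
    keys->authkeylen = keylen - keys->enckeylen;
    keys->enckey     = key + keys->authkeylen;
    return 0;
}

/* 0 = parsed within bounds, -1 = rejected, 1 = accepted with a key length larger
 * than the buffer (the underflow; the kernel then handed that length to
 * crypto_ahash_setkey() -> hmac_setkey(), which read off the end of the key). */
static int parse_outcome(const uint8_t *key, unsigned keylen, int fixed)
{
    struct authenc_keys k;
    if (extractkeys(&k, key, keylen, fixed) != 0) return -1;
    return (k.authkeylen > keylen || k.enckeylen > keylen) ? 1 : 0;
}

static int outcome_good_key(int fixed)
{
    uint8_t buf[64], ak[32], ek[16];   /* constructed HMAC and AES-128 keys */
    memset(ak, 0xA1, sizeof ak);
    memset(ek, 0xE2, sizeof ek);
    size_t n = build_authenc_key(buf, sizeof buf, ak, sizeof ak, ek, sizeof ek);
    return n ? parse_outcome(buf, (unsigned)n, fixed) : -9;
}

/* Constructed trigger: rta_len = 9 (4-byte header + 5-byte payload) and the key
 * ends at byte 9, before the next 4-byte boundary at byte 12. */
static int outcome_misaligned_key(int fixed)
{
    struct rtattr rta = { 9, CRYPTO_AUTHENC_KEYA_PARAM };
    uint8_t buf[16] = { 0 };          /* bytes 4..7: enckeylen = 0; byte 8: the extra payload byte */
    memcpy(buf, &rta, sizeof rta);
    return parse_outcome(buf, 9, fixed);   /* only the first 9 bytes are the key */
}

int main(void)
{
    printf("well-formed key: original=%d fixed=%d\n", outcome_good_key(0), outcome_good_key(1));
    printf("rta_len=9 key:   original=%d fixed=%d\n", outcome_misaligned_key(0), outcome_misaligned_key(1));
    return 0;
}
```

With the original check the rta_len = 9 key is accepted and the parser reports an authkeylen of about 4 GiB, which is what crypto_ahash_setkey() would then digest; with the fixed check the same key is rejected with EINVAL before any length arithmetic, and a well-formed 8-byte rtattr followed by the two keys parses identically under both.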

Po-Hsu Lin (cypressyew) wrote :

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu Bionic):
status: New → Confirmed

Patch available in D/E; marking this as Fix Released for them.

Changed in ubuntu-kernel-tests:
status: New → In Progress
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu Cosmic):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in linux (Ubuntu Cosmic):
status: New → In Progress
Changed in linux (Ubuntu):
status: Confirmed → Fix Released
summary: - af_alg06 test from crypto test suite in LTP failed with kernel oops
+ af_alg06 test from crypto test suite in LTP failed with kernel oops on
+ B/C
Po-Hsu Lin (cypressyew) wrote :

Test passed with the Bionic test kernel:
https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/B/

[ 89.621610] LTP: starting af_alg06
[ 89.626967] NET: Registered protocol family 38

Po-Hsu Lin (cypressyew) wrote :

Test passed with the Cosmic test kernel:
https://people.canonical.com/~phlin/kernel/lp-1829725-afalg06/C/
[ 69.838499] LTP: starting af_alg06
[ 69.845786] NET: Registered protocol family 38

Po-Hsu Lin (cypressyew) wrote :
description: updated
description: updated
description: updated
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Cosmic):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed-cosmic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-cosmic

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-55.60

---------------
linux (4.15.0-55.60) bionic; urgency=medium

  * linux: 4.15.0-55.60 -proposed tracker (LP: #1834954)

  * Request backport of ceph commits into bionic (LP: #1834235)
    - ceph: use atomic_t for ceph_inode_info::i_shared_gen
    - ceph: define argument structure for handle_cap_grant
    - ceph: flush pending works before shutdown super
    - ceph: send cap releases more aggressively
    - ceph: single workqueue for inode related works
    - ceph: avoid dereferencing invalid pointer during cached readdir
    - ceph: quota: add initial infrastructure to support cephfs quotas
    - ceph: quota: support for ceph.quota.max_files
    - ceph: quota: don't allow cross-quota renames
    - ceph: fix root quota realm check
    - ceph: quota: support for ceph.quota.max_bytes
    - ceph: quota: update MDS when max_bytes is approaching
    - ceph: quota: add counter for snaprealms with quota
    - ceph: avoid iput_final() while holding mutex or in dispatch thread

  * QCA9377 isn't being recognized sometimes (LP: #1757218)
    - SAUCE: USB: Disable USB2 LPM at shutdown

  * hns: fix ICMP6 neighbor solicitation messages discard problem (LP: #1833140)
    - net: hns: fix ICMP6 neighbor solicitation messages discard problem
    - net: hns: fix unsigned comparison to less than zero

  * Fix occasional boot time crash in hns driver (LP: #1833138)
    - net: hns: Fix probabilistic memory overwrite when HNS driver initialized

  * use-after-free in hns_nic_net_xmit_hw (LP: #1833136)
    - net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw()

  * hns: attempt to restart autoneg when disabled should report error
    (LP: #1833147)
    - net: hns: Restart autoneg need return failed when autoneg off

  * systemd 237-3ubuntu10.14 ADT test failure on Bionic ppc64el (test-seccomp)
    (LP: #1821625)
    - powerpc: sys_pkey_alloc() and sys_pkey_free() system calls
    - powerpc: sys_pkey_mprotect() system call

  * [UBUNTU] pkey: Indicate old mkvp only if old and curr. mkvp are different
    (LP: #1832625)
    - pkey: Indicate old mkvp only if old and current mkvp are different

  * [UBUNTU] kernel: Fix gcm-aes-s390 wrong scatter-gather list processing
    (LP: #1832623)
    - s390/crypto: fix gcm-aes-s390 selftest failures

  * System crashes on hot adding a core with drmgr command (4.15.0-48-generic)
    (LP: #1833716)
    - powerpc/numa: improve control of topology updates
    - powerpc/numa: document topology_updates_enabled, disable by default

  * Kernel modules generated incorrectly when system is localized to a non-
    English language (LP: #1828084)
    - scripts: override locale from environment when running recordmcount.pl

  * [UBUNTU] kernel: Fix wrong dispatching for control domain CPRBs
    (LP: #1832624)
    - s390/zcrypt: Fix wrong dispatching for control domain CPRBs

  * CVE-2019-11815
    - net: rds: force to destroy connection if t_sock is NULL in
      rds_tcp_kill_sock().

  * Sound device not detected after resume from hibernate (LP: #1826868)
    - drm/i915: Force 2*96 MHz cdclk on glk/cnl when audio power is enabled
    - drm/i915: Save the old CDCLK atomic state
...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew) wrote :

af_alg06 test passed with the B/C.

Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
tags: added: verification-done-bionic verification-done-cosmic
removed: verification-needed-bionic verification-needed-cosmic
Po-Hsu Lin (cypressyew) on 2019-08-13
Changed in linux (Ubuntu Cosmic):
status: Fix Committed → Won't Fix