crypto: fix uninit-value in af_alg_free_resources

pskrgag · herbertx · commit 080aa61e370b · 2023-08-18T18:30:09.000+08:00
Syzbot was able to trigger use of uninitialized memory in af_alg_free_resources. Bug is caused by missing initialization of rsgl->sgl.need_unpin before adding to rsgl_list. Then in case of extract_iter_to_sg() failure, rsgl is left with uninitialized need_unpin which is read during clean up BUG: KMSAN: uninit-value in af_alg_free_sg crypto/af_alg.c:545 [inline] BUG: KMSAN: uninit-value in af_alg_free_areq_sgls crypto/af_alg.c:778 [inline] BUG: KMSAN: uninit-value in af_alg_free_resources+0x3d1/0xf60 crypto/af_alg.c:1117 af_alg_free_sg crypto/af_alg.c:545 [inline] af_alg_free_areq_sgls crypto/af_alg.c:778 [inline] af_alg_free_resources+0x3d1/0xf60 crypto/af_alg.c:1117 _skcipher_recvmsg crypto/algif_skcipher.c:144 [inline] ... Uninit was created at: slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 slab_alloc_node mm/slub.c:3470 [inline] __kmem_cache_alloc_node+0x536/0x8d0 mm/slub.c:3509 __do_kmalloc_node mm/slab_common.c:984 [inline] __kmalloc+0x121/0x3c0 mm/slab_common.c:998 kmalloc include/linux/slab.h:586 [inline] sock_kmalloc+0x128/0x1c0 net/core/sock.c:2683 af_alg_alloc_areq+0x41/0x2a0 crypto/af_alg.c:1188 _skcipher_recvmsg crypto/algif_skcipher.c:71 [inline] Fixes: c1abe6f ("crypto: af_alg: Use extract_iter_to_sg() to create scatterlists") Reported-and-tested-by: syzbot+cba21d50095623218389@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=cba21d50095623218389 Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
@@ -1241,6 +1241,8 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags,
 				return -ENOMEM;
 		}
 
+		rsgl->sgl.need_unpin =
+			iov_iter_extract_will_pin(&msg->msg_iter);
 		rsgl->sgl.sgt.sgl = rsgl->sgl.sgl;
 		rsgl->sgl.sgt.nents = 0;
 		rsgl->sgl.sgt.orig_nents = 0;
@@ -1255,8 +1257,6 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags,
 		}
 
 		sg_mark_end(rsgl->sgl.sgt.sgl + rsgl->sgl.sgt.nents - 1);
-		rsgl->sgl.need_unpin =
-			iov_iter_extract_will_pin(&msg->msg_iter);
 
 		/* chain the new scatterlist with previous one */
 		if (areq->last_rsgl)

Original file line number	Diff line number	Diff line change
`@@ -1241,6 +1241,8 @@ int af_alg_get_rsgl(struct sock sk, struct msghdr msg, int flags,`
`1241`	`1241`	`return -ENOMEM;`
`1242`	`1242`	`}`
`1243`	`1243`
	`1244`	`+ rsgl->sgl.need_unpin =`
	`1245`	`+ iov_iter_extract_will_pin(&msg->msg_iter);`
`1244`	`1246`	`rsgl->sgl.sgt.sgl = rsgl->sgl.sgl;`
`1245`	`1247`	`rsgl->sgl.sgt.nents = 0;`
`1246`	`1248`	`rsgl->sgl.sgt.orig_nents = 0;`
`@@ -1255,8 +1257,6 @@ int af_alg_get_rsgl(struct sock sk, struct msghdr msg, int flags,`
`1255`	`1257`	`}`
`1256`	`1258`
`1257`	`1259`	`sg_mark_end(rsgl->sgl.sgt.sgl + rsgl->sgl.sgt.nents - 1);`
`1258`		`- rsgl->sgl.need_unpin =`
`1259`		`- iov_iter_extract_will_pin(&msg->msg_iter);`
`1260`	`1260`
`1261`	`1261`	`/* chain the new scatterlist with previous one */`
`1262`	`1262`	`if (areq->last_rsgl)`