Bug 1395896

Summary: (at least 4.9.0-0.rc4.git2.2.fc26.x86_64): trivial to make kernel oops by deref NULL using AF_ALG
Product: Fedora
Reporter: Lennart Poettering <lpoetter>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: gansalmon, ichavero, itamar, jonathan, kernel-maint, labbott, madhu.chinakonda, mchehab
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-11-30 15:50:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Lennart Poettering 2016-11-16 21:24:38 UTC
Not sure which kernel versions this applies to, but on 4.9.0-0.rc4.git2.2.fc26.x86_64 at least you can trivially make the kernel oops by running this little program:

https://paste.fedoraproject.org/483300/79317646/raw/

Comment 1 Laura Abbott 2016-11-17 00:09:36 UTC
Looks like 

commit 493b2ed3f7603a15ff738553384d5a4510ffeb95
Author: Herbert Xu <herbert.org.au>
Date:   Thu Sep 1 17:16:44 2016 +0800

    crypto: algif_hash - Handle NULL hashes correctly
    
    Right now attempting to read an empty hash simply returns zeroed
    bytes, this patch corrects this by calling the digest function
    using an empty input.
    
    Reported-by: Russell King - ARM Linux <linux.uk>
    Signed-off-by: Herbert Xu <herbert.org.au>

based on the bisect. I'll start a thread upstream.

Comment 2 Laura Abbott 2016-11-17 21:23:21 UTC
Fix confirmed from maintainer upstream: https://patchwork.kernel.org/patch/9434741/