[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0000000000009569c60570a953e0@google.com>
Date: Tue, 10 Jul 2018 11:30:37 -0700
From: syzbot <syzbot+17a8efdf800000@...kaller.appspotmail.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: glider@...gle.com, gregkh@...uxfoundation.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH 4.9 08/52] vt: prevent leaking uninitialized data to
userspace via /dev/vcs*
> 4.9-stable review patch. If anyone has any objections, please let me
> know.
> ------------------
> From: Alexander Potapenko <glider@...gle.com>
> commit 21eff69aaaa0e766ca0ce445b477698dc6a9f55a upstream.
> KMSAN reported an infoleak when reading from /dev/vcs*:
> BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
> Call Trace:
> ...
> kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
> copy_to_user ./include/linux/uaccess.h:184
> vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
> __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
> vfs_read+0x36c/0x6b0 fs/read_write.c:452
> ...
> Uninit was created at:
> kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
> kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
> kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
> __kmalloc+0x13a/0x350 mm/slub.c:3818
> kmalloc ./include/linux/slab.h:517
> vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
> con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
> tty_driver_install_tty drivers/tty/tty_io.c:1224
> tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
> tty_open_by_driver drivers/tty/tty_io.c:1959
> tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
> chrdev_open+0xc25/0xd90 fs/char_dev.c:417
> do_dentry_open+0xccc/0x1440 fs/open.c:794
> vfs_open+0x1b6/0x2f0 fs/open.c:908
> ...
> Bytes 0-79 of 240 are uninitialized
> Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem
> Reported-by: syzbot+17a8efdf800000@...kaller.appspotmail.com
> Signed-off-by: Alexander Potapenko <glider@...gle.com>
> Cc: stable <stable@...r.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> ---
> drivers/tty/vt/vt.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -785,7 +785,7 @@ int vc_allocate(unsigned int currcons) /
> if (!*vc->vc_uni_pagedir_loc)
> con_set_default_unimap(vc);
> - vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
> + vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
> if (!vc->vc_screenbuf)
> goto err_free;
> @@ -872,7 +872,7 @@ static int vc_do_resize(struct tty_struc
> if (new_screen_size > (4 << 20))
> return -EINVAL;
> - newscreen = kmalloc(new_screen_size, GFP_USER);
> + newscreen = kzalloc(new_screen_size, GFP_USER);
> if (!newscreen)
> return -ENOMEM;
Can't find the corresponding bug.
Powered by blists - more mailing lists