lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACT4Y+YiNvfhx93um7FUp6bgv9nhvbW21K_RJh8yM8kdN12LZw@mail.gmail.com>
Date:   Thu, 8 Nov 2018 08:56:34 -0800
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     syzbot <syzbot+fed4435f163beccc67eb@...kaller.appspotmail.com>
Cc:     Alexander Potapenko <glider@...gle.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jiri Slaby <jslaby@...e.com>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Philippe Ombredanne <pombredanne@...b.com>,
        syzkaller-bugs@...glegroups.com,
        Thomas Gleixner <tglx@...utronix.de>,
        Al Viro <viro@...iv.linux.org.uk>
Subject: Re: Re: KMSAN: uninit-value in vcs_read

On Thu, Nov 8, 2018 at 8:48 AM, syzbot
<syzbot+fed4435f163beccc67eb@...kaller.appspotmail.com> wrote:
>> On Tue, May 15, 2018 at 9:26 AM, syzbot
>> <syzbot+fed4435f163beccc67eb@...kaller.appspotmail.com> wrote:
>>>
>>> Hello,
>
>
>>> syzbot found the following crash on:
>
>
>>> HEAD commit:    e2ab7e8abba4 kmsan: temporarily disable
>>> visitAsmInstructio..
>>> git tree:       https://github.com/google/kmsan.git/master
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=158135db800000
>>> kernel config:
>>> https://syzkaller.appspot.com/x/.config?x=5bf8b7964e37a698
>>> dashboard link:
>>> https://syzkaller.appspot.com/bug?extid=fed4435f163beccc67eb
>>> compiler:       clang version 7.0.0 (trunk 329391)
>>> syzkaller
>>> repro:https://syzkaller.appspot.com/x/repro.syz?x=17a2f91b800000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17bd452b800000
>
>
>>> IMPORTANT: if you fix the bug, please add the following tag to the
>>> commit:
>>> Reported-by: syzbot+fed4435f163beccc67eb@...kaller.appspotmail.com
>
>
>> #syz dup: KMSAN: kernel-infoleak in vcs_read
>
>
> Can't dup bug to a bug in different reporting (upstream->moderation).Please
> dup syzbot bugs only onto syzbot bugs for the same kernel/reporting.

Let's try this:

#syz fix: vt: prevent leaking uninitialized data to userspace via /dev/vcs*


>>> ==================================================================
>>> BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184
>>> [inline]
>>> BUG: KMSAN: uninit-value in vcs_read+0x18ba/0x1cc0
>>> drivers/tty/vt/vc_screen.c:352
>>> CPU: 1 PID: 3501 Comm: syzkaller315412 Not tainted 4.16.0+ #82
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>>   __dump_stack lib/dump_stack.c:17 [inline]
>>>   dump_stack+0x185/0x1d0 lib/dump_stack.c:53
>>>   kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
>>>   kmsan_internal_check_memory+0x125/0x1d0 mm/kmsan/kmsan.c:1157
>>>   kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
>>>   copy_to_user include/linux/uaccess.h:184 [inline]
>>>   vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
>>>   __vfs_read+0x19f/0x8e0 fs/read_write.c:411
>>>   vfs_read+0x36c/0x6c0 fs/read_write.c:447
>>>   SYSC_pread64+0x275/0x310 fs/read_write.c:611
>>>   SyS_pread64+0x65/0x90 fs/read_write.c:598
>>>   do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>>>   entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>>> RIP: 0033:0x443d39
>>> RSP: 002b:00007ffcbd3c35f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000011
>>> RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443d39
>>> RDX: 0000000000000083 RSI: 0000000020000140 RDI: 0000000000000003
>>> RBP: 00000000006ce018 R08: 00000000004002e0 R09: 00000000004002e0
>>> R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004019e0
>>> R13: 0000000000401a70 R14: 0000000000000000 R15: 0000000000000000
>
>
>>> Uninit was stored to memory at:
>>>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
>>>   kmsan_save_stack mm/kmsan/kmsan.c:293 [inline]
>>>   kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684
>>>   __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521
>>>   vcs_read+0xd01/0x1cc0 drivers/tty/vt/vc_screen.c:274
>>>   __vfs_read+0x19f/0x8e0 fs/read_write.c:411
>>>   vfs_read+0x36c/0x6c0 fs/read_write.c:447
>>>   SYSC_pread64+0x275/0x310 fs/read_write.c:611
>>>   SyS_pread64+0x65/0x90 fs/read_write.c:598
>>>   do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>>>   entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>>> Uninit was created at:
>>>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
>>>   kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
>>>   kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
>>>   __kmalloc+0x23c/0x350 mm/slub.c:3791
>>>   kmalloc include/linux/slab.h:517 [inline]
>>>   vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
>>>   con_install+0x8c/0x640 drivers/tty/vt/vt.c:2876
>>>   tty_driver_install_tty drivers/tty/tty_io.c:1224 [inline]
>>>   tty_init_dev+0x1b0/0x1020 drivers/tty/tty_io.c:1324
>>>   tty_open_by_driver drivers/tty/tty_io.c:1959 [inline]
>>>   tty_open+0x15e9/0x2ea0 drivers/tty/tty_io.c:2007
>>>   chrdev_open+0xc20/0xd90 fs/char_dev.c:417
>>>   do_dentry_open+0xcc6/0x1430 fs/open.c:752
>>>   vfs_open+0x1b7/0x2e0 fs/open.c:866
>>>   do_last fs/namei.c:3379 [inline]
>>>   path_openat+0x460a/0x6520 fs/namei.c:3520
>>>   do_filp_open+0x261/0x640 fs/namei.c:3554
>>>   do_sys_open+0x624/0x960 fs/open.c:1059
>>>   SYSC_open+0xab/0xc0 fs/open.c:1077
>>>   SyS_open+0x54/0x80 fs/open.c:1072
>>>   do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
>>>   entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>
>
>>> Bytes 0-79 of 131 are uninitialized
>>> ==================================================================
>
>
>
>>> ---
>>> This bug is generated by a bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for more information about syzbot.
>>> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
>
>>> syzbot will keep track of this bug report. See:
>>> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
>>> syzbot.
>>> syzbot can test patches for this bug, for details see:
>>> https://goo.gl/tpsmEJ#testing-patches
>
>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "syzkaller-bugs" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to syzkaller-bugs+unsubscribe@...glegroups.com.
>>> To view this discussion on the web visit
>>>
>>> https://groups.google.com/d/msgid/syzkaller-bugs/000000000000da269e056c410efd%40google.com.
>>> For more options, visit https://groups.google.com/d/optout.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ