lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YEoTXp1fQ3XhxOV9@phenom.ffwll.local>
Date:   Thu, 11 Mar 2021 13:55:58 +0100
From:   Daniel Vetter <daniel@...ll.ch>
To:     Michel Dänzer <michel@...nzer.net>
Cc:     syzbot <syzbot+620cf21140fc7e772a5d@...kaller.appspotmail.com>,
        airlied@...ux.ie, daniel@...ll.ch, dri-devel@...ts.freedesktop.org,
        glider@...gle.com, linux-kernel@...r.kernel.org,
        maarten.lankhorst@...ux.intel.com, mripard@...nel.org,
        syzkaller-bugs@...glegroups.com, tzimmermann@...e.de
Subject: Re: KMSAN: kernel-infoleak in compat_drm_wait_vblank

On Wed, Mar 03, 2021 at 04:37:18PM +0100, Michel Dänzer wrote:
> On 2021-02-22 10:15 a.m., syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    29ad81a1 arch/x86: add missing include to sparsemem.h
> > git tree:       https://github.com/google/kmsan.git master
> > console output: https://syzkaller.appspot.com/x/log.txt?x=111e6312d00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=c8e3b38ca92283e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=620cf21140fc7e772a5d
> > compiler:       Debian clang version 11.0.1-2
> > userspace arch: i386
> > 
> > Unfortunately, I don't have any reproducer for this issue yet.
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+620cf21140fc7e772a5d@...kaller.appspotmail.com
> > 
> > =====================================================
> > BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
> > CPU: 1 PID: 26999 Comm: syz-executor.2 Not tainted 5.11.0-rc7-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:79 [inline]
> >   dump_stack+0x21c/0x280 lib/dump_stack.c:120
> >   kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
> >   kmsan_internal_check_memory+0x484/0x520 mm/kmsan/kmsan.c:437
> >   kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
> >   instrument_copy_to_user include/linux/instrumented.h:121 [inline]
> >   _copy_to_user+0x1ac/0x270 lib/usercopy.c:33
> >   copy_to_user include/linux/uaccess.h:209 [inline]
> >   compat_drm_wait_vblank+0x36f/0x450 drivers/gpu/drm/drm_ioc32.c:866
> >   drm_compat_ioctl+0x3f6/0x590 drivers/gpu/drm/drm_ioc32.c:995
> >   __do_compat_sys_ioctl fs/ioctl.c:842 [inline]
> >   __se_compat_sys_ioctl+0x53d/0x1100 fs/ioctl.c:793
> >   __ia32_compat_sys_ioctl+0x4a/0x70 fs/ioctl.c:793
> >   do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]
> >   __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141
> >   do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166
> >   do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209
> >   entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> > RIP: 0023:0xf7f47549
> > Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
> > RSP: 002b:00000000f55415fc EFLAGS: 00000296 ORIG_RAX: 0000000000000036
> > RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000c018643a
> > RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000000000000
> > RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> > 
> > Uninit was stored to memory at:
> >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
> >   kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289
> >   __msan_chain_origin+0x57/0xa0 mm/kmsan/kmsan_instr.c:147
> >   compat_drm_wait_vblank+0x43c/0x450 drivers/gpu/drm/drm_ioc32.c:865
> >   drm_compat_ioctl+0x3f6/0x590 drivers/gpu/drm/drm_ioc32.c:995
> >   __do_compat_sys_ioctl fs/ioctl.c:842 [inline]
> >   __se_compat_sys_ioctl+0x53d/0x1100 fs/ioctl.c:793
> >   __ia32_compat_sys_ioctl+0x4a/0x70 fs/ioctl.c:793
> >   do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]
> >   __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141
> >   do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166
> >   do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209
> >   entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> > 
> > Local variable ----req@...pat_drm_wait_vblank created at:
> >   compat_drm_wait_vblank+0x7b/0x450 drivers/gpu/drm/drm_ioc32.c:849
> >   compat_drm_wait_vblank+0x7b/0x450 drivers/gpu/drm/drm_ioc32.c:849
> > 
> > Bytes 12-15 of 16 are uninitialized
> > Memory access of size 16 starts at ffff88814ffe3c98
> > Data copied to user address 0000000020000100
> > =====================================================
> 
> compat_drm_wait_vblank would need to initialize
> 
> 	req.reply.tval_usec = req32.reply.tval_usec;
> 
> before calling drm_ioctl_kernel, since it's not aliased by any
> req.request.* member, and drm_wait_vblank_ioctl doesn't always write to
> it.

I've fixed this in

commit e926c474ebee404441c838d18224cd6f246a71b7
Author: Daniel Vetter <daniel.vetter@...ll.ch>
Date:   Mon Feb 22 11:06:43 2021 +0100

    drm/compat: Clear bounce structures

Or at least tried to.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ