Message-ID: <68592246.a00a0220.2e5631.001a.GAE@google.com>
Date: Mon, 23 Jun 2025 02:45:42 -0700
From: syzbot <syzbot+9b9124ae9b12d5af5d95@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org
Subject: Re: [syzbot] Re: [syzbot] [kernel?] KMSAN: kernel-infoleak in
 vmci_host_unlocked_ioctl (3)

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org.

***

Subject: Re: [syzbot] [kernel?] KMSAN: kernel-infoleak in vmci_host_unlocked_ioctl (3)
Author: lizhi.xu@...driver.com

#syz test

diff --git a/drivers/misc/vmw_vmci/vmci_host.c b/drivers/misc/vmw_vmci/vmci_host.c
index b64944367ac5..fd41bad0a73d 100644
--- a/drivers/misc/vmw_vmci/vmci_host.c
+++ b/drivers/misc/vmw_vmci/vmci_host.c
@@ -293,6 +293,8 @@ static int vmci_host_get_version(struct vmci_host_dev *vmci_host_dev,
 #define vmci_ioctl_err(fmt, ...)	\
 	pr_devel("%s: " fmt, ioctl_name, ##__VA_ARGS__)
 
+static DEFINE_MUTEX(init_rec_mutex);
+
 static int vmci_host_do_init_context(struct vmci_host_dev *vmci_host_dev,
 				     const char *ioctl_name,
 				     void __user *uptr)
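Review bot: `init_rec_mutex` is one file-scope mutex, so it serialises context initialisation and datagram receive across every open VMCI host device, not per device. The init path already takes `vmci_host_dev->lock` (visible in the next hunk). Taking that per-device lock in `vmci_host_do_receive_datagram` would appear to give the exclusion needed for a single device, without global contention or a new lock-nesting order. If the global lock stays, document it above the definition, e.g. `/* Serialises init_context against receive_datagram; always taken before vmci_host_dev->lock. */`.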
@@ -306,6 +308,7 @@ static int vmci_host_do_init_context(struct vmci_host_dev *vmci_host_dev,
 		return -EFAULT;
 	}
 
+	mutex_lock(&init_rec_mutex);
 	mutex_lock(&vmci_host_dev->lock);
 
 	if (vmci_host_dev->ct_type != VMCIOBJ_NOT_SET) {
@@ -354,6 +357,7 @@ static int vmci_host_do_init_context(struct vmci_host_dev *vmci_host_dev,
 
 out:
 	mutex_unlock(&vmci_host_dev->lock);
+	mutex_unlock(&init_rec_mutex);
 	return retval;
 }
 
@@ -426,8 +430,11 @@ static int vmci_host_do_receive_datagram(struct vmci_host_dev *vmci_host_dev,
 		return -EINVAL;
 	}
 
-	if (copy_from_user(&recv_info, uptr, sizeof(recv_info)))
-		return -EFAULT;
+	mutex_lock(&init_rec_mutex);
+	if (copy_from_user(&recv_info, uptr, sizeof(recv_info))) {
+		retval = -EFAULT;
+		goto out;
+	}
 
 	size = recv_info.len;
 	recv_info.result = vmci_ctx_dequeue_datagram(vmci_host_dev->context,
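Review bot: `mutex_lock(&init_rec_mutex)` is taken before `copy_from_user`, and the next hunk keeps it held across both `copy_to_user` calls, so a global lock is held while user memory is faulted in. A user copy can sleep for as long as the fault takes, so one caller can stall every other init or receive ioctl on the driver. Keeping the original `if (copy_from_user(&recv_info, uptr, sizeof(recv_info))) return -EFAULT;` above the lock, and unlocking right after `vmci_ctx_dequeue_datagram` returns, would limit the critical section to the dequeue itself. The dequeued `dg` appears to be owned by this function from that point on, since it is freed here. The function body starts and ends outside this hunk.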
@@ -437,11 +444,17 @@ static int vmci_host_do_receive_datagram(struct vmci_host_dev *vmci_host_dev,
 		void __user *ubuf = (void __user *)(uintptr_t)recv_info.addr;
 		retval = copy_to_user(ubuf, dg, VMCI_DG_SIZE(dg));
 		kfree(dg);
-		if (retval != 0)
-			return -EFAULT;
+		if (retval != 0) {
+			retval = -EFAULT;
+			goto out;
+		}
 	}
 
-	return copy_to_user(uptr, &recv_info, sizeof(recv_info)) ? -EFAULT : 0;
+	retval = copy_to_user(uptr, &recv_info, sizeof(recv_info)) ? -EFAULT : 0;
+
+out:
+	mutex_unlock(&init_rec_mutex);
+	return retval;
 }
 
 static int vmci_host_do_alloc_queuepair(struct vmci_host_dev *vmci_host_dev,
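Review bot: `copy_to_user(ubuf, dg, VMCI_DG_SIZE(dg))` still copies the whole datagram to user space, and the added locking does not initialise any of its bytes. If the KMSAN report named in the subject is about uninitialised bytes inside `dg` (struct padding or a partly filled payload), serialising the two ioctls will not keep them from reaching user space. The allocation that produces the datagram is outside this diff and would need zeroing there, for example `kzalloc` in place of `kmalloc`. Confirm which allocation that is from the report's "Uninit was created at" stack before relying on this test patch.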
