| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <69122a59.a70a0220.22f260.00fb.GAE@google.com> Date: Mon, 10 Nov 2025 10:09:29 -0800 From: syzbot <syzbot+f64019ba229e3a5c411b@...kaller.appspotmail.com> To: david@...hat.com, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, muchun.song@...ux.dev, osalvador@...e.de, syzkaller-bugs@...glegroups.com Subject: [syzbot] [fs?] [mm?] KMSAN: kernel-infoleak in hugetlbfs_read_iter Hello, syzbot found the following issue on: HEAD commit: 439fc29dfd3b Merge tag 'drm-fixes-2025-11-09' of https://g.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=14c7517c580000 kernel config: https://syzkaller.appspot.com/x/.config?x=cbf50e713aaa5cb0 dashboard link: https://syzkaller.appspot.com/bug?extid=f64019ba229e3a5c411b compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=107f3084580000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10634b42580000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/cfc76859b0d7/disk-439fc29d.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/1a4aa2e08e02/vmlinux-439fc29d.xz kernel image: https://storage.googleapis.com/syzbot-assets/24591c797483/bzImage-439fc29d.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+f64019ba229e3a5c411b@...kaller.appspotmail.com ===================================================== BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_iovec include/linux/iov_iter.h:52 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:304 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:330 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4e4/0x33f0 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_iovec include/linux/iov_iter.h:52 [inline] iterate_and_advance2 include/linux/iov_iter.h:304 [inline] iterate_and_advance include/linux/iov_iter.h:330 [inline] _copy_to_iter+0x4e4/0x33f0 lib/iov_iter.c:185 copy_page_to_iter+0x482/0x910 lib/iov_iter.c:362 copy_folio_to_iter include/linux/uio.h:204 [inline] hugetlbfs_read_iter+0x6cd/0xe10 fs/hugetlbfs/inode.c:281 do_iter_readv_writev+0x9e1/0xc20 fs/read_write.c:-1 vfs_readv+0x34a/0xf30 fs/read_write.c:1018 do_preadv fs/read_write.c:1132 [inline] __do_sys_preadv fs/read_write.c:1179 [inline] __se_sys_preadv fs/read_write.c:1174 [inline] __x64_sys_preadv+0x2a3/0x510 fs/read_write.c:1174 x64_sys_call+0x3064/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:296 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: __alloc_frozen_pages_noprof+0x689/0xf00 mm/page_alloc.c:5206 alloc_buddy_hugetlb_folio mm/hugetlb.c:1944 [inline] only_alloc_fresh_hugetlb_folio+0x2b0/0x1280 mm/hugetlb.c:1984 alloc_fresh_hugetlb_folio mm/hugetlb.c:2003 [inline] alloc_surplus_hugetlb_folio+0x178/0x5c0 mm/hugetlb.c:2223 gather_surplus_pages mm/hugetlb.c:2415 [inline] hugetlb_acct_memory+0x759/0x2420 mm/hugetlb.c:5331 hugetlb_reserve_pages+0x10d1/0x26f0 mm/hugetlb.c:7347 memfd_alloc_folio+0x20a/0x7b0 mm/memfd.c:90 memfd_pin_folios+0x10b3/0x16a0 mm/gup.c:3523 udmabuf_pin_folios drivers/dma-buf/udmabuf.c:337 [inline] udmabuf_create+0x1256/0x1ed0 drivers/dma-buf/udmabuf.c:434 udmabuf_ioctl_create drivers/dma-buf/udmabuf.c:486 [inline] udmabuf_ioctl+0x2eb/0x5b0 drivers/dma-buf/udmabuf.c:517 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0x23c/0x400 fs/ioctl.c:583 __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:583 x64_sys_call+0x1cbc/0x3e30 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 0-5 of 6 are uninitialized Memory access of size 6 starts at ffff88804480000f Data copied to user address 0000200000000080 CPU: 0 UID: 0 PID: 6052 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 ===================================================== --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@...glegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup
Powered by blists - more mailing lists