lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <66f057eb.050a0220.a27de.0004.GAE@google.com>
Date: Sun, 22 Sep 2024 10:46:19 -0700
From: syzbot <syzbot+346474e3bf0b26bd3090@...kaller.appspotmail.com>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, 
	linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com, 
	syzkaller-bugs@...glegroups.com, willemdebruijn.kernel@...il.com
Subject: [syzbot] [net?] KMSAN: kernel-infoleak in move_addr_to_user (7)

Hello,

syzbot found the following issue on:

HEAD commit:    88264981f208 Merge tag 'sched_ext-for-6.12' of git://git.k..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=172c4107980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=547de13ee0a4d284
dashboard link: https://syzkaller.appspot.com/bug?extid=346474e3bf0b26bd3090
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d7c19f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c81c27980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d83fc781c223/disk-88264981.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1ed4c5969fba/vmlinux-88264981.xz
kernel image: https://storage.googleapis.com/syzbot-assets/76a67bd894be/bzImage-88264981.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+346474e3bf0b26bd3090@...kaller.appspotmail.com

=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:180 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:26
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _inline_copy_to_user include/linux/uaccess.h:180 [inline]
 _copy_to_user+0xbc/0x110 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:209 [inline]
 move_addr_to_user+0x28b/0x400 net/socket.c:292
 ____sys_recvmsg+0x232/0x620 net/socket.c:2829
 ___sys_recvmsg+0x223/0x840 net/socket.c:2864
 do_recvmmsg+0x4f6/0xfd0 net/socket.c:2958
 __sys_recvmmsg net/socket.c:3037 [inline]
 __do_sys_recvmmsg net/socket.c:3060 [inline]
 __se_sys_recvmmsg net/socket.c:3053 [inline]
 __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3053
 x64_sys_call+0x2e5d/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:300
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 packet_recvmsg+0x176a/0x2500 net/packet/af_packet.c:3585
 sock_recvmsg_nosec+0x22f/0x2b0 net/socket.c:1052
 ____sys_recvmsg+0x541/0x620 net/socket.c:2820
 ___sys_recvmsg+0x223/0x840 net/socket.c:2864
 do_recvmmsg+0x4f6/0xfd0 net/socket.c:2958
 __sys_recvmmsg net/socket.c:3037 [inline]
 __do_sys_recvmmsg net/socket.c:3060 [inline]
 __se_sys_recvmmsg net/socket.c:3053 [inline]
 __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3053
 x64_sys_call+0x2e5d/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:300
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 eth_header_parse+0xb8/0x110 net/ethernet/eth.c:204
 dev_parse_header include/linux/netdevice.h:3158 [inline]
 packet_rcv+0xefc/0x2050 net/packet/af_packet.c:2253
 dev_queue_xmit_nit+0x114b/0x12a0 net/core/dev.c:2347
 xmit_one net/core/dev.c:3584 [inline]
 dev_hard_start_xmit+0x17d/0xa20 net/core/dev.c:3604
 __dev_queue_xmit+0x3576/0x55e0 net/core/dev.c:4424
 dev_queue_xmit include/linux/netdevice.h:3094 [inline]
 __bpf_tx_skb net/core/filter.c:2152 [inline]
 __bpf_redirect_common net/core/filter.c:2196 [inline]
 __bpf_redirect+0x148c/0x1610 net/core/filter.c:2203
 ____bpf_clone_redirect net/core/filter.c:2475 [inline]
 bpf_clone_redirect+0x37e/0x500 net/core/filter.c:2447
 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:2010
 __bpf_prog_run512+0xc5/0xf0 kernel/bpf/core.c:2253
 bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline]
 __bpf_prog_run include/linux/filter.h:701 [inline]
 bpf_prog_run include/linux/filter.h:708 [inline]
 bpf_test_run+0x546/0xd20 net/bpf/test_run.c:433
 bpf_prog_test_run_skb+0x182f/0x24d0 net/bpf/test_run.c:1094
 bpf_prog_test_run+0x6b1/0xac0 kernel/bpf/syscall.c:4320
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5735
 __do_sys_bpf kernel/bpf/syscall.c:5824 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5822 [inline]
 __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5822
 x64_sys_call+0x2cce/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4092 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
 pskb_expand_head+0x226/0x1a60 net/core/skbuff.c:2275
 skb_ensure_writable+0x496/0x520 net/core/skbuff.c:6214
 __bpf_try_make_writable net/core/filter.c:1677 [inline]
 bpf_try_make_writable net/core/filter.c:1683 [inline]
 bpf_try_make_head_writable net/core/filter.c:1691 [inline]
 ____bpf_clone_redirect net/core/filter.c:2469 [inline]
 bpf_clone_redirect+0x1c5/0x500 net/core/filter.c:2447
 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:2010
 __bpf_prog_run512+0xc5/0xf0 kernel/bpf/core.c:2253
 bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline]
 __bpf_prog_run include/linux/filter.h:701 [inline]
 bpf_prog_run include/linux/filter.h:708 [inline]
 bpf_test_run+0x546/0xd20 net/bpf/test_run.c:433
 bpf_prog_test_run_skb+0x182f/0x24d0 net/bpf/test_run.c:1094
 bpf_prog_test_run+0x6b1/0xac0 kernel/bpf/syscall.c:4320
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5735
 __do_sys_bpf kernel/bpf/syscall.c:5824 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5822 [inline]
 __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5822
 x64_sys_call+0x2cce/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 12-17 of 20 are uninitialized
Memory access of size 20 starts at ffff88812112fa48
Data copied to user address 0000000020000ac0

CPU: 0 UID: 0 PID: 5234 Comm: syz-executor312 Not tainted 6.11.0-syzkaller-08481-g88264981f208 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ