| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <66f057eb.050a0220.a27de.0004.GAE@google.com> Date: Sun, 22 Sep 2024 10:46:19 -0700 From: syzbot <syzbot+346474e3bf0b26bd3090@...kaller.appspotmail.com> To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com, syzkaller-bugs@...glegroups.com, willemdebruijn.kernel@...il.com Subject: [syzbot] [net?] KMSAN: kernel-infoleak in move_addr_to_user (7) Hello, syzbot found the following issue on: HEAD commit: 88264981f208 Merge tag 'sched_ext-for-6.12' of git://git.k.. git tree: upstream console+strace: https://syzkaller.appspot.com/x/log.txt?x=172c4107980000 kernel config: https://syzkaller.appspot.com/x/.config?x=547de13ee0a4d284 dashboard link: https://syzkaller.appspot.com/bug?extid=346474e3bf0b26bd3090 compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12d7c19f980000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14c81c27980000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/d83fc781c223/disk-88264981.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/1ed4c5969fba/vmlinux-88264981.xz kernel image: https://storage.googleapis.com/syzbot-assets/76a67bd894be/bzImage-88264981.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+346474e3bf0b26bd3090@...kaller.appspotmail.com ===================================================== BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:180 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:26 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _inline_copy_to_user include/linux/uaccess.h:180 [inline] _copy_to_user+0xbc/0x110 lib/usercopy.c:26 copy_to_user include/linux/uaccess.h:209 [inline] move_addr_to_user+0x28b/0x400 net/socket.c:292 ____sys_recvmsg+0x232/0x620 net/socket.c:2829 ___sys_recvmsg+0x223/0x840 net/socket.c:2864 do_recvmmsg+0x4f6/0xfd0 net/socket.c:2958 __sys_recvmmsg net/socket.c:3037 [inline] __do_sys_recvmmsg net/socket.c:3060 [inline] __se_sys_recvmmsg net/socket.c:3053 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3053 x64_sys_call+0x2e5d/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:300 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: packet_recvmsg+0x176a/0x2500 net/packet/af_packet.c:3585 sock_recvmsg_nosec+0x22f/0x2b0 net/socket.c:1052 ____sys_recvmsg+0x541/0x620 net/socket.c:2820 ___sys_recvmsg+0x223/0x840 net/socket.c:2864 do_recvmmsg+0x4f6/0xfd0 net/socket.c:2958 __sys_recvmmsg net/socket.c:3037 [inline] __do_sys_recvmmsg net/socket.c:3060 [inline] __se_sys_recvmmsg net/socket.c:3053 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3053 x64_sys_call+0x2e5d/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:300 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: eth_header_parse+0xb8/0x110 net/ethernet/eth.c:204 dev_parse_header include/linux/netdevice.h:3158 [inline] packet_rcv+0xefc/0x2050 net/packet/af_packet.c:2253 dev_queue_xmit_nit+0x114b/0x12a0 net/core/dev.c:2347 xmit_one net/core/dev.c:3584 [inline] dev_hard_start_xmit+0x17d/0xa20 net/core/dev.c:3604 __dev_queue_xmit+0x3576/0x55e0 net/core/dev.c:4424 dev_queue_xmit include/linux/netdevice.h:3094 [inline] __bpf_tx_skb net/core/filter.c:2152 [inline] __bpf_redirect_common net/core/filter.c:2196 [inline] __bpf_redirect+0x148c/0x1610 net/core/filter.c:2203 ____bpf_clone_redirect net/core/filter.c:2475 [inline] bpf_clone_redirect+0x37e/0x500 net/core/filter.c:2447 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:2010 __bpf_prog_run512+0xc5/0xf0 kernel/bpf/core.c:2253 bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline] __bpf_prog_run include/linux/filter.h:701 [inline] bpf_prog_run include/linux/filter.h:708 [inline] bpf_test_run+0x546/0xd20 net/bpf/test_run.c:433 bpf_prog_test_run_skb+0x182f/0x24d0 net/bpf/test_run.c:1094 bpf_prog_test_run+0x6b1/0xac0 kernel/bpf/syscall.c:4320 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5735 __do_sys_bpf kernel/bpf/syscall.c:5824 [inline] __se_sys_bpf kernel/bpf/syscall.c:5822 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5822 x64_sys_call+0x2cce/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4092 [inline] slab_alloc_node mm/slub.c:4135 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587 pskb_expand_head+0x226/0x1a60 net/core/skbuff.c:2275 skb_ensure_writable+0x496/0x520 net/core/skbuff.c:6214 __bpf_try_make_writable net/core/filter.c:1677 [inline] bpf_try_make_writable net/core/filter.c:1683 [inline] bpf_try_make_head_writable net/core/filter.c:1691 [inline] ____bpf_clone_redirect net/core/filter.c:2469 [inline] bpf_clone_redirect+0x1c5/0x500 net/core/filter.c:2447 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:2010 __bpf_prog_run512+0xc5/0xf0 kernel/bpf/core.c:2253 bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline] __bpf_prog_run include/linux/filter.h:701 [inline] bpf_prog_run include/linux/filter.h:708 [inline] bpf_test_run+0x546/0xd20 net/bpf/test_run.c:433 bpf_prog_test_run_skb+0x182f/0x24d0 net/bpf/test_run.c:1094 bpf_prog_test_run+0x6b1/0xac0 kernel/bpf/syscall.c:4320 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5735 __do_sys_bpf kernel/bpf/syscall.c:5824 [inline] __se_sys_bpf kernel/bpf/syscall.c:5822 [inline] __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5822 x64_sys_call+0x2cce/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 12-17 of 20 are uninitialized Memory access of size 20 starts at ffff88812112fa48 Data copied to user address 0000000020000ac0 CPU: 0 UID: 0 PID: 5234 Comm: syz-executor312 Not tainted 6.11.0-syzkaller-08481-g88264981f208 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 ===================================================== --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@...glegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup
Powered by blists - more mailing lists