lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <695f83f3.050a0220.1c677c.0392.GAE@google.com>
Date: Thu, 08 Jan 2026 02:16:19 -0800
From: syzbot <syzbot+bfc7323743ca6dbcc3d3@...kaller.appspotmail.com>
To: davem@...emloft.net, edumazet@...gle.com, horms@...nel.org, 
	kuba@...nel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, 
	pabeni@...hat.com, syzkaller-bugs@...glegroups.com
Subject: [syzbot] [net?] KMSAN: kernel-infoleak in __skb_datagram_iter (5)

Hello,

syzbot found the following issue on:

HEAD commit:    f0b9d8eb98df Merge tag 'nfsd-6.19-3' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f9be9a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b3903bdf68407a14
dashboard link: https://syzkaller.appspot.com/bug?extid=bfc7323743ca6dbcc3d3
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d9ff9c5037b8/disk-f0b9d8eb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b3c97cb6b38c/vmlinux-f0b9d8eb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d523f5e33ff5/bzImage-f0b9d8eb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bfc7323743ca6dbcc3d3@...kaller.appspotmail.com

=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:30 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:302 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:330 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0xef3/0x33f0 lib/iov_iter.c:197
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 copy_to_user_iter lib/iov_iter.c:24 [inline]
 iterate_ubuf include/linux/iov_iter.h:30 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:302 [inline]
 iterate_and_advance include/linux/iov_iter.h:330 [inline]
 _copy_to_iter+0xef3/0x33f0 lib/iov_iter.c:197
 copy_to_iter include/linux/uio.h:220 [inline]
 simple_copy_to_iter net/core/datagram.c:521 [inline]
 __skb_datagram_iter+0x196/0x12c0 net/core/datagram.c:402
 skb_copy_datagram_iter+0x5b/0x1e0 net/core/datagram.c:535
 skb_copy_datagram_msg include/linux/skbuff.h:4217 [inline]
 netlink_recvmsg+0x4bb/0xfe0 net/netlink/af_netlink.c:1951
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x2df/0x390 net/socket.c:1100
 ____sys_recvmsg+0x193/0x610 net/socket.c:2812
 ___sys_recvmsg+0x20b/0x850 net/socket.c:2854
 __sys_recvmsg net/socket.c:2887 [inline]
 __do_sys_recvmsg net/socket.c:2893 [inline]
 __se_sys_recvmsg net/socket.c:2890 [inline]
 __x64_sys_recvmsg+0x20e/0x3d0 net/socket.c:2890
 x64_sys_call+0x38b7/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:48
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 pskb_expand_head+0x310/0x15d0 net/core/skbuff.c:2290
 netlink_trim+0x3a3/0x450 net/netlink/af_netlink.c:1299
 netlink_broadcast_filtered+0x80/0x28f0 net/netlink/af_netlink.c:1512
 nlmsg_multicast_filtered include/net/netlink.h:1165 [inline]
 nlmsg_multicast include/net/netlink.h:1184 [inline]
 nlmsg_notify+0x15b/0x2f0 net/netlink/af_netlink.c:2593
 rtnl_notify+0xba/0x100 net/core/rtnetlink.c:958
 wireless_nlevent_flush net/wireless/wext-core.c:354 [inline]
 wireless_nlevent_process+0xfe/0x290 net/wireless/wext-core.c:414
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xb91/0x1d80 kernel/workqueue.c:3340
 worker_thread+0xedf/0x1590 kernel/workqueue.c:3421
 kthread+0xd5c/0xf00 kernel/kthread.c:463
 ret_from_fork+0x208/0x710 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Uninit was stored to memory at:
 wireless_send_event+0x652/0x1540 net/wireless/wext-core.c:580
 ioctl_standard_iw_point+0x12b0/0x13f0 net/wireless/wext-core.c:896
 compat_standard_call+0x188/0x4c0 net/wireless/wext-core.c:1108
 wireless_process_ioctl net/wireless/wext-core.c:-1 [inline]
 wext_ioctl_dispatch+0x192/0x7a0 net/wireless/wext-core.c:1014
 compat_wext_handle_ioctl+0x1a1/0x300 net/wireless/wext-core.c:1137
 compat_sock_ioctl+0x20c/0xff0 net/socket.c:3530
 __do_compat_sys_ioctl fs/ioctl.c:695 [inline]
 __se_compat_sys_ioctl fs/ioctl.c:638 [inline]
 __ia32_compat_sys_ioctl+0x7f9/0x1270 fs/ioctl.c:638
 ia32_sys_call+0x25d9/0x4340 arch/x86/include/generated/asm/syscalls_32.h:55
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0x154/0x320 arch/x86/entry/syscall_32.c:307
 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:332
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:370
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Local variable iwp created at:
 compat_standard_call+0x4a/0x4c0 net/wireless/wext-core.c:1095
 wireless_process_ioctl net/wireless/wext-core.c:-1 [inline]
 wext_ioctl_dispatch+0x192/0x7a0 net/wireless/wext-core.c:1014

Bytes 60-63 of 64 are uninitialized
Memory access of size 64 starts at ffff8881183ec000
Data copied to user address 00007ffe7d4a8260

CPU: 1 UID: 101 PID: 5458 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ