From: syzbot <syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com>
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [net?] KMSAN: kernel-infoleak in __skb_datagram_iter (4)
Date: Fri, 24 May 2024 05:51:27 -0700
Message-ID: <00000000000035941f061932a077@google.com>
Hello,
syzbot found the following issue on:
HEAD commit: 101b7a97143a Merge tag 'acpi-6.10-rc1' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15633df4980000
kernel config: https://syzkaller.appspot.com/x/.config?x=7ac2f8c387a23814
dashboard link: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4f673334a91c/disk-101b7a97.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8e6db59f4091/vmlinux-101b7a97.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7e5782387c9d/bzImage-101b7a97.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x24b0 lib/iov_iter.c:185
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:29 [inline]
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
_copy_to_iter+0x366/0x24b0 lib/iov_iter.c:185
copy_to_iter include/linux/uio.h:196 [inline]
simple_copy_to_iter net/core/datagram.c:532 [inline]
__skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
skb_copy_datagram_msg include/linux/skbuff.h:4070 [inline]
netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x2c4/0x340 net/socket.c:1068
____sys_recvmsg+0x18a/0x620 net/socket.c:2803
___sys_recvmsg+0x223/0x840 net/socket.c:2845
__sys_recvmsg net/socket.c:2875 [inline]
__do_sys_recvmsg net/socket.c:2885 [inline]
__se_sys_recvmsg net/socket.c:2882 [inline]
__x64_sys_recvmsg+0x304/0x4a0 net/socket.c:2882
x64_sys_call+0x38ff/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:48
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2271
netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317
netlink_broadcast_filtered+0x82/0x23b0 net/netlink/af_netlink.c:1523
nlmsg_multicast_filtered include/net/netlink.h:1111 [inline]
nlmsg_multicast include/net/netlink.h:1130 [inline]
nlmsg_notify+0x15f/0x2f0 net/netlink/af_netlink.c:2602
rtnl_notify+0xc3/0xf0 net/core/rtnetlink.c:757
wireless_nlevent_flush net/wireless/wext-core.c:354 [inline]
wireless_nlevent_process+0xfe/0x250 net/wireless/wext-core.c:414
process_one_work kernel/workqueue.c:3267 [inline]
process_scheduled_works+0xa81/0x1bd0 kernel/workqueue.c:3348
worker_thread+0xea5/0x1560 kernel/workqueue.c:3429
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Uninit was stored to memory at:
wireless_send_event+0x566/0x1020 net/wireless/wext-core.c:580
ioctl_standard_iw_point+0x12e5/0x13c0
compat_standard_call+0x179/0x310 net/wireless/wext-core.c:1110
wext_ioctl_dispatch+0x234/0xa30 net/wireless/wext-core.c:1016
compat_wext_handle_ioctl+0x1ae/0x2f0 net/wireless/wext-core.c:1139
compat_sock_ioctl+0x26b/0x1370 net/socket.c:3525
__do_compat_sys_ioctl fs/ioctl.c:1004 [inline]
__se_compat_sys_ioctl+0x791/0x1090 fs/ioctl.c:947
__ia32_compat_sys_ioctl+0x93/0xe0 fs/ioctl.c:947
ia32_sys_call+0x1481/0x40a0 arch/x86/include/generated/asm/syscalls_32.h:55
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb4/0x120 arch/x86/entry/common.c:386
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:411
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:449
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
Local variable iwp created at:
compat_standard_call+0x48/0x310 net/wireless/wext-core.c:1097
wext_ioctl_dispatch+0x234/0xa30 net/wireless/wext-core.c:1016
Bytes 60-63 of 64 are uninitialized
Memory access of size 64 starts at ffff88804af03180
Data copied to user address 00007fff5690c968
CPU: 0 PID: 4697 Comm: dhcpcd Tainted: G W 6.9.0-syzkaller-02339-g101b7a97143a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup