All of lore.kernel.org
 help / color / mirror / Atom feed
From: syzbot <syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, arnd@arndb.de, christian@brauner.io,
	deepa.kernel@gmail.com, ebiederm@xmission.com, glider@google.com,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	tglx@linutronix.de
Subject: KMSAN: kernel-infoleak in copy_siginfo_to_user (2)
Date: Sun, 12 May 2019 03:07:05 -0700	[thread overview]
Message-ID: <000000000000410d500588adf637@google.com> (raw)

Hello,

syzbot found the following crash on:

HEAD commit:    d062d017 usb-fuzzer: main usb gadget fuzzer driver
git tree:       kmsan
console output: https://syzkaller.appspot.com/x/log.txt?x=137348b4a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=67ebf8b3cce62ce7
dashboard link: https://syzkaller.appspot.com/bug?extid=0d602a1b0d8c95bdf299
compiler:       clang version 9.0.0 (/home/glider/llvm/clang  
06d00afa61eef8f7f501ebdb4e8612ea43ec2d78)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=175d65e0a00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ae05c0a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com

ptrace attach of "./syz-executor353086472"[10278] was attempted  
by "./syz-executor353086472"[10279]
ptrace attach of "./syz-executor353086472"[10280] was attempted  
by "./syz-executor353086472"[10281]
ptrace attach of "./syz-executor353086472"[10282] was attempted  
by "./syz-executor353086472"[10283]
==================================================================
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10284 Comm: syz-executor353 Not tainted 5.1.0-rc7+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x191/0x1f0 lib/dump_stack.c:113
  kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:619
  kmsan_internal_check_memory+0x974/0xa80 mm/kmsan/kmsan.c:713
  kmsan_copy_to_user+0xa9/0xb0 mm/kmsan/kmsan_hooks.c:492
  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
  copy_to_user include/linux/uaccess.h:174 [inline]
  copy_siginfo_to_user+0x80/0x160 kernel/signal.c:3059
  ptrace_peek_siginfo kernel/ptrace.c:742 [inline]
  ptrace_request+0x24bd/0x2950 kernel/ptrace.c:913
  arch_ptrace+0x9fa/0x1090 arch/x86/kernel/ptrace.c:868
  __do_sys_ptrace kernel/ptrace.c:1155 [inline]
  __se_sys_ptrace+0x2b9/0x7b0 kernel/ptrace.c:1120
  __x64_sys_ptrace+0x56/0x70 kernel/ptrace.c:1120
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x441cc9
Code: e8 bc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 1b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00000000007efdd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000065
RAX: ffffffffffffffda RBX: 0000000000000063 RCX: 0000000000441cc9
RDX: 00000000200000c0 RSI: 0000000000000007 RDI: 0000000000004209
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000716000 R11: 0000000000000246 R12: 0000000000000002
R13: 0000000000402a00 R14: 0000000000000000 R15: 0000000000000000

Local variable description: ----info.i@ptrace_request
Variable was created at:
  ptrace_peek_siginfo kernel/ptrace.c:714 [inline]
  ptrace_request+0x2161/0x2950 kernel/ptrace.c:913
  arch_ptrace+0x9fa/0x1090 arch/x86/kernel/ptrace.c:868

Bytes 0-47 of 48 are uninitialized
Memory access of size 48 starts at ffff8880a902fd70
Data copied to user address 0000000000716000
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

             reply	other threads:[~2019-05-12 10:07 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-12 10:07 syzbot [this message]
2019-05-28 17:34 ` KMSAN: kernel-infoleak in copy_siginfo_to_user (2) Eric W. Biederman
2019-05-28 19:47   ` Andrew Morton
2019-05-29  1:21     ` [PATCH] signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO Eric W. Biederman
2019-06-04 18:33       ` Andrei Vagin
2019-06-04 19:42         ` Eric W. Biederman
2019-06-10 19:39           ` Eric Biggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000410d500588adf637@google.com \
    --to=syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=arnd@arndb.de \
    --cc=christian@brauner.io \
    --cc=deepa.kernel@gmail.com \
    --cc=ebiederm@xmission.com \
    --cc=glider@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tglx@linutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.