From: syzbot <syzbot+cfc08744435c4cf94a40@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, luto@kernel.org,
	peterz@infradead.org, syzkaller-bugs@googlegroups.com,
	tglx@linutronix.de
Subject: [syzbot] [kernel?] KMSAN: kernel-infoleak-after-free in copy_siginfo_to_user (2)
Date: Sat, 21 Oct 2023 11:49:56 -0700
Message-ID: <0000000000008fcf9806083e7405@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    dd72f9c7e512 Merge tag 'spi-fix-v6-6-rc4' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15fd7ae5680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3f3af4cd712401d4
dashboard link: https://syzkaller.appspot.com/bug?extid=cfc08744435c4cf94a40
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/70e48b37a929/disk-dd72f9c7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/60aeb36b39dc/vmlinux-dd72f9c7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/71699a83a138/bzImage-dd72f9c7.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cfc08744435c4cf94a40@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _copy_to_user+0xbc/0x100 lib/usercopy.c:40
 copy_to_user include/linux/uaccess.h:191 [inline]
 copy_siginfo_to_user+0x40/0x130 kernel/signal.c:3362
 x64_setup_rt_frame+0x1e74/0x2400 arch/x86/kernel/signal_64.c:197
 setup_rt_frame arch/x86/kernel/signal.c:222 [inline]
 handle_signal arch/x86/kernel/signal.c:266 [inline]
 arch_do_signal_or_restart+0x626/0xca0 arch/x86/kernel/signal.c:311
 exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x2a/0x140 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was stored to memory at:
 copy_siginfo include/linux/signal.h:17 [inline]
 collect_signal kernel/signal.c:596 [inline]
 __dequeue_signal+0x548/0xa00 kernel/signal.c:625
 dequeue_signal+0x14b/0xb10 kernel/signal.c:648
 get_signal+0xc3f/0x2d10 kernel/signal.c:2772
 arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x2a/0x140 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
 slab_free_hook mm/slub.c:1770 [inline]
 slab_free_freelist_hook mm/slub.c:1826 [inline]
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0x670/0x12a0 mm/slub.c:3831
 __sigqueue_free kernel/signal.c:460 [inline]
 collect_signal kernel/signal.c:603 [inline]
 __dequeue_signal+0x998/0xa00 kernel/signal.c:625
 dequeue_signal+0x14b/0xb10 kernel/signal.c:648
 get_signal+0xc3f/0x2d10 kernel/signal.c:2772
 arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x2a/0x140 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Bytes 12-15 of 48 are uninitialized
Memory access of size 48 starts at ffff88801301fdb0
Data copied to user address 000000c000e7bbf0

CPU: 0 PID: 5011 Comm: syz-fuzzer Not tainted 6.6.0-rc6-syzkaller-00043-gdd72f9c7e512 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Thread overview: 7+ messages
2023-10-21 18:49 syzbot [this message]
2023-12-25 22:15 ` [syzbot] [kernel?] KMSAN: kernel-infoleak-after-free in copy_siginfo_to_user (2) syzbot
2023-12-31  1:51   ` Edward Adam Davis
2023-12-31  2:15     ` syzbot
2023-12-31  2:41   ` [PATCH] ptrace: fix kernel-infoleak-after-free in copy_siginfo_to_user Edward Adam Davis
2024-03-24  9:13 ` [syzbot] [kernel?] KMSAN: kernel-infoleak-after-free in copy_siginfo_to_user (2) syzbot
  -- strict thread matches above, loose matches on Subject: below --
2023-12-25  7:16 xingwei lee