From: syzbot <syzbot+cfc08744435c4cf94a40@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org, luto@kernel.org,
peterz@infradead.org, syzkaller-bugs@googlegroups.com,
tglx@linutronix.de, xrivendell7@gmail.com
Subject: Re: [syzbot] [kernel?] KMSAN: kernel-infoleak-after-free in copy_siginfo_to_user (2)
Date: Sun, 24 Mar 2024 02:13:16 -0700
Message-ID: <0000000000009871740614647751@google.com>
In-Reply-To: <0000000000008fcf9806083e7405@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 70293240c5ce Merge tag 'timers-urgent-2024-03-23' of git:/..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=139071be180000
kernel config: https://syzkaller.appspot.com/x/.config?x=e6bd769cb793b98a
dashboard link: https://syzkaller.appspot.com/bug?extid=cfc08744435c4cf94a40
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14694231180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15846fc1180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0de52742d0b8/disk-70293240.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f304697881bf/vmlinux-70293240.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2b9d8a9376f0/bzImage-70293240.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cfc08744435c4cf94a40@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_user+0xbc/0x110 lib/usercopy.c:40
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
_copy_to_user+0xbc/0x110 lib/usercopy.c:40
copy_to_user include/linux/uaccess.h:191 [inline]
copy_siginfo_to_user+0x40/0x130 kernel/signal.c:3380
ptrace_request+0xfa7/0x36e0 kernel/ptrace.c:1046
arch_ptrace+0x43b/0x680 arch/x86/kernel/ptrace.c:848
__do_sys_ptrace kernel/ptrace.c:1285 [inline]
__se_sys_ptrace+0x2d8/0x760 kernel/ptrace.c:1258
__x64_sys_ptrace+0xbd/0x110 kernel/ptrace.c:1258
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was stored to memory at:
copy_siginfo include/linux/signal.h:18 [inline]
ptrace_getsiginfo kernel/ptrace.c:685 [inline]
ptrace_request+0xf33/0x36e0 kernel/ptrace.c:1044
arch_ptrace+0x43b/0x680 arch/x86/kernel/ptrace.c:848
__do_sys_ptrace kernel/ptrace.c:1285 [inline]
__se_sys_ptrace+0x2d8/0x760 kernel/ptrace.c:1258
__x64_sys_ptrace+0xbd/0x110 kernel/ptrace.c:1258
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was stored to memory at:
copy_siginfo include/linux/signal.h:18 [inline]
collect_signal kernel/signal.c:587 [inline]
__dequeue_signal+0x501/0xad0 kernel/signal.c:616
dequeue_signal+0x14b/0xb20 kernel/signal.c:639
get_signal+0xb46/0x2d00 kernel/signal.c:2790
arch_do_signal_or_restart+0x53/0xcb0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x5d/0x160 kernel/entry/common.c:218
do_syscall_64+0xe4/0x1f0 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was created at:
slab_free_hook mm/slub.c:2073 [inline]
slab_free mm/slub.c:4280 [inline]
kmem_cache_free+0x257/0xa80 mm/slub.c:4344
__sigqueue_free kernel/signal.c:451 [inline]
collect_signal kernel/signal.c:594 [inline]
__dequeue_signal+0xa58/0xad0 kernel/signal.c:616
dequeue_signal+0x14b/0xb20 kernel/signal.c:639
get_signal+0xb46/0x2d00 kernel/signal.c:2790
arch_do_signal_or_restart+0x53/0xcb0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x5d/0x160 kernel/entry/common.c:218
do_syscall_64+0xe4/0x1f0 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Bytes 12-15 of 48 are uninitialized
Memory access of size 48 starts at ffff8881240cfc60
Data copied to user address 0000000014dcf540
CPU: 1 PID: 5012 Comm: strace-static-x Not tainted 6.8.0-syzkaller-13213-g70293240c5ce #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
=====================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
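The four bytes KMSAN flags above (offsets 12-15 of the 48-byte struct kernel_siginfo) are the compiler-inserted padding between si_code and the _sifields union on x86_64, where the union's pointer members force 8-byte alignment. The following is an added illustration of that class of leak, not code from the report, from the patch in this thread, or from the kernel: a constructed stand-in struct (`struct ksi`, with the same 12 + 4 + 32 byte layout, assuming an LP64 target) is placed in memory poisoned with a constructed stale pattern, initialised member by member, and then copied whole the way copy_to_user() copies a kernel_siginfo. The padding survives the member-wise initialisation and reaches the "user" buffer; zeroing the object first, which is what the kernel's clear_siginfo() does, removes it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for struct kernel_siginfo as laid out on x86_64.
 * Assumption: LP64, so the pointer member gives the union 8-byte alignment
 * and the compiler inserts 4 bytes of padding after si_code; the union is
 * kept 32 bytes wide so the whole object is 48 bytes, matching the
 * "Memory access of size 48" in the report. Not the kernel's definition.
 */
struct ksi {
	int si_signo;                    /* offset 0  */
	int si_errno;                    /* offset 4  */
	int si_code;                     /* offset 8  */
	                                 /* offsets 12..15: padding, no member */
	union {                          /* offset 16 */
		struct { int32_t pid; uint32_t uid; } kill;
		struct { void *addr; } fault;
		uint64_t pad[4];
	} fields;
};

/* Constructed byte pattern standing in for stale contents of a recycled slab object. */
#define STALE 0xAA

typedef void (*fill_fn)(struct ksi *, int, int, int);

/*
 * Leaky initialisation: every named member is written (the union is even
 * zeroed in full), but the padding between si_code and the union is never
 * stored to, so it keeps whatever the memory held before.
 */
static void fill_leaky(struct ksi *si, int sig, int pid, int uid)
{
	si->si_signo = sig;
	si->si_errno = 0;
	si->si_code = 0;                              /* SI_USER */
	memset(&si->fields, 0, sizeof(si->fields));
	si->fields.kill.pid = pid;
	si->fields.kill.uid = uid;
}

/*
 * Hardened initialisation: zero the whole object first, the way the kernel's
 * clear_siginfo() does, so no byte of the representation is left stale.
 */
static void fill_clean(struct ksi *si, int sig, int pid, int uid)
{
	memset(si, 0, sizeof(*si));
	fill_leaky(si, sig, pid, uid);
}

/*
 * Simulate the path in the report: an object sitting in poisoned memory is
 * initialised with `fill`, then copied byte for byte into `user`, the way
 * copy_to_user() copies sizeof(struct kernel_siginfo).
 */
static void copy_out(fill_fn fill, unsigned char user[sizeof(struct ksi)])
{
	struct ksi si;

	memset(&si, STALE, sizeof(si));   /* recycled slab contents */
	fill(&si, 9, 1234, 1000);         /* SIGKILL from pid 1234, uid 1000 */
	memcpy(user, &si, sizeof(si));    /* stands in for copy_to_user() */
}

/* Number of stale bytes that reached the user buffer. */
static int stale_count(fill_fn fill)
{
	unsigned char user[sizeof(struct ksi)];
	int n = 0;

	copy_out(fill, user);
	for (size_t i = 0; i < sizeof(user); i++)
		if (user[i] == STALE)
			n++;
	return n;
}

/* Offset of the first stale byte in the user buffer, or -1 if none leaked. */
static int first_stale_offset(fill_fn fill)
{
	unsigned char user[sizeof(struct ksi)];

	copy_out(fill, user);
	for (size_t i = 0; i < sizeof(user); i++)
		if (user[i] == STALE)
			return (int)i;
	return -1;
}

int main(void)
{
	printf("sizeof(struct ksi)=%zu, union at offset %zu\n",
	       sizeof(struct ksi), offsetof(struct ksi, fields));
	printf("member-wise init: %d stale bytes, first at offset %d\n",
	       stale_count(fill_leaky), first_stale_offset(fill_leaky));
	printf("memset-first init: %d stale bytes\n", stale_count(fill_clean));
	return 0;
}
```

Build with `cc -O2 -Wall`; the member-wise variant reports 4 stale bytes starting at offset 12, the same range the report names, and the memset-first variant reports none. The general check this illustrates is independent of siginfo: any struct with holes that is later handed to copy_to_user() as a whole must be cleared before its members are filled, and `pahole -C kernel_siginfo vmlinux` on the vmlinux linked above will show the hole directly.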
Thread overview (7+ messages):
2023-10-21 18:49  [syzbot] [kernel?] KMSAN: kernel-infoleak-after-free in copy_siginfo_to_user (2)  (syzbot)
2023-12-25 22:15    (syzbot)
2023-12-31 01:51    (Edward Adam Davis)
2023-12-31 02:15    (syzbot)
2023-12-31 02:41    [PATCH] ptrace: fix kernel-infoleak-after-free in copy_siginfo_to_user  (Edward Adam Davis)
2024-03-24 09:13    (syzbot) [this message]
Loose match on Subject:
2023-12-25 07:16  [syzbot] [kernel?] KMSAN: kernel-infoleak-after-free in copy_siginfo_to_user (2)  (xingwei lee)