Re: [syzbot] [usb?] KMSAN: kernel-usb-infoleak in usbtmc_write

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+9d34f80f841e948c3fdb@syzkaller.appspotmail.com>
To: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
	 linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] KMSAN: kernel-usb-infoleak in usbtmc_write
Date: Wed, 04 Sep 2024 05:00:29 -0700	[thread overview]
Message-ID: <000000000000a338d6062149eb22@google.com> (raw)
In-Reply-To: <000000000000407108061e0ed264@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    88fac17500f4 Merge tag 'fuse-fixes-6.11-rc7' of git://git...
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12281339980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=35c699864e165c51
dashboard link: https://syzkaller.appspot.com/bug?extid=9d34f80f841e948c3fdb
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1702531f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=150dd8af980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6e5a9ba13ba0/disk-88fac175.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/229238ec073e/vmlinux-88fac175.xz
kernel image: https://storage.googleapis.com/syzbot-assets/64327bdcda24/bzImage-88fac175.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9d34f80f841e948c3fdb@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x597/0x2350 drivers/usb/core/urb.c:430
 usb_submit_urb+0x597/0x2350 drivers/usb/core/urb.c:430
 usbtmc_write+0xc32/0x1220 drivers/usb/class/usbtmc.c:1606
 vfs_write+0x493/0x1550 fs/read_write.c:588
 ksys_write+0x20f/0x4c0 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0x93/0xe0 fs/read_write.c:652
 x64_sys_call+0x306a/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3994 [inline]
 slab_alloc_node mm/slub.c:4037 [inline]
 __kmalloc_cache_noprof+0x4f0/0xb00 mm/slub.c:4184
 kmalloc_noprof include/linux/slab.h:681 [inline]
 usbtmc_create_urb drivers/usb/class/usbtmc.c:757 [inline]
 usbtmc_write+0x3d3/0x1220 drivers/usb/class/usbtmc.c:1547
 vfs_write+0x493/0x1550 fs/read_write.c:588
 ksys_write+0x20f/0x4c0 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0x93/0xe0 fs/read_write.c:652
 x64_sys_call+0x306a/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Byte 15 of 16 is uninitialized
Memory access of size 16 starts at ffff88810bce7000

CPU: 0 UID: 0 PID: 5229 Comm: syz-executor195 Not tainted 6.11.0-rc6-syzkaller-00026-g88fac17500f4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
=====================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

next prev parent reply	other threads:[~2024-09-04 12:00 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-07-25  9:14 [syzbot] [usb?] KMSAN: kernel-usb-infoleak in usbtmc_write syzbot
2024-09-04 12:00 ` syzbot [this message]
2024-09-04 12:47   ` Edward Adam Davis
2024-09-04 13:33     ` syzbot
2024-09-04 13:55   ` [PATCH] USB: usbtmc: prevent kernel-infoleak Edward Adam Davis
2024-09-04 14:09     ` Greg KH
2024-09-04 14:13       ` Greg KH
2024-09-05 13:56         ` Edward Adam Davis
2024-09-05 14:04           ` Greg KH
2024-09-05 14:16             ` Edward Adam Davis
2024-09-06 14:11               ` [PATCH V2] USB: usbtmc: prevent kernel-usb-infoleak Edward Adam Davis
2024-09-06 14:28                 ` Alan Stern
2024-09-07  2:08                   ` Edward Adam Davis
2024-09-07 14:45                     ` Alan Stern
2024-09-08  0:59                       ` Edward Adam Davis
2024-09-08  1:32                         ` Alan Stern
2024-09-08  2:01                           ` Edward Adam Davis
2024-09-08  2:20                           ` [PATCH V3] " Edward Adam Davis
2024-09-08  5:20                             ` Greg KH
2024-09-08  7:35                               ` Edward Adam Davis
2024-09-08  7:54                                 ` Greg KH
2024-09-08  8:16                                   ` Edward Adam Davis
2024-09-08  8:33                                     ` Greg KH
2024-09-08  9:17                                       ` [PATCH v4] " Edward Adam Davis
2024-09-05 11:27   ` [syzbot] [usb?] KMSAN: kernel-usb-infoleak in usbtmc_write Edward Adam Davis
2024-09-05 15:42     ` syzbot
2024-09-05 14:21   ` Edward Adam Davis
2024-09-05 16:11     ` syzbot
2024-09-06 11:55   ` Edward Adam Davis
2024-09-06 12:29     ` syzbot
2024-09-06 12:37   ` Edward Adam Davis
2024-09-06 13:07     ` syzbot
2024-09-06 13:06   ` Edward Adam Davis
2024-09-06 13:51     ` syzbot
2024-09-06 13:52   ` Edward Adam Davis
2024-09-06 16:59     ` syzbot
2024-09-05  7:11 ` [syzbot] " syzbot
2024-09-05  8:29 ` syzbot
     [not found] <20240905071112.1621278-1-lizhi.xu@windriver.com>
2024-09-05  7:57 ` syzbot
     [not found] <20240905082935.2536851-1-lizhi.xu@windriver.com>
2024-09-05  8:59 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000a338d6062149eb22@google.com \
    --to=syzbot+9d34f80f841e948c3fdb@syzkaller.appspotmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.