Re: [syzbot] [kernel?] KMSAN: kernel-infoleak-after-free in copy_siginfo_to_user (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+cfc08744435c4cf94a40@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, luto@kernel.org,
	peterz@infradead.org,  syzkaller-bugs@googlegroups.com,
	tglx@linutronix.de, xrivendell7@gmail.com
Subject: Re: [syzbot] [kernel?] KMSAN: kernel-infoleak-after-free in copy_siginfo_to_user (2)
Date: Mon, 25 Dec 2023 14:15:18 -0800	[thread overview]
Message-ID: <000000000000a9d761060d5ce6cf@google.com> (raw)
In-Reply-To: <0000000000008fcf9806083e7405@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    861deac3b092 Linux 6.7-rc7
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15826ec9e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=cfc08744435c4cf94a40
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17ea5231e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0ea60ee8ed32/disk-861deac3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d69fdc33021/vmlinux-861deac3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f0158750d452/bzImage-861deac3.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cfc08744435c4cf94a40@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak-after-free in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _copy_to_user+0xbc/0x100 lib/usercopy.c:40
 copy_to_user include/linux/uaccess.h:191 [inline]
 copy_siginfo_to_user+0x40/0x130 kernel/signal.c:3374
 ptrace_request+0xfa6/0x36d0 kernel/ptrace.c:1066
 arch_ptrace+0x435/0x680 arch/x86/kernel/ptrace.c:848
 __do_sys_ptrace kernel/ptrace.c:1305 [inline]
 __se_sys_ptrace+0x2d8/0x750 kernel/ptrace.c:1278
 __x64_sys_ptrace+0xbd/0x110 kernel/ptrace.c:1278
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was stored to memory at:
 copy_siginfo include/linux/signal.h:17 [inline]
 ptrace_getsiginfo kernel/ptrace.c:705 [inline]
 ptrace_request+0xf32/0x36d0 kernel/ptrace.c:1064
 arch_ptrace+0x435/0x680 arch/x86/kernel/ptrace.c:848
 __do_sys_ptrace kernel/ptrace.c:1305 [inline]
 __se_sys_ptrace+0x2d8/0x750 kernel/ptrace.c:1278
 __x64_sys_ptrace+0xbd/0x110 kernel/ptrace.c:1278
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was stored to memory at:
 copy_siginfo include/linux/signal.h:17 [inline]
 collect_signal kernel/signal.c:596 [inline]
 __dequeue_signal+0x548/0xa00 kernel/signal.c:625
 dequeue_signal+0x14b/0xb10 kernel/signal.c:648
 get_signal+0xc3f/0x2d10 kernel/signal.c:2784
 arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x2a/0x140 kernel/entry/common.c:296
 do_syscall_64+0x50/0x110 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_free_hook mm/slub.c:1770 [inline]
 slab_free_freelist_hook mm/slub.c:1826 [inline]
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0x66f/0x1250 mm/slub.c:3831
 __sigqueue_free kernel/signal.c:460 [inline]
 collect_signal kernel/signal.c:603 [inline]
 __dequeue_signal+0x998/0xa00 kernel/signal.c:625
 dequeue_signal+0x14b/0xb10 kernel/signal.c:648
 get_signal+0xc3f/0x2d10 kernel/signal.c:2784
 arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x2a/0x140 kernel/entry/common.c:296
 do_syscall_64+0x50/0x110 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Bytes 12-15 of 48 are uninitialized
Memory access of size 48 starts at ffff888115d6bc80
Data copied to user address 00000000016164e0

CPU: 1 PID: 5004 Comm: strace-static-x Not tainted 6.7.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

next prev parent reply	other threads:[~2023-12-25 22:15 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-21 18:49 [syzbot] [kernel?] KMSAN: kernel-infoleak-after-free in copy_siginfo_to_user (2) syzbot
2023-12-25 22:15 ` syzbot [this message]
2023-12-31  1:51   ` Edward Adam Davis
2023-12-31  2:15     ` syzbot
2023-12-31  2:41   ` [PATCH] ptrace: fix kernel-infoleak-after-free in copy_siginfo_to_user Edward Adam Davis
2024-03-24  9:13 ` [syzbot] [kernel?] KMSAN: kernel-infoleak-after-free in copy_siginfo_to_user (2) syzbot
  -- strict thread matches above, loose matches on Subject: below --
2023-12-25  7:16 xingwei lee

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000a9d761060d5ce6cf@google.com \
    --to=syzbot+cfc08744435c4cf94a40@syzkaller.appspotmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=peterz@infradead.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tglx@linutronix.de \
    --cc=xrivendell7@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.