From: syzbot <syzbot+79102ed905e5b2dc0fc3@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [mm?] KMSAN: kernel-infoleak in bpf_probe_write_user
Date: Fri, 12 Apr 2024 19:27:25 -0700 [thread overview]
Message-ID: <000000000000fe696d0615f120bb@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: fec50db7033e Linux 6.9-rc3
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16509ba1180000
kernel config: https://syzkaller.appspot.com/x/.config?x=13e7da432565d94c
dashboard link: https://syzkaller.appspot.com/bug?extid=79102ed905e5b2dc0fc3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10a4af9d180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12980f9d180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/901017b36ccc/disk-fec50db7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/16bfcf5618d3/vmlinux-fec50db7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dc9c5a1e7d02/bzImage-fec50db7.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+79102ed905e5b2dc0fc3@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in __copy_to_user_inatomic include/linux/uaccess.h:125 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_nofault+0x129/0x1f0 mm/maccess.c:149
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
__copy_to_user_inatomic include/linux/uaccess.h:125 [inline]
copy_to_user_nofault+0x129/0x1f0 mm/maccess.c:149
____bpf_probe_write_user kernel/trace/bpf_trace.c:349 [inline]
bpf_probe_write_user+0x104/0x180 kernel/trace/bpf_trace.c:327
___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
__bpf_prog_run64+0xb5/0xe0 kernel/bpf/core.c:2236
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
bpf_trace_run2+0x116/0x300 kernel/trace/bpf_trace.c:2420
__bpf_trace_kfree+0x29/0x40 include/trace/events/kmem.h:94
trace_kfree include/trace/events/kmem.h:94 [inline]
kfree+0x6a5/0xa30 mm/slub.c:4377
vfs_writev+0x12bf/0x1450 fs/read_write.c:978
do_writev+0x251/0x5c0 fs/read_write.c:1018
__do_sys_writev fs/read_write.c:1091 [inline]
__se_sys_writev fs/read_write.c:1088 [inline]
__x64_sys_writev+0x98/0xe0 fs/read_write.c:1088
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x72/0x7a
Local variable stack created at:
__bpf_prog_run64+0x45/0xe0 kernel/bpf/core.c:2236
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
bpf_trace_run2+0x116/0x300 kernel/trace/bpf_trace.c:2420
Bytes 0-7 of 8 are uninitialized
Memory access of size 8 starts at ffff888121ec7ae8
Data copied to user address 00000000ffffffff
CPU: 1 PID: 4779 Comm: dhcpcd Not tainted 6.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2024-04-13 2:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-13 2:27 syzbot [this message]
2024-04-15 20:18 ` [syzbot] [mm?] KMSAN: kernel-infoleak in bpf_probe_write_user Andrew Morton
2024-04-15 21:06 ` Alexei Starovoitov
2024-04-16 8:46 ` Aleksandr Nogikh
2024-04-16 8:52 ` Alexander Potapenko
2024-04-16 15:16 ` Alexei Starovoitov
2024-04-18 7:58 ` Alexander Potapenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000fe696d0615f120bb@google.com \
--to=syzbot+79102ed905e5b2dc0fc3@syzkaller.appspotmail.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.