From: Peilin Ye <yepeilin.cs@gmail.com>
To: syzbot <syzbot+85433a479a646a064ab3@syzkaller.appspotmail.com>
Cc: axboe@kernel.dk, glider@google.com, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
Anant Thazhemadam <anant.thazhemadam@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: KMSAN: kernel-infoleak in scsi_cmd_ioctl
Date: Fri, 2 Oct 2020 09:49:44 -0400 [thread overview]
Message-ID: <20201002134944.GA8205@PWN> (raw)
In-Reply-To: <000000000000a24fa705ae29dc6c@google.com>
On Mon, Aug 31, 2020 at 03:28:22AM -0700, syzbot wrote:
> BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
> CPU: 1 PID: 12272 Comm: syz-executor.3 Not tainted 5.8.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x21c/0x280 lib/dump_stack.c:118
> kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
> kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
> kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
> instrument_copy_to_user include/linux/instrumented.h:91 [inline]
> _copy_to_user+0x18e/0x260 lib/usercopy.c:33
> scsi_put_cdrom_generic_arg include/linux/uaccess.h:170 [inline]
+ Cc: Greg Kroah-Hartman
+ Cc: Anant Thazhemadam
Hi all,
In looking at the report, I guess this patch should fix the issue, there's
a 3-byte hole in `struct compat_cdrom_generic_command`:
[PATCH v3] block/scsi-ioctl: Prevent kernel-infoleak in scsi_put_cdrom_generic_arg()
https://lore.kernel.org/lkml/20200909095057.1214104-1-yepeilin.cs@gmail.com/
But I cannot verify it, since syzbot doesn't have a reproducer for it.
The patch adds a 3-byte padding field to `struct
compat_cdrom_generic_command`. It hasn't been accepted yet.
> Local variable ----cgc32.i42.i@scsi_cmd_ioctl created at:
> scsi_put_cdrom_generic_arg block/scsi_ioctl.c:695 [inline]
#ifdef CONFIG_COMPAT
if (in_compat_syscall()) {
struct compat_cdrom_generic_command
[...]
$ # before
$ pahole -C "compat_cdrom_generic_command" !$
pahole -C "compat_cdrom_generic_command" block/scsi_ioctl.o
struct compat_cdrom_generic_command {
unsigned char cmd[12]; /* 0 12 */
compat_caddr_t buffer; /* 12 4 */
compat_uint_t buflen; /* 16 4 */
compat_int_t stat; /* 20 4 */
compat_caddr_t sense; /* 24 4 */
unsigned char data_direction; /* 28 1 */
/* XXX 3 bytes hole, try to pack */
compat_int_t quiet; /* 32 4 */
compat_int_t timeout; /* 36 4 */
compat_caddr_t reserved[1]; /* 40 4 */
/* size: 44, cachelines: 1, members: 9 */
/* sum members: 41, holes: 1, sum holes: 3 */
/* last cacheline: 44 bytes */
};
$ # after
$ pahole -C "compat_cdrom_generic_command" block/scsi_ioctl.o
struct compat_cdrom_generic_command {
unsigned char cmd[12]; /* 0 12 */
compat_caddr_t buffer; /* 12 4 */
compat_uint_t buflen; /* 16 4 */
compat_int_t stat; /* 20 4 */
compat_caddr_t sense; /* 24 4 */
unsigned char data_direction; /* 28 1 */
unsigned char pad[3]; /* 29 3 */
compat_int_t quiet; /* 32 4 */
compat_int_t timeout; /* 36 4 */
compat_caddr_t reserved[1]; /* 40 4 */
/* size: 44, cachelines: 1, members: 10 */
/* last cacheline: 44 bytes */
};
$ _
Thank you,
Peilin Ye
next prev parent reply other threads:[~2020-10-02 13:49 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-31 10:28 KMSAN: kernel-infoleak in scsi_cmd_ioctl syzbot
2020-10-02 13:49 ` Peilin Ye [this message]
2020-10-02 14:00 ` Greg Kroah-Hartman
2020-10-02 14:22 ` [PATCH v4] block/scsi-ioctl: Fix kernel-infoleak in scsi_put_cdrom_generic_arg() Peilin Ye
2020-10-02 14:22 ` [Linux-kernel-mentees] " Peilin Ye
2020-10-02 18:02 ` Jens Axboe
2020-10-02 18:02 ` [Linux-kernel-mentees] " Jens Axboe
-- strict thread matches above, loose matches on Subject: below --
2020-09-30 15:53 KMSAN: kernel-infoleak in scsi_cmd_ioctl Anant Thazhemadam
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201002134944.GA8205@PWN \
--to=yepeilin.cs@gmail.com \
--cc=anant.thazhemadam@gmail.com \
--cc=axboe@kernel.dk \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+85433a479a646a064ab3@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.