From: Greg KH <gregkh@linuxfoundation.org>
To: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
oneukum@suse.com,
syzbot+9760fbbd535cee131f81@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH v3] usb/cdc-wdm: fix memory info leak in wdm_read
Date: Tue, 12 Nov 2024 12:13:22 +0100 [thread overview]
Message-ID: <2024111232-relative-bottom-4995@gregkh> (raw)
In-Reply-To: <20241111120139.3483366-1-snovitoll@gmail.com>
On Mon, Nov 11, 2024 at 05:01:39PM +0500, Sabyrzhan Tasbolatov wrote:
> syzbot reported "KMSAN: kernel-infoleak in wdm_read", though there is no
> reproducer and the only report for this issue.
>
> The check:
>
> if (cntr > count)
> cntr = count;
>
> only limits `cntr` to `count` (the number of bytes requested by
> userspace), but it doesn't verify that `desc->ubuf` actually has `count`
> bytes. This oversight can lead to situations where `copy_to_user` reads
> uninitialized data from `desc->ubuf`.
>
> This patch makes sure `cntr` respects` both the `desc->length` and the
> `count` requested by userspace, preventing any uninitialized memory from
> leaking into userspace.
>
> syzbot report
> =============
> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:180 [inline]
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:26
> instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> _inline_copy_to_user include/linux/uaccess.h:180 [inline]
> _copy_to_user+0xbc/0x110 lib/usercopy.c:26
> copy_to_user include/linux/uaccess.h:209 [inline]
> wdm_read+0x227/0x1270 drivers/usb/class/cdc-wdm.c:603
> vfs_read+0x2a1/0xf60 fs/read_write.c:474
> ksys_read+0x20f/0x4c0 fs/read_write.c:619
> __do_sys_read fs/read_write.c:629 [inline]
> __se_sys_read fs/read_write.c:627 [inline]
> __x64_sys_read+0x93/0xe0 fs/read_write.c:627
> x64_sys_call+0x3055/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:1
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Reported-by: syzbot+9760fbbd535cee131f81@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=9760fbbd535cee131f81
> Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
> ---
> Changes v2 -> v3:
> - reverted kzalloc back to kmalloc as the fix is cntr related (Oliver).
> - added constraint to select the min length from count and desc->length.
> - refactored git commit description as the memory info leak is confirmed.
>
> Changes v1 -> v2:
> - added explanation comment above kzalloc (Greg).
> - renamed patch title from memory leak to memory info leak (Greg).
> ---
> drivers/usb/class/cdc-wdm.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
> index 86ee39db013f..dd7349f8a97a 100644
> --- a/drivers/usb/class/cdc-wdm.c
> +++ b/drivers/usb/class/cdc-wdm.c
> @@ -598,8 +598,9 @@ static ssize_t wdm_read
> spin_unlock_irq(&desc->iuspin);
> }
>
> - if (cntr > count)
> - cntr = count;
> + /* Ensure cntr does not exceed available data in ubuf. */
> + cntr = min(count, (size_t) desc->length);
You should never cast in a call to min(), please use min_t() instead as
that is what it is there for.
thanks,
greg k-h
next prev parent reply other threads:[~2024-11-12 11:13 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-20 22:48 [syzbot] [usb?] KMSAN: kernel-infoleak in wdm_read syzbot
2024-11-09 15:28 ` [PATCH] usb/cdc-wdm: fix memory leak of wdm_device Sabyrzhan Tasbolatov
2024-11-10 7:07 ` Greg KH
2024-11-10 8:21 ` [PATCH v2] usb/cdc-wdm: fix memory info leak in wdm_read Sabyrzhan Tasbolatov
2024-11-11 9:44 ` [PATCH] usb/cdc-wdm: fix memory leak of wdm_device Oliver Neukum
2024-11-11 10:40 ` Sabyrzhan Tasbolatov
2024-11-11 11:46 ` Greg KH
2024-11-11 12:01 ` [PATCH v3] usb/cdc-wdm: fix memory info leak in wdm_read Sabyrzhan Tasbolatov
2024-11-12 11:13 ` Greg KH [this message]
2024-11-12 13:29 ` [PATCH v4] " Sabyrzhan Tasbolatov
2024-11-12 15:52 ` Alan Stern
2024-11-12 19:30 ` Sabyrzhan Tasbolatov
2024-11-12 20:25 ` Alan Stern
2024-11-14 5:58 ` Sabyrzhan Tasbolatov
2024-11-11 14:29 ` [PATCH] usb/cdc-wdm: fix memory leak of wdm_device Alan Stern
2024-11-12 9:34 ` Sabyrzhan Tasbolatov
2024-11-12 15:38 ` Alan Stern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2024111232-relative-bottom-4995@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=oneukum@suse.com \
--cc=snovitoll@gmail.com \
--cc=syzbot+9760fbbd535cee131f81@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.