From: ebiederm@xmission.com (Eric W. Biederman)
To: Andrew Morton <akpm@linux-foundation.org>
Cc: arnd@arndb.de, christian@brauner.io, deepa.kernel@gmail.com,
glider@google.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, tglx@linutronix.de,
Oleg Nesterov <oleg@redhat.com>,
syzbot <syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com>
Subject: Re: KMSAN: kernel-infoleak in copy_siginfo_to_user (2)
Date: Tue, 28 May 2019 12:34:28 -0500
Message-ID: <87woia5vq3.fsf@xmission.com>
In-Reply-To: <000000000000410d500588adf637@google.com> (syzbot's message of "Sun, 12 May 2019 03:07:05 -0700")
Andrew,

Didn't someone already provide a fix for this one?

I thought I saw that hit your tree a while ago. I am looking in
ptrace.c and I don't see anything that would have fixed this issue.

If there isn't a fix in the queue I will take a stab at it.

Thank you
Eric
syzbot <syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com> writes:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: d062d017 usb-fuzzer: main usb gadget fuzzer driver
> git tree: kmsan
> console output: https://syzkaller.appspot.com/x/log.txt?x=137348b4a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=67ebf8b3cce62ce7
> dashboard link: https://syzkaller.appspot.com/bug?extid=0d602a1b0d8c95bdf299
> compiler: clang version 9.0.0 (/home/glider/llvm/clang
> 06d00afa61eef8f7f501ebdb4e8612ea43ec2d78)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=175d65e0a00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14ae05c0a00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
>
> ptrace attach of "./syz-executor353086472"[10278] was attempted by
> "./syz-executor353086472"[10279]
> ptrace attach of "./syz-executor353086472"[10280] was attempted by
> "./syz-executor353086472"[10281]
> ptrace attach of "./syz-executor353086472"[10282] was attempted by
> "./syz-executor353086472"[10283]
> ==================================================================
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> CPU: 1 PID: 10284 Comm: syz-executor353 Not tainted 5.1.0-rc7+ #5
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:619
> kmsan_internal_check_memory+0x974/0xa80 mm/kmsan/kmsan.c:713
> kmsan_copy_to_user+0xa9/0xb0 mm/kmsan/kmsan_hooks.c:492
> _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> copy_to_user include/linux/uaccess.h:174 [inline]
> copy_siginfo_to_user+0x80/0x160 kernel/signal.c:3059
> ptrace_peek_siginfo kernel/ptrace.c:742 [inline]
> ptrace_request+0x24bd/0x2950 kernel/ptrace.c:913
> arch_ptrace+0x9fa/0x1090 arch/x86/kernel/ptrace.c:868
> __do_sys_ptrace kernel/ptrace.c:1155 [inline]
> __se_sys_ptrace+0x2b9/0x7b0 kernel/ptrace.c:1120
> __x64_sys_ptrace+0x56/0x70 kernel/ptrace.c:1120
> do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x63/0xe7
> RIP: 0033:0x441cc9
> Code: e8 bc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 0f 83 1b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00000000007efdd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000065
> RAX: ffffffffffffffda RBX: 0000000000000063 RCX: 0000000000441cc9
> RDX: 00000000200000c0 RSI: 0000000000000007 RDI: 0000000000004209
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000716000 R11: 0000000000000246 R12: 0000000000000002
> R13: 0000000000402a00 R14: 0000000000000000 R15: 0000000000000000
>
> Local variable description: ----info.i@ptrace_request
> Variable was created at:
> ptrace_peek_siginfo kernel/ptrace.c:714 [inline]
> ptrace_request+0x2161/0x2950 kernel/ptrace.c:913
> arch_ptrace+0x9fa/0x1090 arch/x86/kernel/ptrace.c:868
>
> Bytes 0-47 of 48 are uninitialized
> Memory access of size 48 starts at ffff8880a902fd70
> Data copied to user address 0000000000716000
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
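As an added example (not code from this thread, and not the kernel's ptrace.c), here is a userspace C model of the failure mode the KMSAN report describes: a 48-byte stack-local siginfo copied out whole even though nothing ever filled it. The negative-offset path that slips past the end-of-list check, and the found-flag fix beside it, are assumptions about the mechanism rather than anything stated on this page; the 0xAA poison stands in for what KMSAN would flag as uninitialised stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the 48-byte kernel_siginfo_t in the KMSAN report. */
typedef struct { uint8_t b[48]; } kinfo_t;
#define STALE 0xAA /* poison standing in for stale, never-initialised stack */

typedef int (*peek_fn)(const kinfo_t *, int, int32_t, kinfo_t *);

/* Leaky model of the peek loop: info is only filled when the off-th entry is
 * found, but the end-of-list test is derived from off rather than from an
 * explicit "found" flag, so a negative off reaches the copy-out with info
 * untouched (assumed mechanism; the kernel's real code is not on this page). */
static int peek_leaky(const kinfo_t *q, int n, int32_t off, kinfo_t *out)
{
    kinfo_t info;
    memset(&info, STALE, sizeof info); /* what KMSAN would call uninitialised */
    for (int i = 0; i < n; i++)
        if (!off--) { info = q[i]; break; }
    if (off >= 0) return -1;          /* "beyond the end of the list" */
    memcpy(out, &info, sizeof info);  /* stand-in for copy_siginfo_to_user */
    return 0;
}

/* Hardened model: zero info up front, reject negative offsets, and copy out
 * only when a found flag says the struct was actually filled. */
static int peek_safe(const kinfo_t *q, int n, int32_t off, kinfo_t *out)
{
    kinfo_t info = {{0}};
    bool found = false;
    if (off < 0) return -1;
    for (int i = 0; i < n; i++)
        if (!off--) { info = q[i]; found = true; break; }
    if (!found) return -1;
    memcpy(out, &info, sizeof info);
    return 0;
}

/* Drive one peek against a constructed two-entry queue. Returns -1 when the
 * request is rejected, otherwise the count of STALE bytes handed to "user". */
static int stale_bytes_leaked(peek_fn peek, int32_t off)
{
    kinfo_t q[2], out;
    memset(&q[0], 0x11, sizeof q[0]);
    memset(&q[1], 0x22, sizeof q[1]);
    memset(&out, 0, sizeof out);
    if (peek(q, 2, off, &out) < 0) return -1;
    int n = 0;
    for (size_t i = 0; i < sizeof out.b; i++) n += (out.b[i] == STALE);
    return n;
}
```

A valid offset behaves identically under both models; the difference shows only on the unmatched path, which is exactly where a found flag plus zero-initialisation turns a 48-byte leak into a clean error return.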
Thread overview: 7+ messages
2019-05-12 10:07 KMSAN: kernel-infoleak in copy_siginfo_to_user (2) syzbot
2019-05-28 17:34 ` Eric W. Biederman [this message]
2019-05-28 19:47 ` Andrew Morton
2019-05-29 1:21 ` [PATCH] signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO Eric W. Biederman
2019-06-04 18:33 ` Andrei Vagin
2019-06-04 19:42 ` Eric W. Biederman
2019-06-10 19:39 ` Eric Biggers