Linux block layer
 help / color / mirror / Atom feed
From: Peilin Ye <yepeilin.cs@gmail.com>
To: syzbot <syzbot+85433a479a646a064ab3@syzkaller.appspotmail.com>
Cc: axboe@kernel.dk, glider@google.com, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	Anant Thazhemadam <anant.thazhemadam@gmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: KMSAN: kernel-infoleak in scsi_cmd_ioctl
Date: Fri, 2 Oct 2020 09:49:44 -0400	[thread overview]
Message-ID: <20201002134944.GA8205@PWN> (raw)
In-Reply-To: <000000000000a24fa705ae29dc6c@google.com>

On Mon, Aug 31, 2020 at 03:28:22AM -0700, syzbot wrote:
> BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
> CPU: 1 PID: 12272 Comm: syz-executor.3 Not tainted 5.8.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x21c/0x280 lib/dump_stack.c:118
>  kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
>  kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
>  kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
>  instrument_copy_to_user include/linux/instrumented.h:91 [inline]
>  _copy_to_user+0x18e/0x260 lib/usercopy.c:33
>  scsi_put_cdrom_generic_arg include/linux/uaccess.h:170 [inline]

+ Cc: Greg Kroah-Hartman
+ Cc: Anant Thazhemadam

Hi all,

In looking at the report, I guess this patch should fix the issue, there's
a 3-byte hole in `struct compat_cdrom_generic_command`:

[PATCH v3] block/scsi-ioctl: Prevent kernel-infoleak in scsi_put_cdrom_generic_arg()
https://lore.kernel.org/lkml/20200909095057.1214104-1-yepeilin.cs@gmail.com/

But I cannot verify it, since syzbot doesn't have a reproducer for it.
The patch adds a 3-byte padding field to `struct
compat_cdrom_generic_command`. It hasn't been accepted yet.

> Local variable ----cgc32.i42.i@scsi_cmd_ioctl created at:
>  scsi_put_cdrom_generic_arg block/scsi_ioctl.c:695 [inline]

#ifdef CONFIG_COMPAT
	if (in_compat_syscall()) {
		struct compat_cdrom_generic_command
		[...]

$ # before
$ pahole -C "compat_cdrom_generic_command" !$
pahole -C "compat_cdrom_generic_command" block/scsi_ioctl.o
struct compat_cdrom_generic_command {
	unsigned char              cmd[12];              /*     0    12 */
	compat_caddr_t             buffer;               /*    12     4 */
	compat_uint_t              buflen;               /*    16     4 */
	compat_int_t               stat;                 /*    20     4 */
	compat_caddr_t             sense;                /*    24     4 */
	unsigned char              data_direction;       /*    28     1 */

	/* XXX 3 bytes hole, try to pack */

	compat_int_t               quiet;                /*    32     4 */
	compat_int_t               timeout;              /*    36     4 */
	compat_caddr_t             reserved[1];          /*    40     4 */

	/* size: 44, cachelines: 1, members: 9 */
	/* sum members: 41, holes: 1, sum holes: 3 */
	/* last cacheline: 44 bytes */
};
$ # after
$ pahole -C "compat_cdrom_generic_command" block/scsi_ioctl.o
struct compat_cdrom_generic_command {
	unsigned char              cmd[12];              /*     0    12 */
	compat_caddr_t             buffer;               /*    12     4 */
	compat_uint_t              buflen;               /*    16     4 */
	compat_int_t               stat;                 /*    20     4 */
	compat_caddr_t             sense;                /*    24     4 */
	unsigned char              data_direction;       /*    28     1 */
	unsigned char              pad[3];               /*    29     3 */
	compat_int_t               quiet;                /*    32     4 */
	compat_int_t               timeout;              /*    36     4 */
	compat_caddr_t             reserved[1];          /*    40     4 */

	/* size: 44, cachelines: 1, members: 10 */
	/* last cacheline: 44 bytes */
};
$ _

Thank you,
Peilin Ye


  reply	other threads:[~2020-10-02 13:49 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-31 10:28 KMSAN: kernel-infoleak in scsi_cmd_ioctl syzbot
2020-10-02 13:49 ` Peilin Ye [this message]
2020-10-02 14:00   ` Greg Kroah-Hartman
2020-10-02 14:22 ` [PATCH v4] block/scsi-ioctl: Fix kernel-infoleak in scsi_put_cdrom_generic_arg() Peilin Ye
2020-10-02 18:02   ` Jens Axboe
  -- strict thread matches above, loose matches on Subject: below --
2020-09-30 15:53 KMSAN: kernel-infoleak in scsi_cmd_ioctl Anant Thazhemadam

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201002134944.GA8205@PWN \
    --to=yepeilin.cs@gmail.com \
    --cc=anant.thazhemadam@gmail.com \
    --cc=axboe@kernel.dk \
    --cc=glider@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzbot+85433a479a646a064ab3@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox