* KMSAN: kernel-infoleak in vcs_read (2)
@ 2019-12-04 15:25 syzbot
2020-09-06 4:04 ` syzbot
0 siblings, 1 reply; 4+ messages in thread
From: syzbot @ 2019-12-04 15:25 UTC (permalink / raw)
To: glider, gregkh, jslaby, jwilk, linux-kernel, nico, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: 141b13f7 fixup "kmsan: ext4: skip block merging logic "
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1201f061e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=fde150fb1e865232
dashboard link: https://syzkaller.appspot.com/bug?extid=31a641689d43387f05d3
compiler: clang version 9.0.0 (/home/glider/llvm/clang
80fee25776c2fb61e74c1ecb1a523375c2500b69)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+31a641689d43387f05d3@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0xa9/0xb0
mm/kmsan/kmsan_hooks.c:257
CPU: 0 PID: 18848 Comm: syz-executor.5 Not tainted 5.4.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x220 lib/dump_stack.c:118
kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
kmsan_internal_check_memory+0x215/0x440 mm/kmsan/kmsan.c:455
kmsan_copy_to_user+0xa9/0xb0 mm/kmsan/kmsan_hooks.c:257
_copy_to_user+0x16b/0x1f0 lib/usercopy.c:33
copy_to_user include/linux/uaccess.h:174 [inline]
vcs_read+0x1edb/0x22e0 drivers/tty/vt/vc_screen.c:424
do_loop_readv_writev fs/read_write.c:714 [inline]
do_iter_read+0x8e0/0xe10 fs/read_write.c:935
vfs_readv fs/read_write.c:997 [inline]
do_readv+0x37f/0x710 fs/read_write.c:1034
__do_sys_readv fs/read_write.c:1125 [inline]
__se_sys_readv+0x9b/0xb0 fs/read_write.c:1122
__x64_sys_readv+0x4a/0x70 fs/read_write.c:1122
do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45a679
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fbb48b2cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
RDX: 0000000000000002 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbb48b2d6d4
R13: 00000000004c89bc R14: 00000000004e0408 R15: 00000000ffffffff
Uninit was stored to memory at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
kmsan_internal_chain_origin+0xb9/0x170 mm/kmsan/kmsan.c:317
kmsan_memcpy_memmove_metadata+0x25c/0x2e0 mm/kmsan/kmsan.c:252
kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:272
__msan_memcpy+0x56/0x70 mm/kmsan/kmsan_instr.c:129
vc_uniscr_copy_line+0x4ce/0x750 drivers/tty/vt/vt.c:566
vcs_read+0xd37/0x22e0 drivers/tty/vt/vc_screen.c:332
do_loop_readv_writev fs/read_write.c:714 [inline]
do_iter_read+0x8e0/0xe10 fs/read_write.c:935
vfs_readv fs/read_write.c:997 [inline]
do_readv+0x37f/0x710 fs/read_write.c:1034
__do_sys_readv fs/read_write.c:1125 [inline]
__se_sys_readv+0x9b/0xb0 fs/read_write.c:1122
__x64_sys_readv+0x4a/0x70 fs/read_write.c:1122
do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:86
slab_alloc_node mm/slub.c:2773 [inline]
slab_alloc mm/slub.c:2782 [inline]
__kmalloc+0x28b/0x410 mm/slub.c:3815
kmalloc include/linux/slab.h:561 [inline]
vc_uniscr_alloc+0xa6/0x730 drivers/tty/vt/vt.c:353
vc_do_resize+0x608/0x2b60 drivers/tty/vt/vt.c:1192
vt_resize+0x10e/0x170 drivers/tty/vt/vt.c:1325
tty_ioctl+0x2c39/0x3100 drivers/tty/tty_io.c:2503
do_vfs_ioctl+0xea8/0x2c50 fs/ioctl.c:46
ksys_ioctl fs/ioctl.c:713 [inline]
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718
__x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718
do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Bytes 0-23 of 216 are uninitialized
Memory access of size 216 starts at ffff8d212e741000
Data copied to user address 0000000020000280
=====================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: KMSAN: kernel-infoleak in vcs_read (2)
2019-12-04 15:25 KMSAN: kernel-infoleak in vcs_read (2) syzbot
@ 2020-09-06 4:04 ` syzbot
2022-07-19 5:49 ` [PATCH] tty: vt: initialize unicode screen buffer Tetsuo Handa
0 siblings, 1 reply; 4+ messages in thread
From: syzbot @ 2020-09-06 4:04 UTC (permalink / raw)
To: glider, gregkh, jslaby, jwilk, linux-kernel, nico, syzkaller-bugs
syzbot has found a reproducer for the following issue on:
HEAD commit: 3b3ea602 x86: add failure injection to get/put/clear_user
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13232335900000
kernel config: https://syzkaller.appspot.com/x/.config?x=3afe005fb99591f
dashboard link: https://syzkaller.appspot.com/bug?extid=31a641689d43387f05d3
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12b2a1a5900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=139ce245900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+31a641689d43387f05d3@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
CPU: 0 PID: 8471 Comm: syz-executor446 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x21c/0x280 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
kmsan_internal_check_memory+0x19d/0x3d0 mm/kmsan/kmsan.c:443
kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
instrument_copy_to_user include/linux/instrumented.h:91 [inline]
_copy_to_user+0x18e/0x260 lib/usercopy.c:33
copy_to_user include/linux/uaccess.h:170 [inline]
vcs_read+0x1c6f/0x2920 drivers/tty/vt/vc_screen.c:424
vfs_read+0x577/0x14d0 fs/read_write.c:479
ksys_read+0x275/0x500 fs/read_write.c:607
__do_sys_read fs/read_write.c:617 [inline]
__se_sys_read+0x92/0xb0 fs/read_write.c:615
__x64_sys_read+0x4a/0x70 fs/read_write.c:615
do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4453c9
Code: Bad RIP value.
RSP: 002b:00007fffa3c8af98 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004453c9
RDX: 0000000000002020 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 0000000000022239 R08: 00000000004002e0 R09: 00000000004002e0
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402590
R13: 0000000000402620 R14: 0000000000000000 R15: 0000000000000000
Uninit was stored to memory at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:310
kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:247
kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:267
__msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:116
vc_uniscr_copy_line+0x545/0x800 drivers/tty/vt/vt.c:572
vcs_read+0x107d/0x2920 drivers/tty/vt/vc_screen.c:332
vfs_read+0x577/0x14d0 fs/read_write.c:479
ksys_read+0x275/0x500 fs/read_write.c:607
__do_sys_read fs/read_write.c:617 [inline]
__se_sys_read+0x92/0xb0 fs/read_write.c:615
__x64_sys_read+0x4a/0x70 fs/read_write.c:615
do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was created at:
kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:269 [inline]
kmsan_alloc_page+0xc5/0x1a0 mm/kmsan/kmsan_shadow.c:293
__alloc_pages_nodemask+0xdf0/0x1030 mm/page_alloc.c:4889
alloc_pages_current+0x685/0xb50 mm/mempolicy.c:2292
alloc_pages include/linux/gfp.h:545 [inline]
__vmalloc_area_node mm/vmalloc.c:2489 [inline]
__vmalloc_node_range+0x989/0x1400 mm/vmalloc.c:2555
__vmalloc_node mm/vmalloc.c:2598 [inline]
vmalloc+0xe0/0xf0 mm/vmalloc.c:2631
vc_uniscr_alloc drivers/tty/vt/vt.c:354 [inline]
vc_do_resize+0x73e/0x38f0 drivers/tty/vt/vt.c:1222
vc_resize+0xc3/0xe0 drivers/tty/vt/vt.c:1334
fbcon_modechanged+0xdc1/0x1320 drivers/video/fbdev/core/fbcon.c:2990
fbcon_update_vcs+0x86/0xa0 drivers/video/fbdev/core/fbcon.c:3048
fb_set_var+0x1420/0x1850 drivers/video/fbdev/core/fbmem.c:1056
do_fb_ioctl+0xc00/0x1150 drivers/video/fbdev/core/fbmem.c:1109
fb_ioctl+0x1e4/0x210 drivers/video/fbdev/core/fbmem.c:1185
vfs_ioctl fs/ioctl.c:48 [inline]
ksys_ioctl fs/ioctl.c:753 [inline]
__do_sys_ioctl fs/ioctl.c:762 [inline]
__se_sys_ioctl+0x319/0x4d0 fs/ioctl.c:760
__x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:760
do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Bytes 0-319 of 640 are uninitialized
Memory access of size 640 starts at ffff8880bbb25000
Data copied to user address 0000000020000100
=====================================================
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] tty: vt: initialize unicode screen buffer
2020-09-06 4:04 ` syzbot
@ 2022-07-19 5:49 ` Tetsuo Handa
2022-07-19 6:03 ` Jiri Slaby
0 siblings, 1 reply; 4+ messages in thread
From: Tetsuo Handa @ 2022-07-19 5:49 UTC (permalink / raw)
To: Greg Kroah-Hartman, Jiri Slaby; +Cc: LKML
syzbot reports kernel infoleak at vcs_read() [1], for buffer can be read
immediately after resize operation. Initialize buffer using kzalloc().
----------
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/fb.h>
int main(int argc, char *argv[])
{
struct fb_var_screeninfo var = { };
const int fb_fd = open("/dev/fb0", 3);
ioctl(fb_fd, FBIOGET_VSCREENINFO, &var);
var.yres = 0x21;
ioctl(fb_fd, FBIOPUT_VSCREENINFO, &var);
return read(open("/dev/vcsu", O_RDONLY), &var, sizeof(var)) == -1;
}
----------
Link: https://syzkaller.appspot.com/bug?extid=31a641689d43387f05d3 [1]
Reported-by: syzbot <syzbot+31a641689d43387f05d3@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
drivers/tty/vt/vt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index f8c87c4d7399..6968517d6f8b 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -344,7 +344,7 @@ static struct uni_screen *vc_uniscr_alloc(unsigned int cols, unsigned int rows)
/* allocate everything in one go */
memsize = cols * rows * sizeof(char32_t);
memsize += rows * sizeof(char32_t *);
- p = vmalloc(memsize);
+ p = vzalloc(memsize);
if (!p)
return NULL;
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] tty: vt: initialize unicode screen buffer
2022-07-19 5:49 ` [PATCH] tty: vt: initialize unicode screen buffer Tetsuo Handa
@ 2022-07-19 6:03 ` Jiri Slaby
0 siblings, 0 replies; 4+ messages in thread
From: Jiri Slaby @ 2022-07-19 6:03 UTC (permalink / raw)
To: Tetsuo Handa, Greg Kroah-Hartman; +Cc: LKML
On 19. 07. 22, 7:49, Tetsuo Handa wrote:
> syzbot reports kernel infoleak at vcs_read() [1], for buffer can be read
> immediately after resize operation. Initialize buffer using kzalloc().
>
> ----------
> #include <fcntl.h>
> #include <unistd.h>
> #include <sys/ioctl.h>
> #include <linux/fb.h>
>
> int main(int argc, char *argv[])
> {
> struct fb_var_screeninfo var = { };
> const int fb_fd = open("/dev/fb0", 3);
> ioctl(fb_fd, FBIOGET_VSCREENINFO, &var);
> var.yres = 0x21;
> ioctl(fb_fd, FBIOPUT_VSCREENINFO, &var);
> return read(open("/dev/vcsu", O_RDONLY), &var, sizeof(var)) == -1;
> }
> ----------
>
> Link: https://syzkaller.appspot.com/bug?extid=31a641689d43387f05d3 [1]
> Reported-by: syzbot <syzbot+31a641689d43387f05d3@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Yes, it makes sense.
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
> ---
> drivers/tty/vt/vt.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index f8c87c4d7399..6968517d6f8b 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -344,7 +344,7 @@ static struct uni_screen *vc_uniscr_alloc(unsigned int cols, unsigned int rows)
> /* allocate everything in one go */
> memsize = cols * rows * sizeof(char32_t);
> memsize += rows * sizeof(char32_t *);
> - p = vmalloc(memsize);
> + p = vzalloc(memsize);
> if (!p)
> return NULL;
>
thanks,
--
js
suse labs
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-07-19 6:03 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-12-04 15:25 KMSAN: kernel-infoleak in vcs_read (2) syzbot
2020-09-06 4:04 ` syzbot
2022-07-19 5:49 ` [PATCH] tty: vt: initialize unicode screen buffer Tetsuo Handa
2022-07-19 6:03 ` Jiri Slaby
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox