From: Greg KH <gregkh@linuxfoundation.org>
To: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
oneukum@suse.com,
syzbot+9760fbbd535cee131f81@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH v3] usb/cdc-wdm: fix memory info leak in wdm_read
Date: Tue, 12 Nov 2024 12:13:22 +0100 [thread overview]
Message-ID: <2024111232-relative-bottom-4995@gregkh> (raw)
In-Reply-To: <20241111120139.3483366-1-snovitoll@gmail.com>
On Mon, Nov 11, 2024 at 05:01:39PM +0500, Sabyrzhan Tasbolatov wrote:
> syzbot reported "KMSAN: kernel-infoleak in wdm_read", though there is no
> reproducer and the only report for this issue.
>
> The check:
>
> if (cntr > count)
> cntr = count;
>
> only limits `cntr` to `count` (the number of bytes requested by
> userspace), but it doesn't verify that `desc->ubuf` actually has `count`
> bytes. This oversight can lead to situations where `copy_to_user` reads
> uninitialized data from `desc->ubuf`.
>
> This patch makes sure `cntr` respects` both the `desc->length` and the
> `count` requested by userspace, preventing any uninitialized memory from
> leaking into userspace.
>
> syzbot report
> =============
> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> BUG: KMSAN: kernel-infoleak in _inline_copy_to_user include/linux/uaccess.h:180 [inline]
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:26
> instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> _inline_copy_to_user include/linux/uaccess.h:180 [inline]
> _copy_to_user+0xbc/0x110 lib/usercopy.c:26
> copy_to_user include/linux/uaccess.h:209 [inline]
> wdm_read+0x227/0x1270 drivers/usb/class/cdc-wdm.c:603
> vfs_read+0x2a1/0xf60 fs/read_write.c:474
> ksys_read+0x20f/0x4c0 fs/read_write.c:619
> __do_sys_read fs/read_write.c:629 [inline]
> __se_sys_read fs/read_write.c:627 [inline]
> __x64_sys_read+0x93/0xe0 fs/read_write.c:627
> x64_sys_call+0x3055/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:1
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Reported-by: syzbot+9760fbbd535cee131f81@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=9760fbbd535cee131f81
> Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
> ---
> Changes v2 -> v3:
> - reverted kzalloc back to kmalloc as the fix is cntr related (Oliver).
> - added constraint to select the min length from count and desc->length.
> - refactored git commit description as the memory info leak is confirmed.
>
> Changes v1 -> v2:
> - added explanation comment above kzalloc (Greg).
> - renamed patch title from memory leak to memory info leak (Greg).
> ---
> drivers/usb/class/cdc-wdm.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
> index 86ee39db013f..dd7349f8a97a 100644
> --- a/drivers/usb/class/cdc-wdm.c
> +++ b/drivers/usb/class/cdc-wdm.c
> @@ -598,8 +598,9 @@ static ssize_t wdm_read
> spin_unlock_irq(&desc->iuspin);
> }
>
> - if (cntr > count)
> - cntr = count;
> + /* Ensure cntr does not exceed available data in ubuf. */
> + cntr = min(count, (size_t) desc->length);
You should never cast in a call to min(), please use min_t() instead as
that is what it is there for.
thanks,
greg k-h
next prev parent reply other threads:[~2024-11-12 11:13 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-20 22:48 [syzbot] [usb?] KMSAN: kernel-infoleak in wdm_read syzbot
2024-11-09 15:28 ` [PATCH] usb/cdc-wdm: fix memory leak of wdm_device Sabyrzhan Tasbolatov
2024-11-10 7:07 ` Greg KH
2024-11-10 8:21 ` [PATCH v2] usb/cdc-wdm: fix memory info leak in wdm_read Sabyrzhan Tasbolatov
2024-11-11 9:44 ` [PATCH] usb/cdc-wdm: fix memory leak of wdm_device Oliver Neukum
2024-11-11 10:40 ` Sabyrzhan Tasbolatov
2024-11-11 11:46 ` Greg KH
2024-11-11 12:01 ` [PATCH v3] usb/cdc-wdm: fix memory info leak in wdm_read Sabyrzhan Tasbolatov
2024-11-12 11:13 ` Greg KH [this message]
2024-11-12 13:29 ` [PATCH v4] " Sabyrzhan Tasbolatov
2024-11-12 15:52 ` Alan Stern
2024-11-12 19:30 ` Sabyrzhan Tasbolatov
2024-11-12 20:25 ` Alan Stern
2024-11-14 5:58 ` Sabyrzhan Tasbolatov
2024-11-11 14:29 ` [PATCH] usb/cdc-wdm: fix memory leak of wdm_device Alan Stern
2024-11-12 9:34 ` Sabyrzhan Tasbolatov
2024-11-12 15:38 ` Alan Stern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2024111232-relative-bottom-4995@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=oneukum@suse.com \
--cc=snovitoll@gmail.com \
--cc=syzbot+9760fbbd535cee131f81@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox