From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com,
Ivan Orlov <ivan.orlov0322@gmail.com>,
Oliver Hartkopp <socketcan@hartkopp.net>,
Marc Kleine-Budde <mkl@pengutronix.de>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 63/84] can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
Date: Mon, 3 Apr 2023 16:09:04 +0200 [thread overview]
Message-ID: <20230403140355.601224526@linuxfoundation.org> (raw)
In-Reply-To: <20230403140353.406927418@linuxfoundation.org>
From: Ivan Orlov <ivan.orlov0322@gmail.com>
[ Upstream commit 2b4c99f7d9a57ecd644eda9b1fb0a1072414959f ]
Syzkaller reported the following issue:
=====================================================
BUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]
BUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600
aio_rw_done fs/aio.c:1520 [inline]
aio_write+0x899/0x950 fs/aio.c:1600
io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
__do_sys_io_submit fs/aio.c:2078 [inline]
__se_sys_io_submit+0x293/0x770 fs/aio.c:2048
__x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was created at:
slab_post_alloc_hook mm/slab.h:766 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
__kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
__do_kmalloc_node mm/slab_common.c:967 [inline]
__kmalloc+0x11d/0x3b0 mm/slab_common.c:981
kmalloc_array include/linux/slab.h:636 [inline]
bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930
bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
sock_write_iter+0x495/0x5e0 net/socket.c:1108
call_write_iter include/linux/fs.h:2189 [inline]
aio_write+0x63a/0x950 fs/aio.c:1600
io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
__do_sys_io_submit fs/aio.c:2078 [inline]
__se_sys_io_submit+0x293/0x770 fs/aio.c:2048
__x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
CPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
=====================================================
We can follow the call chain and find that 'bcm_tx_setup' function
calls 'memcpy_from_msg' to copy some content to the newly allocated
frame of 'op->frames'. After that the 'len' field of copied structure
being compared with some constant value (64 or 8). However, if
'memcpy_from_msg' returns an error, we will compare some uninitialized
memory. This triggers 'uninit-value' issue.
This patch will add 'memcpy_from_msg' possible errors processing to
avoid uninit-value issue.
Tested via syzkaller
Reported-by: syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=47f897f8ad958bbde5790ebf389b5e7e0a345089
Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
Fixes: 6f3b911d5f29b ("can: bcm: add support for CAN FD frames")
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://lore.kernel.org/all/20230314120445.12407-1-ivan.orlov0322@gmail.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/can/bcm.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 74e555a22de75..61269cc2fa828 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -935,6 +935,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
cf = op->frames + op->cfsiz * i;
err = memcpy_from_msg((u8 *)cf, msg, op->cfsiz);
+ if (err < 0)
+ goto free_op;
if (op->flags & CAN_FD_FRAME) {
if (cf->len > 64)
@@ -944,12 +946,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
err = -EINVAL;
}
- if (err < 0) {
- if (op->frames != &op->sframe)
- kfree(op->frames);
- kfree(op);
- return err;
- }
+ if (err < 0)
+ goto free_op;
if (msg_head->flags & TX_CP_CAN_ID) {
/* copy can_id into frame */
@@ -1020,6 +1018,12 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
bcm_tx_start_timer(op);
return msg_head->nframes * op->cfsiz + MHSIZ;
+
+free_op:
+ if (op->frames != &op->sframe)
+ kfree(op->frames);
+ kfree(op);
+ return err;
}
/*
--
2.39.2
next prev parent reply other threads:[~2023-04-03 14:18 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-03 14:08 [PATCH 4.19 00/84] 4.19.280-rc1 review Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 01/84] power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 02/84] i40evf: Change a VF mac without reloading the VF driver Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 03/84] intel-ethernet: rename i40evf to iavf Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 04/84] iavf: diet and reformat Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 05/84] iavf: fix inverted Rx hash condition leading to disabled hash Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 06/84] intel/igbvf: free irq on the error path in igbvf_request_msix() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 07/84] igbvf: Regard vf reset nack as success Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 08/84] i2c: imx-lpi2c: check only for enabled interrupt flags Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 09/84] scsi: scsi_dh_alua: Fix memleak for qdata in alua_activate() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 10/84] net: usb: smsc95xx: Limit packet length to skb->len Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 11/84] qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 12/84] xirc2ps_cs: Fix use after free bug in xirc2ps_detach Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 13/84] net: qcom/emac: Fix use after free bug in emac_remove due to race condition Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 14/84] net/ps3_gelic_net: Fix RX sk_buff length Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 15/84] net/ps3_gelic_net: Use dma_mapping_error Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 16/84] bpf: Adjust insufficient default bpf_jit_limit Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 17/84] net/mlx5: Read the TC mapping of all priorities on ETS query Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 18/84] atm: idt77252: fix kmemleak when rmmod idt77252 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 19/84] erspan: do not use skb_mac_header() in ndo_start_xmit() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 20/84] net/sonic: use dma_mapping_error() for error check Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 21/84] hvc/xen: prevent concurrent accesses to the shared ring Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 22/84] net: mdio: thunder: Add missing fwnode_handle_put() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 23/84] Bluetooth: btqcomsmd: Fix command timeout after setting BD address Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 24/84] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 25/84] hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 26/84] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 27/84] thunderbolt: Use const qualifier for `ring_interrupt_index` Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 28/84] riscv: Bump COMMAND_LINE_SIZE value to 1024 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 29/84] ca8210: fix mac_len negative array access Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 30/84] m68k: Only force 030 bus error if PC not in exception table Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 31/84] scsi: target: iscsi: Fix an error message in iscsi_check_key() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 32/84] scsi: ufs: core: Add soft dependency on governor_simpleondemand Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 33/84] net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 34/84] net: usb: qmi_wwan: add Telit 0x1080 composition Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 35/84] sh: sanitize the flags on sigreturn Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 36/84] cifs: empty interface list when server doesnt support query interfaces Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 37/84] scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 38/84] usb: gadget: u_audio: dont let userspace block driver unbind Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 39/84] igb: revert rtnl_lock() that causes deadlock Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 40/84] dm thin: fix deadlock when swapping to thin device Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 41/84] usb: chipdea: core: fix return -EINVAL if request role is the same with current role Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 42/84] usb: chipidea: core: fix possible concurrent when switch role Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 43/84] nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 44/84] i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 45/84] dm stats: check for and propagate alloc_percpu failure Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 46/84] dm crypt: add cond_resched() to dmcrypt_write() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 47/84] sched/fair: sanitize vruntime of entity being placed Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 48/84] sched/fair: Sanitize vruntime of entity being migrated Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 49/84] tun: avoid double free in tun_free_netdev Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 50/84] ocfs2: fix data corruption after failed write Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 51/84] bus: imx-weim: fix branch condition evaluates to a garbage value Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 52/84] md: avoid signed overflow in slot_store() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 53/84] ALSA: asihpi: check pao in control_message() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 54/84] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 55/84] fbdev: tgafb: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 56/84] sched_getaffinity: dont assume cpumask_size() is fully initialized Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 57/84] fbdev: nvidia: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.19 58/84] fbdev: intelfb: " Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 59/84] fbdev: lxfb: " Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 60/84] fbdev: au1200fb: " Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 61/84] ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 62/84] scsi: megaraid_sas: Fix crash after a double completion Greg Kroah-Hartman
2023-04-03 14:09 ` Greg Kroah-Hartman [this message]
2023-04-03 14:09 ` [PATCH 4.19 64/84] i40e: fix registers dump after run ethtool adapter self test Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 65/84] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 66/84] net: mvneta: make tx buffer array agnostic Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 67/84] Input: alps - fix compatibility with -funsigned-char Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 68/84] Input: focaltech - use explicitly signed char type Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 69/84] cifs: prevent infinite recursion in CIFSGetDFSRefer() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 70/84] cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 71/84] xen/netback: dont do grant copy across page boundary Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 72/84] pinctrl: at91-pio4: fix domain name assignment Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 73/84] ALSA: hda/conexant: Partial revert of a quirk for Lenovo Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 74/84] ALSA: usb-audio: Fix regression on detection of Roland VS-100 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 75/84] drm/etnaviv: fix reference leak when mmaping imported buffer Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 76/84] s390/uaccess: add missing earlyclobber annotations to __clear_user() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 77/84] usb: host: ohci-pxa27x: Fix and & vs | typo Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 78/84] ext4: fix kernel BUG in ext4_write_inline_data_end() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 79/84] firmware: arm_scmi: Fix device node validation for mailbox transport Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 80/84] gfs2: Always check inode size of inline inodes Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 81/84] net: sched: cbq: dont intepret cls results when asked to drop Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 82/84] cgroup/cpuset: Change cpuset_rwsem and hotplug lock order Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 83/84] cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.19 84/84] cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() Greg Kroah-Hartman
2023-04-03 23:06 ` [PATCH 4.19 00/84] 4.19.280-rc1 review Shuah Khan
2023-04-04 5:19 ` Naresh Kamboju
2023-04-04 10:49 ` Chris Paterson
2023-04-04 11:46 ` Pavel Machek
2023-04-04 18:30 ` Greg Kroah-Hartman
2023-04-04 21:24 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230403140355.601224526@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ivan.orlov0322@gmail.com \
--cc=mkl@pengutronix.de \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=socketcan@hartkopp.net \
--cc=stable@vger.kernel.org \
--cc=syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox