[PATCH 5.15 44/99] can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com,
	Ivan Orlov <ivan.orlov0322@gmail.com>,
	Oliver Hartkopp <socketcan@hartkopp.net>,
	Marc Kleine-Budde <mkl@pengutronix.de>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 44/99] can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
Date: Mon,  3 Apr 2023 16:09:07 +0200	[thread overview]
Message-ID: <20230403140404.924435673@linuxfoundation.org> (raw)
In-Reply-To: <20230403140356.079638751@linuxfoundation.org>

From: Ivan Orlov <ivan.orlov0322@gmail.com>

[ Upstream commit 2b4c99f7d9a57ecd644eda9b1fb0a1072414959f ]

Syzkaller reported the following issue:

=====================================================
BUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]
BUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600
 aio_rw_done fs/aio.c:1520 [inline]
 aio_write+0x899/0x950 fs/aio.c:1600
 io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
 __do_sys_io_submit fs/aio.c:2078 [inline]
 __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
 __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:766 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc+0x11d/0x3b0 mm/slab_common.c:981
 kmalloc_array include/linux/slab.h:636 [inline]
 bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930
 bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 sock_write_iter+0x495/0x5e0 net/socket.c:1108
 call_write_iter include/linux/fs.h:2189 [inline]
 aio_write+0x63a/0x950 fs/aio.c:1600
 io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
 __do_sys_io_submit fs/aio.c:2078 [inline]
 __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
 __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
=====================================================

We can follow the call chain and find that 'bcm_tx_setup' function
calls 'memcpy_from_msg' to copy some content to the newly allocated
frame of 'op->frames'. After that the 'len' field of copied structure
being compared with some constant value (64 or 8). However, if
'memcpy_from_msg' returns an error, we will compare some uninitialized
memory. This triggers 'uninit-value' issue.

This patch will add 'memcpy_from_msg' possible errors processing to
avoid uninit-value issue.

Tested via syzkaller

Reported-by: syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=47f897f8ad958bbde5790ebf389b5e7e0a345089
Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
Fixes: 6f3b911d5f29b ("can: bcm: add support for CAN FD frames")
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://lore.kernel.org/all/20230314120445.12407-1-ivan.orlov0322@gmail.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/can/bcm.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/net/can/bcm.c b/net/can/bcm.c
index aab3a18f4a90f..5727a073189b2 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -936,6 +936,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 
 			cf = op->frames + op->cfsiz * i;
 			err = memcpy_from_msg((u8 *)cf, msg, op->cfsiz);
+			if (err < 0)
+				goto free_op;
 
 			if (op->flags & CAN_FD_FRAME) {
 				if (cf->len > 64)
@@ -945,12 +947,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 					err = -EINVAL;
 			}
 
-			if (err < 0) {
-				if (op->frames != &op->sframe)
-					kfree(op->frames);
-				kfree(op);
-				return err;
-			}
+			if (err < 0)
+				goto free_op;
 
 			if (msg_head->flags & TX_CP_CAN_ID) {
 				/* copy can_id into frame */
@@ -1021,6 +1019,12 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 		bcm_tx_start_timer(op);
 
 	return msg_head->nframes * op->cfsiz + MHSIZ;
+
+free_op:
+	if (op->frames != &op->sframe)
+		kfree(op->frames);
+	kfree(op);
+	return err;
 }
 
 /*
-- 
2.39.2

next prev parent reply	other threads:[~2023-04-03 14:32 UTC|newest]

Thread overview: 108+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-04-03 14:08 [PATCH 5.15 00/99] 5.15.106-rc1 review Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 01/99] fsverity: dont drop pagecache at end of FS_IOC_ENABLE_VERITY Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 02/99] usb: dwc3: gadget: move cmd_endtransfer to extra function Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 03/99] usb: dwc3: gadget: Add 1ms delay after end transfer command without IOC Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 04/99] kernel: kcsan: kcsan_test: build without structleak plugin Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 05/99] kcsan: avoid passing -g for test Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 06/99] ksmbd: dont terminate inactive sessions after a few seconds Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 07/99] bus: imx-weim: fix branch condition evaluates to a garbage value Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 08/99] xfrm: Zero padding when dumping algos and encap Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 09/99] ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 10/99] md: avoid signed overflow in slot_store() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 11/99] x86/PVH: obtain VGA console info in Dom0 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 12/99] net: hsr: Dont log netdev_err message on unknown prp dst node Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 13/99] ALSA: asihpi: check pao in control_message() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 14/99] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 15/99] fbdev: tgafb: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 16/99] sched_getaffinity: dont assume cpumask_size() is fully initialized Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 17/99] fbdev: nvidia: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 18/99] fbdev: intelfb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 19/99] fbdev: lxfb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 20/99] fbdev: au1200fb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 21/99] tools/power turbostat: Fix /dev/cpu_dma_latency warnings Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 22/99] tools/power turbostat: fix decoding of HWP_STATUS Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 23/99] tracing: Fix wrong return in kprobe_event_gen_test.c Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 24/99] ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 25/99] mips: bmips: BCM6358: disable RAC flush for TP1 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 26/99] ALSA: usb-audio: Fix recursive locking at XRUN during syncing Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 27/99] platform/x86: think-lmi: add missing type attribute Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 28/99] platform/x86: think-lmi: use correct possible_values delimiters Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 29/99] platform/x86: think-lmi: only display possible_values if available Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 30/99] platform/x86: think-lmi: Add possible_values for ThinkStation Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 31/99] mtd: rawnand: meson: invalidate cache on polling ECC bit Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 32/99] SUNRPC: fix shutdown of NFS TCP client socket Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 33/99] sfc: ef10: dont overwrite offload features at NIC reset Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 34/99] scsi: megaraid_sas: Fix crash after a double completion Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 35/99] scsi: mpt3sas: Dont print sense pool info twice Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 5.15 36/99] ptp_qoriq: fix memory leak in probe() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 37/99] net: dsa: microchip: ksz8863_smi: fix bulk access Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 38/99] r8169: fix RTL8168H and RTL8107E rx crc error Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 39/99] regulator: Handle deferred clk Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 40/99] net/net_failover: fix txq exceeding warning Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 41/99] net: stmmac: dont reject VLANs when IFF_PROMISC is set Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 42/99] drm/i915/tc: Fix the ICL PHY ownership check in TC-cold state Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 43/99] platform/x86/intel/pmc: Alder Lake PCH slp_s0_residency fix Greg Kroah-Hartman
2023-04-03 14:09 ` Greg Kroah-Hartman [this message]
2023-04-03 14:09 ` [PATCH 5.15 45/99] s390/vfio-ap: fix memory leak in vfio_ap device driver Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 46/99] loop: suppress uevents while reconfiguring the device Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 47/99] loop: LOOP_CONFIGURE: send uevents for partitions Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 48/99] net: mvpp2: classifier flow fix fragmentation flags Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 49/99] net: mvpp2: parser fix QinQ Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 50/99] net: mvpp2: parser fix PPPoE Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 51/99] smsc911x: avoid PHY being resumed when interface is not up Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 52/99] ice: add profile conflict check for AVF FDIR Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 53/99] ice: fix invalid check for empty list in ice_sched_assoc_vsi_to_agg() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 54/99] ALSA: ymfpci: Create card with device-managed snd_devm_card_new() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 55/99] ALSA: ymfpci: Fix BUG_ON in probe function Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 56/99] net: ipa: compute DMA pool size properly Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 57/99] i40e: fix registers dump after run ethtool adapter self test Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 58/99] bnxt_en: Fix reporting of test result in ethtool selftest Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 59/99] bnxt_en: Fix typo in PCI id to device description string mapping Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 60/99] bnxt_en: Add missing 200G link speed reporting Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 61/99] net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 62/99] net: ethernet: mtk_eth_soc: fix flow block refcounting logic Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 63/99] pinctrl: ocelot: Fix alt mode for ocelot Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 64/99] iommu/vt-d: Allow zero SAGAW if second-stage not supported Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 65/99] Input: alps - fix compatibility with -funsigned-char Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 66/99] Input: focaltech - use explicitly signed char type Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 67/99] cifs: prevent infinite recursion in CIFSGetDFSRefer() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 68/99] cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 69/99] Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 70/99] btrfs: fix race between quota disable and quota assign ioctls Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 71/99] btrfs: scan device in non-exclusive mode Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 72/99] zonefs: Always invalidate last cached page on append write Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 73/99] can: j1939: prevent deadlock by moving j1939_sk_errqueue() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 74/99] xen/netback: dont do grant copy across page boundary Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 75/99] net: phy: dp83869: fix default value for tx-/rx-internal-delay Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 76/99] pinctrl: amd: Disable and mask interrupts on resume Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 77/99] pinctrl: at91-pio4: fix domain name assignment Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 78/99] powerpc: Dont try to copy PPR for task with NULL pt_regs Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 79/99] NFSv4: Fix hangs when recovering open state after a server reboot Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 80/99] ALSA: hda/conexant: Partial revert of a quirk for Lenovo Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 81/99] ALSA: usb-audio: Fix regression on detection of Roland VS-100 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 82/99] ALSA: hda/realtek: Add quirks for some Clevo laptops Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 83/99] ALSA: hda/realtek: Add quirk for Lenovo ZhaoYang CF4620Z Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 84/99] xtensa: fix KASAN report for show_stack Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 85/99] rcu: Fix rcu_torture_read ftrace event Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 86/99] drm/etnaviv: fix reference leak when mmaping imported buffer Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 87/99] drm/amd/display: Add DSC Support for Synaptics Cascaded MST Hub Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 88/99] KVM: arm64: Disable interrupts while walking userspace PTs Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 89/99] s390/uaccess: add missing earlyclobber annotations to __clear_user() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 90/99] KVM: VMX: Move preemption timer <=> hrtimer dance to common x86 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 91/99] KVM: x86: Inject #GP on x2APIC WRMSR that sets reserved bits 63:32 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 92/99] KVM: x86: Purge "highest ISR" cache when updating APICv state Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 93/99] zonefs: Fix error message in zonefs_file_dio_append() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 94/99] selftests/bpf: Test btf dump for struct with padding only fields Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 95/99] libbpf: Fix BTF-to-C converters padding logic Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 5.15 96/99] selftests/bpf: Add few corner cases to test padding handling of btf_dump Greg Kroah-Hartman
2023-04-03 14:10 ` [PATCH 5.15 97/99] libbpf: Fix btf_dumps packed struct determination Greg Kroah-Hartman
2023-04-03 14:10 ` [PATCH 5.15 98/99] hsr: ratelimit only when errors are printed Greg Kroah-Hartman
2023-04-03 14:10 ` [PATCH 5.15 99/99] x86/PVH: avoid 32-bit build warning when obtaining VGA console info Greg Kroah-Hartman
2023-04-03 22:59 ` [PATCH 5.15 00/99] 5.15.106-rc1 review Shuah Khan
2023-04-04  2:06 ` Florian Fainelli
2023-04-04  2:41 ` Bagas Sanjaya
2023-04-04 10:05 ` Naresh Kamboju
2023-04-04 10:55 ` Chris Paterson
2023-04-04 21:21 ` Guenter Roeck
2023-04-05  6:08 ` Harshit Mogalapalli
2023-04-05  8:49 ` Ron Economos

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:aab3a18f4a90 dfblob:5727a073189b )
 OR (
bs:"[PATCH 5.15 44/99] can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230403140404.924435673@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=ivan.orlov0322@gmail.com \
    --cc=mkl@pengutronix.de \
    --cc=patches@lists.linux.dev \
    --cc=sashal@kernel.org \
    --cc=socketcan@hartkopp.net \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox