From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com,
	Ivan Orlov <ivan.orlov0322@gmail.com>,
	Oliver Hartkopp <socketcan@hartkopp.net>,
	Marc Kleine-Budde <mkl@pengutronix.de>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 080/104] can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
Date: Mon,  3 Apr 2023 16:09:12 +0200
Message-ID: <20230403140407.252575136@linuxfoundation.org>
In-Reply-To: <20230403140403.549815164@linuxfoundation.org>

From: Ivan Orlov <ivan.orlov0322@gmail.com>

[ Upstream commit 2b4c99f7d9a57ecd644eda9b1fb0a1072414959f ]

Syzkaller reported the following issue:

=====================================================
BUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]
BUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600
 aio_rw_done fs/aio.c:1520 [inline]
 aio_write+0x899/0x950 fs/aio.c:1600
 io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
 __do_sys_io_submit fs/aio.c:2078 [inline]
 __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
 __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:766 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc+0x11d/0x3b0 mm/slab_common.c:981
 kmalloc_array include/linux/slab.h:636 [inline]
 bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930
 bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 sock_write_iter+0x495/0x5e0 net/socket.c:1108
 call_write_iter include/linux/fs.h:2189 [inline]
 aio_write+0x63a/0x950 fs/aio.c:1600
 io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
 __do_sys_io_submit fs/aio.c:2078 [inline]
 __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
 __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
=====================================================

We can follow the call chain and find that the 'bcm_tx_setup' function
calls 'memcpy_from_msg' to copy some content to the newly allocated
frame of 'op->frames'. After that, the 'len' field of the copied structure
is compared with some constant value (64 or 8). However, if
'memcpy_from_msg' returns an error, we will compare some uninitialized
memory. This triggers the 'uninit-value' issue.

This patch adds processing of possible 'memcpy_from_msg' errors to
avoid the uninit-value issue.

Tested via syzkaller

Reported-by: syzbot+c9bfd85eca611ebf5db1@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=47f897f8ad958bbde5790ebf389b5e7e0a345089
Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
Fixes: 6f3b911d5f29b ("can: bcm: add support for CAN FD frames")
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Link: https://lore.kernel.org/all/20230314120445.12407-1-ivan.orlov0322@gmail.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/can/bcm.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/net/can/bcm.c b/net/can/bcm.c
index fbf1143a56e13..23c7d5f896bd2 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -938,6 +938,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 
 			cf = op->frames + op->cfsiz * i;
 			err = memcpy_from_msg((u8 *)cf, msg, op->cfsiz);
+			if (err < 0)
+				goto free_op;
 
 			if (op->flags & CAN_FD_FRAME) {
 				if (cf->len > 64)
@@ -947,12 +949,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 					err = -EINVAL;
 			}
 
-			if (err < 0) {
-				if (op->frames != &op->sframe)
-					kfree(op->frames);
-				kfree(op);
-				return err;
-			}
+			if (err < 0)
+				goto free_op;
 
 			if (msg_head->flags & TX_CP_CAN_ID) {
 				/* copy can_id into frame */
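Review bot: replacing the open-coded cleanup with `goto free_op` is a pure refactor only as long as the label body frees exactly what the five removed lines did, i.e. `kfree(op->frames)` guarded by `op->frames != &op->sframe`, then `kfree(op)`, then `return err`. Please compare the label body against these removed lines once more for the 5.4 backport, where `bcm_tx_setup()` differs from mainline; any divergence would change what is freed on the error path.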
@@ -1023,6 +1021,12 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 		bcm_tx_start_timer(op);
 
 	return msg_head->nframes * op->cfsiz + MHSIZ;
+
+free_op:
+	if (op->frames != &op->sframe)
+		kfree(op->frames);
+	kfree(op);
+	return err;
 }
 
 /*
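Review bot: the `free_op` label is placed after the success `return`, so it is reachable only through the `goto free_op` sites; a one-line comment above the label stating that it must only be used for the freshly allocated `op` that has not yet been linked into the socket's op list would help future readers, since `kfree(op)` on an already listed op would leave a dangling pointer. The body reproduces the removed inline cleanup verbatim (conditional `kfree(op->frames)`, `kfree(op)`, `return err`), so the error-path behaviour is unchanged.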
-- 
2.39.2



