syzbot


KMSAN: kernel-infoleak in sys_name_to_handle_at (4)

Status: fixed on 2024/04/10 03:59
Subsystems: nfs
Reported-by: syzbot+09b349b3066c2e0b1e96@syzkaller.appspotmail.com
Fix commit: 3948abaa4e2b do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
First crash: 124d, last: 54d
Discussions (10)
Title Replies (including bot) Last reply
[PATCH 4.19 018/148] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 1 (1) 2024/03/24 23:48
[PATCH 5.4 022/183] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 1 (1) 2024/03/24 23:43
[PATCH 5.10 029/238] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 1 (1) 2024/03/24 23:36
[PATCH 5.15 031/317] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 1 (1) 2024/03/24 23:30
[PATCH 6.1 058/451] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 1 (1) 2024/03/24 23:05
[PATCH 6.6 067/638] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 1 (1) 2024/03/24 22:51
[PATCH 6.7 081/713] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 1 (1) 2024/03/24 22:36
[PATCH 6.8 001/715] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 1 (1) 2024/03/24 22:23
[PATCH] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 3 (3) 2024/01/22 11:03
[syzbot] [nfs?] KMSAN: kernel-infoleak in sys_name_to_handle_at (4) 2 (4) 2024/01/18 16:45
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: kernel-infoleak in sys_name_to_handle_at (3) nfs 1 198d 198d 0/26 closed as invalid on 2023/12/22 15:49
upstream KMSAN: kernel-infoleak in sys_name_to_handle_at (2) nfs 3 329d 390d 0/26 auto-obsoleted due to no activity on 2023/09/11 04:32
upstream KMSAN: kernel-infoleak in sys_name_to_handle_at nfs 2 496d 491d 0/26 auto-obsoleted due to no activity on 2023/03/17 17:26
Last patch testing requests (2)
Created Duration User Patch Repo Result
2024/01/18 16:45 25m n.zhandarovich@fintech.ru patch https://github.com/google/kmsan.git master OK log
2024/01/08 16:23 17m retest repro upstream report log

Sample crash report:
WARNING: The mand mount option has been deprecated and
         and is ignored by this kernel. Remove the mand
         option from the mount to silence this warning.
=======================================================
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 _copy_to_user+0xbc/0x100 lib/usercopy.c:40
 copy_to_user include/linux/uaccess.h:191 [inline]
 do_sys_name_to_handle fs/fhandle.c:73 [inline]
 __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
 __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94
 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3819 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 __do_kmalloc_node mm/slub.c:3980 [inline]
 __kmalloc+0x919/0xf80 mm/slub.c:3994
 kmalloc include/linux/slab.h:594 [inline]
 do_sys_name_to_handle fs/fhandle.c:39 [inline]
 __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
 __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94
 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Bytes 18-19 of 20 are uninitialized
Memory access of size 20 starts at ffff88812c04f880
Data copied to user address 0000000020000240

CPU: 1 PID: 5007 Comm: syz-executor982 Not tainted 6.8.0-rc6-syzkaller-00250-g04b8076df253 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
=====================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/03/03 17:21 upstream 04b8076df253 25905f5d .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in sys_name_to_handle_at
2023/12/25 15:46 upstream 861deac3b092 fb427a07 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in sys_name_to_handle_at
2024/01/24 11:59 upstream 9f8413c4a66f 1e153dc8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in sys_name_to_handle_at
2024/01/08 18:09 upstream 0dd3ee311255 4c0fd4bb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in sys_name_to_handle_at
2023/12/24 22:19 upstream 861deac3b092 fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in sys_name_to_handle_at
2024/02/24 10:13 upstream 603c04e27c3e 8d446f15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in sys_name_to_handle_at
2024/01/08 18:23 upstream 0dd3ee311255 4c0fd4bb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in sys_name_to_handle_at
* Struck through repros no longer work on HEAD.