syzbot


KMSAN: kernel-infoleak in bpf_probe_write_user

Status: upstream: reported C repro on 2024/04/13 02:27
Subsystems: mm
[Documentation on labels]
Reported-by: syzbot+79102ed905e5b2dc0fc3@syzkaller.appspotmail.com
First crash: 42d, last: 25d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [mm?] KMSAN: kernel-infoleak in bpf_probe_write_user 6 (7) 2024/04/18 07:58
Last patch testing requests (1)
Created Duration User Patch Repo Result
2024/04/26 14:10 27m retest repro upstream report log

Sample crash report:
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in __copy_to_user_inatomic include/linux/uaccess.h:125 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_nofault+0x129/0x1f0 mm/maccess.c:149
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 __copy_to_user_inatomic include/linux/uaccess.h:125 [inline]
 copy_to_user_nofault+0x129/0x1f0 mm/maccess.c:149
 ____bpf_probe_write_user kernel/trace/bpf_trace.c:349 [inline]
 bpf_probe_write_user+0x104/0x180 kernel/trace/bpf_trace.c:327
 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
 __bpf_prog_run64+0xb5/0xe0 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
 bpf_trace_run2+0x116/0x300 kernel/trace/bpf_trace.c:2420
 __bpf_trace_kfree+0x29/0x40 include/trace/events/kmem.h:94
 trace_kfree include/trace/events/kmem.h:94 [inline]
 kfree+0x6a5/0xa30 mm/slub.c:4377
 vfs_writev+0x12bf/0x1450 fs/read_write.c:978
 do_writev+0x251/0x5c0 fs/read_write.c:1018
 __do_sys_writev fs/read_write.c:1091 [inline]
 __se_sys_writev fs/read_write.c:1088 [inline]
 __x64_sys_writev+0x98/0xe0 fs/read_write.c:1088
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x72/0x7a

Local variable stack created at:
 __bpf_prog_run64+0x45/0xe0 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
 bpf_trace_run2+0x116/0x300 kernel/trace/bpf_trace.c:2420

Bytes 0-7 of 8 are uninitialized
Memory access of size 8 starts at ffff888121ec7ae8
Data copied to user address 00000000ffffffff

CPU: 1 PID: 4779 Comm: dhcpcd Not tainted 6.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
=====================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/04/09 03:13 upstream fec50db7033e 53df08b6 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in bpf_probe_write_user
2024/04/10 02:10 upstream 20cb38a7af88 56086b24 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in bpf_probe_write_user
2024/04/09 02:16 upstream fec50db7033e 53df08b6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in bpf_probe_write_user
* Struck through repros no longer work on HEAD.