syzbot


KMSAN: uninit-value in video_usercopy

Status: fixed on 2020/09/25 01:17
Subsystems: media
Reported-by: syzbot+79d751604cb6f29fbf59@syzkaller.appspotmail.com
Fix commit: 4ffb879ea648 media: media/v4l2-core: Fix kernel-infoleak in video_put_user()
First crash: 1239d, last: 1236d
Discussions (3)
Title                                                                             Replies (including bot)   Last reply
[PATCH 5.8 00/17] 5.8.7-rc1 review                                                23 (23)                   2020/09/05 15:42
[Linux-kernel-mentees] [PATCH] media/v4l2-core: Fix kernel-infoleak in video_put_user()   38 (38)           2020/08/02 16:55
KMSAN: uninit-value in video_usercopy                                             0 (1)                     2020/07/22 05:53
Similar bugs (1)
Kernel     Title                                           Subsystem   Repro   Cause bisect   Fix bisect   Count   Last   Reported   Patched   Status
upstream   KMSAN: uninit-value in video_usercopy (2)       media                                           13058   806d   998d       22/25     fixed on 2021/11/10 00:50
Last patch testing requests (1)
Created            Duration   User                    Patch   Repo                                       Result
2020/07/26 08:46   18m        yepeilin.cs@gmail.com   patch   https://github.com/google/kmsan.git master   OK

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in kmsan_check_memory+0xd/0x10 mm/kmsan/kmsan_hooks.c:428
CPU: 0 PID: 8471 Comm: syz-executor794 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1df/0x240 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
 kmsan_check_memory+0xd/0x10 mm/kmsan/kmsan_hooks.c:428
 instrument_copy_to_user include/linux/instrumented.h:91 [inline]
 _copy_to_user+0x100/0x1d0 lib/usercopy.c:30
 copy_to_user include/linux/uaccess.h:161 [inline]
 video_put_user drivers/media/v4l2-core/v4l2-ioctl.c:3226 [inline]
 video_usercopy+0x248a/0x2c00 drivers/media/v4l2-core/v4l2-ioctl.c:3325
 video_ioctl2+0x9f/0xb0 drivers/media/v4l2-core/v4l2-ioctl.c:3335
 v4l2_ioctl+0x23f/0x270 drivers/media/v4l2-core/v4l2-dev.c:360
 vfs_ioctl fs/ioctl.c:48 [inline]
 ksys_ioctl fs/ioctl.c:753 [inline]
 __do_sys_ioctl fs/ioctl.c:762 [inline]
 __se_sys_ioctl+0x2e9/0x410 fs/ioctl.c:760
 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:760
 do_syscall_64+0xb0/0x150 arch/x86/entry/common.c:386
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x444009
Code: Bad RIP value.
RSP: 002b:00007ffd83706aa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444009
RDX: 0000000020000100 RSI: 00000000c0505611 RDI: 0000000000000003
RBP: 00000000006ce018 R08: 00000000004002e0 R09: 00000000004002e0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c90
R13: 0000000000401d20 R14: 0000000000000000 R15: 0000000000000000

Local variable ----vb32.i@video_usercopy created at:
 video_put_user drivers/media/v4l2-core/v4l2-ioctl.c:3210 [inline]
 video_usercopy+0x20bd/0x2c00 drivers/media/v4l2-core/v4l2-ioctl.c:3325
 video_put_user drivers/media/v4l2-core/v4l2-ioctl.c:3210 [inline]
 video_usercopy+0x20bd/0x2c00 drivers/media/v4l2-core/v4l2-ioctl.c:3325

Bytes 52-55 of 80 are uninitialized
Memory access of size 80 starts at ffffa41d80dcfce0
=====================================================
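The report above pins the leak to a stack local `vb32` in video_put_user() (v4l2-ioctl.c:3210) and says bytes 52-55 of the 80-byte object are uninitialized when copy_to_user() runs. The following is an added example, not code from this page or from the kernel: it models in userspace why those exact bytes are padding and contrasts the field-by-field copy (the pattern KMSAN flagged) with the memset-first shape of the fix commit. The struct `buf_time32` is my own approximation of the v4l2_buffer_time32 UAPI layout on x86-64 (LP64, 8-byte-aligned `m` union); the member names mirror the kernel's, but offsets are computed by the compiler, not copied from the report. The model also has tail padding at bytes 76-79 for a 76-byte body rounded up to 80; the report itself only lists 52-55.

```c
/* Added example: struct padding infoleak, modelled in userspace.
 * Not kernel code. struct buf_time32 is an assumed mirror of
 * v4l2_buffer_time32 on x86-64; run it and compare with the KMSAN
 * line "Bytes 52-55 of 80 are uninitialized". */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tv32 { int32_t tv_sec; int32_t tv_usec; };            /* old_timeval32, 8 bytes */
struct tc   { uint32_t type, flags; uint8_t frames, seconds, minutes, hours;
              uint8_t userbits[4]; };                          /* v4l2_timecode, 16 bytes */

struct buf_time32 {                       /* assumed mirror of v4l2_buffer_time32 */
	uint32_t index, type, bytesused, flags, field;           /* bytes 0-19  */
	struct tv32 timestamp;                                   /* bytes 20-27 */
	struct tc timecode;                                      /* bytes 28-43 */
	uint32_t sequence, memory;                               /* bytes 44-51 */
	union { uint32_t offset; unsigned long userptr; int32_t fd; void *planes; } m;
	                                     /* 8-byte aligned on LP64: hole at 52-55, m at 56 */
	uint32_t length, reserved2;
	union { int32_t request_fd; uint32_t reserved; } rf;
};

struct member { const char *name; size_t off, size; };
struct hole   { size_t off, len; };

#define M(f) { #f, offsetof(struct buf_time32, f), sizeof(((struct buf_time32 *)0)->f) }
static const struct member members[] = {
	M(index), M(type), M(bytesused), M(flags), M(field), M(timestamp), M(timecode),
	M(sequence), M(memory), M(m), M(length), M(reserved2), M(rf),
};

/* Walk the members in declaration order and record every gap the compiler
 * inserted, tail padding included: these are the bytes a memset() must cover. */
static int find_holes(struct hole *out, int max)
{
	size_t expect = 0;
	int n = 0;
	for (size_t i = 0; i < sizeof members / sizeof members[0]; i++) {
		if (members[i].off > expect && n < max)
			out[n++] = (struct hole){ expect, members[i].off - expect };
		expect = members[i].off + members[i].size;
	}
	if (expect < sizeof(struct buf_time32) && n < max)
		out[n++] = (struct hole){ expect, sizeof(struct buf_time32) - expect };
	return n;
}

/* Offset of the first padding hole, or -1 if the layout has none. */
static int first_hole(void)
{
	struct hole h[8];
	return find_holes(h, 8) > 0 ? (int)h[0].off : -1;
}

/* The unfixed pattern: every named field is copied, the padding is not. */
static void put_user_fieldwise(struct buf_time32 *vb32, const struct buf_time32 *vb)
{
	vb32->index = vb->index;          vb32->type = vb->type;
	vb32->bytesused = vb->bytesused;  vb32->flags = vb->flags;  vb32->field = vb->field;
	vb32->timestamp = vb->timestamp;  vb32->timecode = vb->timecode;
	vb32->sequence = vb->sequence;    vb32->memory = vb->memory;
	vb32->m.userptr = vb->m.userptr;
	vb32->length = vb->length;        vb32->reserved2 = vb->reserved2;
	vb32->rf.request_fd = vb->rf.request_fd;
}

/* The shape of the fix: clear the whole object first, then fill the fields. */
static void put_user_zeroed(struct buf_time32 *vb32, const struct buf_time32 *vb)
{
	memset(vb32, 0, sizeof(*vb32));
	put_user_fieldwise(vb32, vb);
}

/* Simulate a dirty stack slot: pre-fill it with MARKER, run the filler, then
 * scan the raw bytes the way copy_to_user() would hand them to userspace.
 * Returns the offset of the first byte still carrying MARKER, or -1 if none. */
#define MARKER 0xAA
static int first_leaked_byte(int zero_first)
{
	union { struct buf_time32 s; unsigned char raw[sizeof(struct buf_time32)]; } slot;
	struct buf_time32 src;                /* constructed stand-in for the kernel-side buffer */
	memset(&src, 0, sizeof src);
	src.index = 1; src.bytesused = 4096; src.m.userptr = 0x20000100UL;
	memset(slot.raw, MARKER, sizeof slot.raw);
	if (zero_first) put_user_zeroed(&slot.s, &src);
	else            put_user_fieldwise(&slot.s, &src);
	for (size_t i = 0; i < sizeof slot.raw; i++)
		if (slot.raw[i] == MARKER) return (int)i;
	return -1;
}

int main(void)
{
	struct hole h[8];
	int n = find_holes(h, 8);
	printf("sizeof = %zu, offsetof(m) = %zu\n",
	       sizeof(struct buf_time32), offsetof(struct buf_time32, m));
	for (int i = 0; i < n; i++)
		printf("padding: bytes %zu-%zu\n", h[i].off, h[i].off + h[i].len - 1);
	printf("fieldwise copy: first leaked byte at %d\n", first_leaked_byte(0));
	printf("memset first:   first leaked byte at %d\n", first_leaked_byte(1));
	return 0;
}
```

The hole map is the check worth keeping: any struct built on the stack and handed to copy_to_user() should either be memset() first or have every hole accounted for, since a designated initializer or field-by-field assignment gives no guarantee about padding bytes. The `memory`/`m` boundary here is the classic case, a 4-byte field followed by a pointer-sized union.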

Crashes (28):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/07/18 23:34 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report syz C ci-upstream-kmsan-gce
2020/07/20 07:13 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report syz C ci-upstream-kmsan-gce-386
2020/07/21 22:45 https://github.com/google/kmsan.git master 91e18444d6b0 21f1765e .config console log report ci-upstream-kmsan-gce
2020/07/21 13:30 https://github.com/google/kmsan.git master 91e18444d6b0 d88894e6 .config console log report ci-upstream-kmsan-gce
2020/07/21 13:23 https://github.com/google/kmsan.git master 91e18444d6b0 d88894e6 .config console log report ci-upstream-kmsan-gce
2020/07/21 13:16 https://github.com/google/kmsan.git master 91e18444d6b0 d88894e6 .config console log report ci-upstream-kmsan-gce
2020/07/20 16:53 https://github.com/google/kmsan.git master 91e18444d6b0 4285ffa3 .config console log report ci-upstream-kmsan-gce
2020/07/20 16:52 https://github.com/google/kmsan.git master 91e18444d6b0 4285ffa3 .config console log report ci-upstream-kmsan-gce
2020/07/20 07:39 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce
2020/07/20 07:38 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce
2020/07/19 04:10 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce
2020/07/19 03:57 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce
2020/07/19 01:23 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce
2020/07/18 15:32 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce
2020/07/21 01:59 https://github.com/google/kmsan.git master 91e18444d6b0 4285ffa3 .config console log report ci-upstream-kmsan-gce-386
2020/07/20 16:51 https://github.com/google/kmsan.git master 91e18444d6b0 4285ffa3 .config console log report ci-upstream-kmsan-gce-386
2020/07/20 16:51 https://github.com/google/kmsan.git master 91e18444d6b0 4285ffa3 .config console log report ci-upstream-kmsan-gce-386
2020/07/19 18:48 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
2020/07/19 17:30 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
2020/07/19 17:30 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
2020/07/19 17:28 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
2020/07/19 17:27 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
2020/07/19 17:23 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
2020/07/19 17:21 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
2020/07/19 17:17 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
2020/07/19 04:08 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
2020/07/19 01:31 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
2020/07/18 01:25 https://github.com/google/kmsan.git master 14525656779e 9c812472 .config console log report ci-upstream-kmsan-gce-386
* Struck through repros no longer work on HEAD.