syzbot


KMSAN: kernel-infoleak in tty_compat_ioctl

Status: fixed on 2020/04/15 17:19
Subsystems: serial
Reported-by: syzbot+8da9175e28eadcb203ce@syzkaller.appspotmail.com
Fix commit: 17329563a97d tty: fix compat TIOCGSERIAL leaking uninitialized memory
First crash: 1583d, last: 1550d
Discussions (6)
Title Replies (including bot) Last reply
[PATCH AUTOSEL 5.5 01/28] thunderbolt: Fix error code in tb_port_is_width_supported() 33 (33) 2020/03/27 06:28
[PATCH AUTOSEL 5.4 01/19] drm/bridge: dw-hdmi: fix AVI frame colorimetry 19 (19) 2020/03/26 23:24
[PATCH 5.5 000/119] 5.5.12-rc1 review 126 (126) 2020/03/25 17:54
[PATCH 5.4 000/102] 5.4.28-rc1 review 106 (106) 2020/03/25 05:15
[PATCH] tty: fix compat TIOCGSERIAL leaking uninitialized memory 12 (12) 2020/03/18 16:36
KMSAN: kernel-infoleak in tty_compat_ioctl 0 (1) 2020/02/24 08:18

Sample crash report:
=====================================================
BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
CPU: 1 PID: 11476 Comm: syz-executor814 Not tainted 5.6.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
 kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
 _copy_to_user+0x15a/0x1f0 lib/usercopy.c:33
 copy_to_user include/linux/uaccess.h:174 [inline]
 compat_tty_tiocgserial drivers/tty/tty_io.c:2748 [inline]
 tty_compat_ioctl+0x1482/0x1850 drivers/tty/tty_io.c:2846
 __do_compat_sys_ioctl fs/ioctl.c:857 [inline]
 __se_compat_sys_ioctl+0x57c/0xed0 fs/ioctl.c:808
 __ia32_compat_sys_ioctl+0xd9/0x110 fs/ioctl.c:808
 do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
 do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
 entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7ff7d99
Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ff97b20c EFLAGS: 00000213 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000000541e
RDX: 0000000020000300 RSI: 00000000080ea078 RDI: 00000000ff97b260
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Local variable ----v32.i105@tty_compat_ioctl created at:
 compat_tty_tiocgserial drivers/tty/tty_io.c:2735 [inline]
 tty_compat_ioctl+0xf12/0x1850 drivers/tty/tty_io.c:2846
 compat_tty_tiocgserial drivers/tty/tty_io.c:2735 [inline]
 tty_compat_ioctl+0xf12/0x1850 drivers/tty/tty_io.c:2846

Bytes 50-51 of 60 are uninitialized
Memory access of size 60 starts at ffffb50b0158fce0
Data copied to user address 0000000020000300
=====================================================

Crashes (162):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/02/23 08:15 https://github.com/google/kmsan.git master 8bbbc5cf3dca 2c36e7a7 .config console log report syz C ci-upstream-kmsan-gce-386
2020/03/25 00:27 https://github.com/google/kmsan.git master a58741ac26cc 68660b21 .config console log report ci-upstream-kmsan-gce-386
2020/03/24 22:52 https://github.com/google/kmsan.git master a58741ac26cc 68660b21 .config console log report ci-upstream-kmsan-gce-386
2020/03/24 12:11 https://github.com/google/kmsan.git master a58741ac26cc 33e14df3 .config console log report ci-upstream-kmsan-gce-386
2020/03/24 08:30 https://github.com/google/kmsan.git master a58741ac26cc 33e14df3 .config console log report ci-upstream-kmsan-gce-386
2020/03/23 23:42 https://github.com/google/kmsan.git master a58741ac26cc 84f999d6 .config console log report ci-upstream-kmsan-gce-386
2020/03/23 15:08 https://github.com/google/kmsan.git master a58741ac26cc 78267cec .config console log report ci-upstream-kmsan-gce-386
2020/03/23 07:13 https://github.com/google/kmsan.git master a58741ac26cc 78267cec .config console log report ci-upstream-kmsan-gce-386
2020/03/22 13:42 https://github.com/google/kmsan.git master a58741ac26cc 78267cec .config console log report ci-upstream-kmsan-gce-386
2020/03/22 11:00 https://github.com/google/kmsan.git master a58741ac26cc 78267cec .config console log report ci-upstream-kmsan-gce-386
2020/03/22 08:47 https://github.com/google/kmsan.git master a58741ac26cc 78267cec .config console log report ci-upstream-kmsan-gce-386
2020/03/22 05:58 https://github.com/google/kmsan.git master a58741ac26cc 78267cec .config console log report ci-upstream-kmsan-gce-386
2020/03/22 01:35 https://github.com/google/kmsan.git master a58741ac26cc 78267cec .config console log report ci-upstream-kmsan-gce-386
2020/03/21 21:09 https://github.com/google/kmsan.git master a58741ac26cc 4288d95e .config console log report ci-upstream-kmsan-gce-386
2020/03/21 18:06 https://github.com/google/kmsan.git master a58741ac26cc 4288d95e .config console log report ci-upstream-kmsan-gce-386
2020/03/21 15:50 https://github.com/google/kmsan.git master a58741ac26cc 4288d95e .config console log report ci-upstream-kmsan-gce-386
2020/03/21 08:32 https://github.com/google/kmsan.git master a58741ac26cc 2c31c529 .config console log report ci-upstream-kmsan-gce-386
2020/03/21 05:26 https://github.com/google/kmsan.git master a58741ac26cc 2c31c529 .config console log report ci-upstream-kmsan-gce-386
2020/03/20 08:37 https://github.com/google/kmsan.git master a58741ac26cc 2c31c529 .config console log report ci-upstream-kmsan-gce-386
2020/03/20 03:14 https://github.com/google/kmsan.git master a58741ac26cc 2c31c529 .config console log report ci-upstream-kmsan-gce-386
2020/03/19 21:29 https://github.com/google/kmsan.git master a58741ac26cc 2c31c529 .config console log report ci-upstream-kmsan-gce-386
2020/03/19 19:27 https://github.com/google/kmsan.git master a58741ac26cc 2c31c529 .config console log report ci-upstream-kmsan-gce-386
2020/03/19 16:12 https://github.com/google/kmsan.git master a58741ac26cc 2c31c529 .config console log report ci-upstream-kmsan-gce-386
2020/03/19 06:15 https://github.com/google/kmsan.git master a58741ac26cc 0a96a13c .config console log report ci-upstream-kmsan-gce-386
2020/03/19 05:08 https://github.com/google/kmsan.git master a58741ac26cc 0a96a13c .config console log report ci-upstream-kmsan-gce-386
2020/03/19 02:33 https://github.com/google/kmsan.git master a58741ac26cc 0a96a13c .config console log report ci-upstream-kmsan-gce-386
2020/03/18 23:17 https://github.com/google/kmsan.git master a58741ac26cc 0a96a13c .config console log report ci-upstream-kmsan-gce-386
2020/03/18 08:10 https://github.com/google/kmsan.git master a58741ac26cc 97bc55ce .config console log report ci-upstream-kmsan-gce-386
2020/03/18 05:20 https://github.com/google/kmsan.git master a58741ac26cc 97bc55ce .config console log report ci-upstream-kmsan-gce-386
2020/03/18 02:39 https://github.com/google/kmsan.git master a58741ac26cc 97bc55ce .config console log report ci-upstream-kmsan-gce-386
2020/03/17 13:23 https://github.com/google/kmsan.git master a58741ac26cc 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/17 04:51 https://github.com/google/kmsan.git master a58741ac26cc 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/16 22:59 https://github.com/google/kmsan.git master a58741ac26cc 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/15 15:49 https://github.com/google/kmsan.git master 8bbbc5cf3dca 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/15 13:07 https://github.com/google/kmsan.git master 8bbbc5cf3dca 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/15 09:41 https://github.com/google/kmsan.git master 8bbbc5cf3dca 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/15 08:05 https://github.com/google/kmsan.git master 8bbbc5cf3dca 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/15 06:43 https://github.com/google/kmsan.git master 8bbbc5cf3dca 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/15 05:26 https://github.com/google/kmsan.git master 8bbbc5cf3dca 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/14 21:49 https://github.com/google/kmsan.git master 8bbbc5cf3dca 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/14 18:20 https://github.com/google/kmsan.git master 8bbbc5cf3dca 749688d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/13 16:15 https://github.com/google/kmsan.git master 8bbbc5cf3dca d850e9d0 .config console log report ci-upstream-kmsan-gce-386
2020/02/21 06:03 https://github.com/google/kmsan.git master 8bbbc5cf3dca bd2a74a3 .config console log report ci-upstream-kmsan-gce-386
2020/02/21 00:08 https://github.com/google/kmsan.git master 8bbbc5cf3dca bd2a74a3 .config console log report ci-upstream-kmsan-gce-386