syzbot

 sign-in | mailing list | source | docs
🐞 Open [993] Subsystems 🐞 Fixed [5244] 🐞 Invalid [12515] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KMSAN: uninit-value in audit_log_vformat

Status: fixed on 2020/04/15 17:19
Subsystems: audit
[Documentation on labels]
Reported-by: syzbot+e4b12d8d202701f08b6d@syzkaller.appspotmail.com
Fix commit: 756125289285 audit: always check the netlink payload length in audit_receive_msg()
First crash: 1527d, last: 1472d
Discussions (6)
Title Replies (including bot) Last reply
[PATCH 4.14 000/126] 4.14.173-stable review 140 (140) 2020/03/13 16:17
[PATCH 4.4 00/72] 4.4.216-stable review 78 (78) 2020/03/11 10:27
[PATCH 4.9 00/88] 4.9.216-stable review 96 (96) 2020/03/10 21:57
[PATCH 5.5 000/176] 5.5.8-stable review 201 (201) 2020/03/04 22:14
[PATCH 5.4 000/152] 5.4.24-stable review 160 (160) 2020/03/04 16:52
KMSAN: uninit-value in audit_log_vformat 1 (2) 2020/02/24 22:31
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in audit_log_vformat (2) audit C 104 1448d 1468d 15/26 fixed on 2020/06/18 13:57

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:608 [inline]
BUG: KMSAN: uninit-value in string+0x522/0x690 lib/vsprintf.c:689
CPU: 1 PID: 12069 Comm: syz-executor170 Not tainted 5.6.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 string_nocheck lib/vsprintf.c:608 [inline]
 string+0x522/0x690 lib/vsprintf.c:689
 vsnprintf+0x207d/0x31b0 lib/vsprintf.c:2574
 audit_log_vformat+0x583/0xcd0 kernel/audit.c:1856
 audit_log_format+0x220/0x260 kernel/audit.c:1890
 audit_receive_msg kernel/audit.c:1338 [inline]
 audit_receive+0x3688/0x6be0 kernel/audit.c:1513
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x1246/0x14d0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343
 ___sys_sendmsg net/socket.c:2397 [inline]
 __sys_sendmsg+0x451/0x5f0 net/socket.c:2430
 __compat_sys_sendmsg net/compat.c:642 [inline]
 __do_compat_sys_sendmsg net/compat.c:649 [inline]
 __se_compat_sys_sendmsg net/compat.c:646 [inline]
 __ia32_compat_sys_sendmsg+0xed/0x130 net/compat.c:646
 do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
 do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
 entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f12d99
Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ffadf8ac EFLAGS: 00000246 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020000200
RDX: 0000000000000000 RSI: 00000000080ea080 RDI: 00000000ffadf900
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
 kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
 slab_alloc_node mm/slub.c:2793 [inline]
 __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1051 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
 netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343
 ___sys_sendmsg net/socket.c:2397 [inline]
 __sys_sendmsg+0x451/0x5f0 net/socket.c:2430
 __compat_sys_sendmsg net/compat.c:642 [inline]
 __do_compat_sys_sendmsg net/compat.c:649 [inline]
 __se_compat_sys_sendmsg net/compat.c:646 [inline]
 __ia32_compat_sys_sendmsg+0xed/0x130 net/compat.c:646
 do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
 do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
 entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
=====================================================

Crashes (220):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/02/22 09:01 https://github.com/google/kmsan.git master 8bbbc5cf3dca 2ffa6679 .config console log report syz C ci-upstream-kmsan-gce-386
2020/04/15 11:15 https://github.com/google/kmsan.git master 75303409203b 3f3c5574 .config console log report ci-upstream-kmsan-gce-386
2020/04/14 16:06 https://github.com/google/kmsan.git master 75303409203b 3f3c5574 .config console log report ci-upstream-kmsan-gce-386
2020/04/14 14:28 https://github.com/google/kmsan.git master 75303409203b 3f3c5574 .config console log report ci-upstream-kmsan-gce-386
2020/04/14 03:49 https://github.com/google/kmsan.git master 75303409203b 7c54686a .config console log report ci-upstream-kmsan-gce-386
2020/04/14 00:20 https://github.com/google/kmsan.git master 75303409203b 7c54686a .config console log report ci-upstream-kmsan-gce-386
2020/04/13 23:19 https://github.com/google/kmsan.git master 75303409203b 7c54686a .config console log report ci-upstream-kmsan-gce-386
2020/04/13 18:47 https://github.com/google/kmsan.git master 75303409203b 17a986e5 .config console log report ci-upstream-kmsan-gce-386
2020/04/13 14:09 https://github.com/google/kmsan.git master 75303409203b 17a986e5 .config console log report ci-upstream-kmsan-gce-386
2020/04/13 05:00 https://github.com/google/kmsan.git master 75303409203b 36b0b050 .config console log report ci-upstream-kmsan-gce-386
2020/04/12 00:29 https://github.com/google/kmsan.git master 75303409203b a8c6a3f8 .config console log report ci-upstream-kmsan-gce-386
2020/04/11 07:58 https://github.com/google/kmsan.git master 75303409203b a8c6a3f8 .config console log report ci-upstream-kmsan-gce-386
2020/04/11 03:47 https://github.com/google/kmsan.git master 75303409203b a8c6a3f8 .config console log report ci-upstream-kmsan-gce-386
2020/04/10 17:07 https://github.com/google/kmsan.git master 75303409203b a8c6a3f8 .config console log report ci-upstream-kmsan-gce-386
2020/04/10 11:35 https://github.com/google/kmsan.git master 75303409203b a8c6a3f8 .config console log report ci-upstream-kmsan-gce-386
2020/04/10 02:19 https://github.com/google/kmsan.git master 75303409203b a8c6a3f8 .config console log report ci-upstream-kmsan-gce-386
2020/04/09 16:38 https://github.com/google/kmsan.git master 75303409203b a8c6a3f8 .config console log report ci-upstream-kmsan-gce-386
2020/04/09 08:59 https://github.com/google/kmsan.git master 75303409203b a8c6a3f8 .config console log report ci-upstream-kmsan-gce-386
2020/04/08 15:58 https://github.com/google/kmsan.git master 75303409203b db9bcd4b .config console log report ci-upstream-kmsan-gce-386
2020/04/07 14:02 https://github.com/google/kmsan.git master 75303409203b 99a96044 .config console log report ci-upstream-kmsan-gce-386
2020/04/07 05:01 https://github.com/google/kmsan.git master 75303409203b 99a96044 .config console log report ci-upstream-kmsan-gce-386
2020/04/07 03:50 https://github.com/google/kmsan.git master 75303409203b 99a96044 .config console log report ci-upstream-kmsan-gce-386
2020/04/06 22:30 https://github.com/google/kmsan.git master 75303409203b 99a96044 .config console log report ci-upstream-kmsan-gce-386
2020/04/06 20:44 https://github.com/google/kmsan.git master 75303409203b 99a96044 .config console log report ci-upstream-kmsan-gce-386
2020/04/02 10:31 https://github.com/google/kmsan.git master 75303409203b a34e2c33 .config console log report ci-upstream-kmsan-gce-386
2020/04/01 20:59 https://github.com/google/kmsan.git master 75303409203b a34e2c33 .config console log report ci-upstream-kmsan-gce-386
2020/04/01 12:13 https://github.com/google/kmsan.git master 75303409203b a34e2c33 .config console log report ci-upstream-kmsan-gce-386
2020/04/01 08:28 https://github.com/google/kmsan.git master 75303409203b a34e2c33 .config console log report ci-upstream-kmsan-gce-386
2020/04/01 08:04 https://github.com/google/kmsan.git master 75303409203b a34e2c33 .config console log report ci-upstream-kmsan-gce-386
2020/04/01 06:56 https://github.com/google/kmsan.git master 75303409203b a34e2c33 .config console log report ci-upstream-kmsan-gce-386
2020/04/01 03:29 https://github.com/google/kmsan.git master 75303409203b a34e2c33 .config console log report ci-upstream-kmsan-gce-386
2020/03/30 17:16 https://github.com/google/kmsan.git master 75303409203b c8d1cc20 .config console log report ci-upstream-kmsan-gce-386
2020/03/30 16:11 https://github.com/google/kmsan.git master 75303409203b c8d1cc20 .config console log report ci-upstream-kmsan-gce-386
2020/03/30 14:49 https://github.com/google/kmsan.git master 75303409203b c8d1cc20 .config console log report ci-upstream-kmsan-gce-386
2020/03/30 09:40 https://github.com/google/kmsan.git master 75303409203b 05736b29 .config console log report ci-upstream-kmsan-gce-386
2020/03/30 06:11 https://github.com/google/kmsan.git master 75303409203b 05736b29 .config console log report ci-upstream-kmsan-gce-386
2020/03/29 14:55 https://github.com/google/kmsan.git master 75303409203b 05736b29 .config console log report ci-upstream-kmsan-gce-386
2020/03/28 23:18 https://github.com/google/kmsan.git master 75303409203b f1ebdfba .config console log report ci-upstream-kmsan-gce-386
2020/03/28 16:22 https://github.com/google/kmsan.git master 75303409203b f1ebdfba .config console log report ci-upstream-kmsan-gce-386
2020/03/28 14:33 https://github.com/google/kmsan.git master 75303409203b f1ebdfba .config console log report ci-upstream-kmsan-gce-386
2020/03/28 13:21 https://github.com/google/kmsan.git master 75303409203b f1ebdfba .config console log report ci-upstream-kmsan-gce-386
2020/03/28 01:31 https://github.com/google/kmsan.git master 75303409203b 831e9a81 .config console log report ci-upstream-kmsan-gce-386
2020/03/27 09:48 https://github.com/google/kmsan.git master c95d0c951e03 7d95711b .config console log report ci-upstream-kmsan-gce-386
2020/03/27 01:46 https://github.com/google/kmsan.git master c95d0c951e03 6d25c5a0 .config console log report ci-upstream-kmsan-gce-386
2020/03/26 08:42 https://github.com/google/kmsan.git master c95d0c951e03 e8e6c7d2 .config console log report ci-upstream-kmsan-gce-386
2020/03/25 10:20 https://github.com/google/kmsan.git master a58741ac26cc 41f049cc .config console log report ci-upstream-kmsan-gce-386
2020/02/21 02:04 https://github.com/google/kmsan.git master 8bbbc5cf3dca bd2a74a3 .config console log report ci-upstream-kmsan-gce-386
* Struck through repros no longer work on HEAD.