syzbot


KMSAN: kernel-infoleak in v4l2_compat_put_array_args

Status: fixed on 2023/02/24 13:50
Subsystems: media
[Documentation on labels]
Reported-by: syzbot+ff18193ff05f3f87f226@syzkaller.appspotmail.com
Fix commit: 4e768c8e34e6 media: v4l2-compat-ioctl32.c: zero buffer passed to v4l2_compat_get_array_args()
First crash: 997d, last: 692d
Discussions (4)
Title Replies (including bot) Last reply
[PATCH 5.19 000/101] 5.19.13-rc1 review 118 (118) 2022/10/06 07:45
[PATCH 5.15 00/83] 5.15.72-rc1 review 96 (96) 2022/10/05 01:45
[PATCH for 5.18] v4l2-compat-ioctl32.c: zero buffer passed to v4l2_compat_get_array_args() 3 (3) 2022/03/21 11:56
[syzbot] KMSAN: kernel-infoleak in v4l2_compat_put_array_args 0 (1) 2022/01/18 19:07
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in v4l2_compat_put_array_args (2) media 1 545d 541d 0/28 auto-obsoleted due to no activity on 2023/08/13 06:28
upstream KASAN: slab-out-of-bounds Read in v4l2_compat_put_array_args media 1 1120d 1116d 0/28 auto-closed as invalid on 2022/01/14 21:11
upstream BUG: unable to handle kernel NULL pointer dereference in deactivate_slab kernel 14 107d 137d 0/28 auto-obsoleted due to no activity on 2024/09/04 01:58

Sample crash report:
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
 copy_to_user include/linux/uaccess.h:209 [inline]
 v4l2_compat_put_array_args+0x155a/0x1670 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1152
 video_usercopy+0x2332/0x2870 drivers/media/v4l2-core/v4l2-ioctl.c:3343
 video_ioctl2+0x9f/0xb0 drivers/media/v4l2-core/v4l2-ioctl.c:3373
 v4l2_ioctl+0x263/0x290 drivers/media/v4l2-core/v4l2-dev.c:364
 v4l2_compat_ioctl32+0x384/0x410 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1251
 __do_compat_sys_ioctl fs/ioctl.c:972 [inline]
 __se_compat_sys_ioctl+0x876/0x1150 fs/ioctl.c:914
 __ia32_compat_sys_ioctl+0xd9/0x110 fs/ioctl.c:914
 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
 __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3247 [inline]
 __kmalloc_node+0xe03/0x14f0 mm/slub.c:4486
 kmalloc_node include/linux/slab.h:604 [inline]
 kvmalloc_node+0x1b6/0x3a0 mm/util.c:580
 kvmalloc include/linux/slab.h:732 [inline]
 video_usercopy+0x1660/0x2870 drivers/media/v4l2-core/v4l2-ioctl.c:3307
 video_ioctl2+0x9f/0xb0 drivers/media/v4l2-core/v4l2-ioctl.c:3373
 v4l2_ioctl+0x263/0x290 drivers/media/v4l2-core/v4l2-dev.c:364
 v4l2_compat_ioctl32+0x384/0x410 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1251
 __do_compat_sys_ioctl fs/ioctl.c:972 [inline]
 __se_compat_sys_ioctl+0x876/0x1150 fs/ioctl.c:914
 __ia32_compat_sys_ioctl+0xd9/0x110 fs/ioctl.c:914
 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
 __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Bytes 0-7 of 16 are uninitialized
Memory access of size 16 starts at ffff888018d45558
Data copied to user address 0000000020000214

CPU: 0 PID: 7268 Comm: syz-executor.2 Tainted: G        W         5.17.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/02/18 21:37 https://github.com/google/kmsan.git master 724946410067 3cd800e4 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: kernel-infoleak in v4l2_compat_put_array_args
2022/02/17 03:43 https://github.com/google/kmsan.git master 85cfd6e539bd 2bea8a27 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: kernel-infoleak in v4l2_compat_put_array_args
2022/01/17 15:24 https://github.com/google/kmsan.git master fa3879a274df 731a2d23 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: kernel-infoleak in v4l2_compat_put_array_args
2022/11/12 18:00 upstream 8f2975c2bb4c 3ead01ad .config console log report info ci-upstream-kasan-gce-386 KASAN: slab-out-of-bounds Read in v4l2_compat_put_array_args
2022/11/03 10:52 upstream b229b6ca5abb 7a2ebf95 .config console log report info ci-upstream-kasan-gce-386 KASAN: slab-out-of-bounds Read in v4l2_compat_put_array_args
2022/11/01 06:26 upstream b229b6ca5abb a1d8560a .config console log report info ci-upstream-kasan-gce-386 KASAN: slab-out-of-bounds Read in v4l2_compat_put_array_args
2022/11/18 18:42 https://github.com/google/kmsan.git master cb231e2f67ec 5bb70014 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in deactivate_slab
2022/10/28 09:48 https://github.com/google/kmsan.git master be8b0d020631 86777b7f .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in ib_free_port_attrs
* Struck through repros no longer work on HEAD.