KMSAN: kernel-infoleak in _copy_to

KMSAN: kernel-infoleak in _copy_to_iter (5)
Status: upstream: reported C repro on 2020/05/13 15:25
Reported-by: syzbot+50ee810676e6a089487b@syzkaller.appspotmail.com
Fix commit: 08c27f3322fe batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-arm32]
First crash: 449d, last: 10d

similar bugs (4):
Kernel	Title	Repro	Count	Last	Reported	Patched	Status
upstream	KMSAN: kernel-infoleak in _copy_to_iter	C	285	1105d	1141d	9/22	fixed on 2018/08/08 18:10
upstream	KMSAN: kernel-infoleak in _copy_to_iter (4)	C	56	973d	977d	12/22	fixed on 2018/12/18 11:30
upstream	KMSAN: kernel-infoleak in _copy_to_iter (3)	C	36	1008d	1019d	12/22	fixed on 2018/10/30 01:28
upstream	KMSAN: kernel-infoleak in _copy_to_iter (2)	C	7	1035d	1062d	12/22	fixed on 2018/10/08 09:31

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/04/05 00:38	25m	penguin-kernel@i-love.sakura.ne.jp	patch	https://github.com/google/kmsan.git master	OK

Sample crash report:

=====================================================
BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
CPU: 1 PID: 8470 Comm: syz-executor981 Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x24c/0x2e0 lib/dump_stack.c:120
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x1f5/0x500 mm/kmsan/kmsan.c:399
 kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 copyout lib/iov_iter.c:145 [inline]
 _copy_to_iter+0xf79/0x2bc0 lib/iov_iter.c:624
 copy_to_iter include/linux/uio.h:137 [inline]
 simple_copy_to_iter+0xf6/0x150 net/core/datagram.c:519
 __skb_datagram_iter+0x2cb/0x1210 net/core/datagram.c:425
 skb_copy_datagram_iter+0xd8/0x200 net/core/datagram.c:533
 skb_copy_datagram_msg include/linux/skbuff.h:3599 [inline]
 packet_recvmsg+0x764/0x2060 net/packet/af_packet.c:3405
 ____sys_recvmsg+0x57f/0xd50 net/socket.c:888
 ___sys_recvmsg net/socket.c:2611 [inline]
 do_recvmmsg+0xa97/0x22d0 net/socket.c:2705
 __sys_recvmmsg net/socket.c:2784 [inline]
 __do_sys_recvmmsg net/socket.c:2807 [inline]
 __se_sys_recvmmsg+0x24a/0x410 net/socket.c:2800
 __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2800
 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4438b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd2592bda8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004438b9
RDX: 0000000000000003 RSI: 00000000200072c0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd2592bdc0
R13: 00000000000f4240 R14: 00000000000219ca R15: 00007ffd2592bdb4

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:120 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:288
 kmsan_memcpy_memmove_metadata+0x25e/0x2d0 mm/kmsan/kmsan.c:225
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:245
 __msan_memcpy+0x46/0x60 mm/kmsan/kmsan_instr.c:110
 pskb_expand_head+0x3d6/0x1e20 net/core/skbuff.c:1685
 __skb_cow include/linux/skbuff.h:3232 [inline]
 skb_cow_head include/linux/skbuff.h:3266 [inline]
 batadv_skb_head_push+0x2cc/0x410 net/batman-adv/soft-interface.c:73
 batadv_send_skb_packet+0x1ed/0x970 net/batman-adv/send.c:86
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:419 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0xb2d/0xef0 net/batman-adv/bat_iv_ogm.c:1711
 process_one_work+0x1219/0x1fe0 kernel/workqueue.c:2275
 worker_thread+0x10ec/0x2340 kernel/workqueue.c:2421
 kthread+0x521/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:120 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:103
 kmsan_slab_alloc+0x8e/0xe0 mm/kmsan/kmsan_hooks.c:76
 slab_alloc_node mm/slub.c:2922 [inline]
 __kmalloc_node_track_caller+0xa4f/0x1470 mm/slub.c:4609
 kmalloc_reserve net/core/skbuff.c:353 [inline]
 __alloc_skb+0x4dd/0xe90 net/core/skbuff.c:424
 __netdev_alloc_skb+0x45d/0x810 net/core/skbuff.c:491
 __netdev_alloc_skb_ip_align include/linux/skbuff.h:2884 [inline]
 netdev_alloc_skb_ip_align include/linux/skbuff.h:2894 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:558 [inline]
 batadv_iv_ogm_queue_add+0x1376/0x1c40 net/batman-adv/bat_iv_ogm.c:670
 batadv_iv_ogm_schedule_buff net/batman-adv/bat_iv_ogm.c:849 [inline]
 batadv_iv_ogm_schedule+0x12cd/0x16b0 net/batman-adv/bat_iv_ogm.c:869
 batadv_iv_send_outstanding_bat_ogm_packet+0xd6e/0xef0 net/batman-adv/bat_iv_ogm.c:1723
 process_one_work+0x1219/0x1fe0 kernel/workqueue.c:2275
 worker_thread+0x10ec/0x2340 kernel/workqueue.c:2421
 kthread+0x521/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Bytes 52-53 of 146 are uninitialized
Memory access of size 146 starts at ffff888130248440
Data copied to user address 0000000020000180
=====================================================

Crashes (23883):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kmsan-gce	2021/07/09 07:13	https://github.com/google/kmsan.git master	57b5797c8013	1b20171a	.config	log	report	syz	C		KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/04/18 21:00	https://github.com/google/kmsan.git master	4ebaab5fb428	7e2b734b	.config	log	report	syz	C		KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/04/16 08:11	https://github.com/google/kmsan.git master	4ebaab5fb428	c59079a6	.config	log	report	syz	C		KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/04/16 06:34	https://github.com/google/kmsan.git master	4ebaab5fb428	c59079a6	.config	log	report	syz	C		KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/02/08 07:04	https://github.com/google/kmsan.git master	73d62e81b476	2ce644fc	.config	log	report	syz	C		KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2020/08/14 05:04	https://github.com/google/kmsan.git master	ce8056d1f79e	54ce1ed6	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/05/10 14:24	https://github.com/google/kmsan.git master	14bcee29ad06	8742a2b9	.config	log	report	syz	C
ci-upstream-kmsan-gce-386	2020/08/17 06:42	https://github.com/google/kmsan.git master	ce8056d1f79e	424dd8e7	.config	log	report	syz	C
ci-upstream-kmsan-gce-386	2020/05/10 20:33	https://github.com/google/kmsan.git master	14bcee29ad06	8742a2b9	.config	log	report	syz	C
ci-upstream-kmsan-gce	2021/07/23 22:07	https://github.com/google/kmsan.git master	a43e029dee89	bc5f1d88	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/21 19:12	https://github.com/google/kmsan.git master	aeb985b98bde	29c3f20f	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/19 04:44	https://github.com/google/kmsan.git master	a0f3a2c4404f	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/16 07:53	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/16 06:12	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/16 04:06	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/16 02:54	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/16 00:39	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/15 22:39	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/15 19:26	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/15 18:15	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/15 15:23	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/15 14:03	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/15 09:42	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/15 08:16	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/14 21:52	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/14 20:44	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/14 19:31	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/07/14 18:25	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/21 12:55	https://github.com/google/kmsan.git master	aeb985b98bde	1b201b48	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/16 14:50	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/16 13:35	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/16 11:40	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/16 10:58	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/16 09:30	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/16 05:16	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/16 01:21	https://github.com/google/kmsan.git master	57b5797c8013	f115ae98	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 21:38	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 20:23	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 17:03	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 15:04	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 13:00	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 11:42	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 10:42	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 09:37	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 06:34	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 05:33	https://github.com/google/kmsan.git master	57b5797c8013	b9a2f64e	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 03:58	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 03:37	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 02:35	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 01:32	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 00:24	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/15 00:17	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/14 23:00	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce-386	2021/07/14 17:18	https://github.com/google/kmsan.git master	57b5797c8013	94e0b707	.config	log	report			info	KMSAN: kernel-infoleak in _copy_to_iter
ci-upstream-kmsan-gce	2021/01/17 12:57	https://github.com/google/kmsan.git master	73d62e81b476	813be542	.config	log	report			info
ci-upstream-kmsan-gce-386	2020/05/10 12:05	https://github.com/google/kmsan.git master	14bcee29ad06	8742a2b9	.config	log	report