KMSAN: kernel-infoleak in copyout (2)

KMSAN: kernel-infoleak in copyout (2)
Status: upstream: reported C repro on 2020/03/26 17:19
Reported-by: syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com
First crash: 661d, last: 300d

similar bugs (1):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KMSAN: kernel-infoleak in copyout	C			1860	661d	661d	0/21	closed as invalid on 2019/05/15 17:57

Sample crash report:

=====================================================
BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
CPU: 1 PID: 11522 Comm: syz-executor835 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
 kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
 copyout+0x15a/0x1e0 lib/iov_iter.c:145
 _copy_to_iter+0x34e/0x2420 lib/iov_iter.c:633
 copy_to_iter include/linux/uio.h:138 [inline]
 simple_copy_to_iter+0xd7/0x130 net/core/datagram.c:515
 __skb_datagram_iter+0x25f/0xfc0 net/core/datagram.c:423
 skb_copy_datagram_iter+0x292/0x2b0 net/core/datagram.c:529
 tun_put_user drivers/net/tun.c:2144 [inline]
 tun_do_read+0x2471/0x2df0 drivers/net/tun.c:2228
 tun_chr_read_iter+0x229/0x460 drivers/net/tun.c:2247
 call_read_iter include/linux/fs.h:1896 [inline]
 new_sync_read fs/read_write.c:414 [inline]
 __vfs_read+0xa64/0xc80 fs/read_write.c:427
 vfs_read+0x346/0x6a0 fs/read_write.c:461
 ksys_read+0x267/0x450 fs/read_write.c:587
 __do_sys_read fs/read_write.c:597 [inline]
 __se_sys_read+0x92/0xb0 fs/read_write.c:595
 __x64_sys_read+0x4a/0x70 fs/read_write.c:595
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x403f40
Code: 01 f0 ff ff 0f 83 a0 0d 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 6d a0 2d 00 00 75 14 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 0d 00 00 c3 48 83 ec 08 e8 da 02 00 00
RSP: 002b:00007ffe8e33e1d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000403f40
RDX: 00000000000003e8 RSI: 00007ffe8e33e1e0 RDI: 00000000000000f0
RBP: 000000000002640f R08: 0000000000000000 R09: 0000000000000004
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004051d0 R14: 0000000000000000 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:310
 kmsan_memcpy_memmove_metadata+0x272/0x2e0 mm/kmsan/kmsan.c:247
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:267
 __msan_memcpy+0x43/0x50 mm/kmsan/kmsan_instr.c:116
 pskb_expand_head+0x38b/0x1b00 net/core/skbuff.c:1637
 __skb_cow include/linux/skbuff.h:3120 [inline]
 skb_cow_head include/linux/skbuff.h:3154 [inline]
 batadv_skb_head_push+0x234/0x350 net/batman-adv/soft-interface.c:74
 batadv_send_skb_packet+0x1a7/0x8c0 net/batman-adv/send.c:86
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:419 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0x97e/0xd50 net/batman-adv/bat_iv_ogm.c:1706
 process_one_work+0x1552/0x1ef0 kernel/workqueue.c:2264
 worker_thread+0xef6/0x2450 kernel/workqueue.c:2410
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:353

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:307 [inline]
 kmsan_alloc_page+0x12a/0x310 mm/kmsan/kmsan_shadow.c:336
 __alloc_pages_nodemask+0x57f2/0x5f60 mm/page_alloc.c:4800
 __alloc_pages include/linux/gfp.h:498 [inline]
 __alloc_pages_node include/linux/gfp.h:511 [inline]
 alloc_pages_node include/linux/gfp.h:525 [inline]
 __page_frag_cache_refill mm/page_alloc.c:4875 [inline]
 page_frag_alloc+0x3ae/0x910 mm/page_alloc.c:4905
 __netdev_alloc_skb+0x703/0xbb0 net/core/skbuff.c:455
 __netdev_alloc_skb_ip_align include/linux/skbuff.h:2801 [inline]
 netdev_alloc_skb_ip_align include/linux/skbuff.h:2811 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:558 [inline]
 batadv_iv_ogm_queue_add+0x10da/0x1900 net/batman-adv/bat_iv_ogm.c:670
 batadv_iv_ogm_schedule_buff net/batman-adv/bat_iv_ogm.c:845 [inline]
 batadv_iv_ogm_schedule+0x107b/0x13c0 net/batman-adv/bat_iv_ogm.c:865
 batadv_iv_send_outstanding_bat_ogm_packet+0xbae/0xd50 net/batman-adv/bat_iv_ogm.c:1718
 process_one_work+0x1552/0x1ef0 kernel/workqueue.c:2264
 worker_thread+0xef6/0x2450 kernel/workqueue.c:2410
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:353

Bytes 52-53 of 146 are uninitialized
Memory access of size 146 starts at ffff9ecbf8eb0c40
Data copied to user address 00007ffe8e33e1e0
=====================================================

Crashes (6371):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kmsan-gce	2020/02/16 03:31	https://github.com/google/kmsan.git master	686a4f77	5d7b90f1	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/02/10 13:57	https://github.com/google/kmsan.git master	686a4f77	35f5e45e	.config	log	report	syz	C
ci-upstream-kmsan-gce	2020/01/10 01:31	https://github.com/google/kmsan.git master	178db004	4de4e9f0	.config	log	report	syz	C
ci-upstream-kmsan-gce	2019/12/03 04:22	https://github.com/google/kmsan.git master	940694c1	ab342da3	.config	log	report	syz	C
ci-upstream-kmsan-gce	2019/12/01 20:38	https://github.com/google/kmsan.git master	e2027b2c	a76bf83f	.config	log	report	syz	C
ci-upstream-kmsan-gce	2019/11/30 18:47	https://github.com/google/kmsan.git master	e2027b2c	3a75be00	.config	log	report	syz	C
ci-upstream-kmsan-gce	2019/07/20 00:33	https://github.com/google/kmsan.git master	beaab8a3	1656845f	.config	log	report	syz	C
ci-upstream-kmsan-gce	2019/07/13 03:49	https://github.com/google/kmsan.git master	7280182c	baa5258a	.config	log	report	syz	C
ci-upstream-kmsan-gce	2019/06/28 11:31	https://github.com/google/kmsan.git master	41550654	7509bf36	.config	log	report	syz	C
ci-upstream-kmsan-gce	2019/06/18 19:26	https://github.com/google/kmsan.git master	aad0f0dd	e3f76baa	.config	log	report	syz	C
ci-upstream-kmsan-gce	2019/06/17 20:04	https://github.com/google/kmsan.git master	aad0f0dd	442206d7	.config	log	report	syz	C
ci-upstream-kmsan-gce	2019/06/03 15:14	https://github.com/google/kmsan.git master	f75e4cfe	63bf051f	.config	log	report	syz	C
ci-upstream-kmsan-gce	2019/09/05 23:13	https://github.com/google/kmsan.git master	040b8306	040fda58	.config	log	report	syz
ci-upstream-kmsan-gce	2020/05/10 10:06	https://github.com/google/kmsan.git master	a7b0442d	8742a2b9	.config	log	report
ci-upstream-kmsan-gce	2020/05/10 07:31	https://github.com/google/kmsan.git master	a7b0442d	8742a2b9	.config	log	report
ci-upstream-kmsan-gce	2020/05/10 05:44	https://github.com/google/kmsan.git master	a7b0442d	8742a2b9	.config	log	report
ci-upstream-kmsan-gce	2020/05/10 03:59	https://github.com/google/kmsan.git master	a7b0442d	8742a2b9	.config	log	report
ci-upstream-kmsan-gce	2020/05/09 23:48	https://github.com/google/kmsan.git master	a7b0442d	88cb3e92	.config	log	report
ci-upstream-kmsan-gce	2020/05/09 22:45	https://github.com/google/kmsan.git master	a7b0442d	88cb3e92	.config	log	report
ci-upstream-kmsan-gce	2020/05/09 21:44	https://github.com/google/kmsan.git master	a7b0442d	88cb3e92	.config	log	report
ci-upstream-kmsan-gce	2020/05/09 17:12	https://github.com/google/kmsan.git master	a7b0442d	88cb3e92	.config	log	report
ci-upstream-kmsan-gce	2020/05/09 12:24	https://github.com/google/kmsan.git master	a7b0442d	e97b06d3	.config	log	report
ci-upstream-kmsan-gce	2020/05/09 11:23	https://github.com/google/kmsan.git master	a7b0442d	e97b06d3	.config	log	report
ci-upstream-kmsan-gce	2020/05/09 06:24	https://github.com/google/kmsan.git master	21c44613	e97b06d3	.config	log	report
ci-upstream-kmsan-gce	2020/05/09 03:00	https://github.com/google/kmsan.git master	21c44613	e97b06d3	.config	log	report
ci-upstream-kmsan-gce	2020/05/09 00:08	https://github.com/google/kmsan.git master	21c44613	e97b06d3	.config	log	report
ci-upstream-kmsan-gce	2020/05/08 17:56	https://github.com/google/kmsan.git master	21c44613	2b98fdbc	.config	log	report
ci-upstream-kmsan-gce	2020/05/08 14:08	https://github.com/google/kmsan.git master	21c44613	2b98fdbc	.config	log	report
ci-upstream-kmsan-gce	2020/05/08 10:49	https://github.com/google/kmsan.git master	21c44613	6c70a1c2	.config	log	report
ci-upstream-kmsan-gce	2020/05/08 09:12	https://github.com/google/kmsan.git master	21c44613	6c70a1c2	.config	log	report
ci-upstream-kmsan-gce	2020/05/08 07:48	https://github.com/google/kmsan.git master	21c44613	6c70a1c2	.config	log	report
ci-upstream-kmsan-gce	2020/05/08 06:36	https://github.com/google/kmsan.git master	21c44613	6c70a1c2	.config	log	report
ci-upstream-kmsan-gce	2020/05/07 23:36	https://github.com/google/kmsan.git master	21c44613	6c70a1c2	.config	log	report
ci-upstream-kmsan-gce	2020/05/07 19:58	https://github.com/google/kmsan.git master	21c44613	98cbd87b	.config	log	report
ci-upstream-kmsan-gce	2020/05/07 18:41	https://github.com/google/kmsan.git master	21c44613	98cbd87b	.config	log	report
ci-upstream-kmsan-gce	2020/05/07 17:00	https://github.com/google/kmsan.git master	21c44613	98cbd87b	.config	log	report
ci-upstream-kmsan-gce	2020/05/07 11:58	https://github.com/google/kmsan.git master	21c44613	98cbd87b	.config	log	report
ci-upstream-kmsan-gce	2020/05/07 09:19	https://github.com/google/kmsan.git master	21c44613	4618eb2d	.config	log	report
ci-upstream-kmsan-gce	2020/05/07 07:42	https://github.com/google/kmsan.git master	21c44613	4618eb2d	.config	log	report
ci-upstream-kmsan-gce	2019/05/15 23:46	https://github.com/google/kmsan.git master	3b955a40	051c49fe	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/10 08:33	https://github.com/google/kmsan.git master	a7b0442d	8742a2b9	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/10 00:58	https://github.com/google/kmsan.git master	a7b0442d	88cb3e92	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/09 17:23	https://github.com/google/kmsan.git master	a7b0442d	88cb3e92	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/09 15:38	https://github.com/google/kmsan.git master	a7b0442d	88cb3e92	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/09 05:31	https://github.com/google/kmsan.git master	21c44613	e97b06d3	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/09 04:21	https://github.com/google/kmsan.git master	21c44613	e97b06d3	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/09 01:30	https://github.com/google/kmsan.git master	21c44613	e97b06d3	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/08 20:27	https://github.com/google/kmsan.git master	21c44613	2b98fdbc	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/08 19:06	https://github.com/google/kmsan.git master	21c44613	2b98fdbc	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/08 16:55	https://github.com/google/kmsan.git master	21c44613	2b98fdbc	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/08 15:24	https://github.com/google/kmsan.git master	21c44613	2b98fdbc	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/08 02:06	https://github.com/google/kmsan.git master	21c44613	6c70a1c2	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/08 01:13	https://github.com/google/kmsan.git master	21c44613	6c70a1c2	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/07 15:30	https://github.com/google/kmsan.git master	21c44613	98cbd87b	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/07 14:11	https://github.com/google/kmsan.git master	21c44613	98cbd87b	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/07 13:14	https://github.com/google/kmsan.git master	21c44613	98cbd87b	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/07 05:38	https://github.com/google/kmsan.git master	21c44613	4618eb2d	.config	log	report
ci-upstream-kmsan-gce-386	2020/05/07 04:32	https://github.com/google/kmsan.git master	21c44613	4618eb2d	.config	log	report