syzbot

 sign-in | mailing list | source | docs
🐞 Open [950] Subsystems 🐞 Fixed [4575] 🐞 Invalid [10560] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KMSAN: uninit-value in kvm_cpuid

Status: fixed on 2022/03/08 16:11
Labels: kvm (incorrect?)
Reported-by: syzbot+d6d011bc17bb751d4aa2@syzkaller.appspotmail.com
Fix commit: e8a747d0884e KVM: x86: Swap order of CPUID entry "index" vs. "significant flag" checks
First crash: 623d, last: 592d
Discussions (3)
Title Replies (including bot) Last reply
[PATCH 5.14 000/172] 5.14.10-rc1 review 184 (184) 2021/10/05 06:41
[syzbot] KMSAN: uninit-value in kvm_cpuid 1 (2) 2021/10/01 15:13
[PATCH 0/2] KVM: x86: Fix mostly theoretical undefined behavior 8 (8) 2021/09/30 16:45

Sample crash report:
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
=====================================================
BUG: KMSAN: uninit-value in cpuid_entry2_find arch/x86/kvm/cpuid.c:68 [inline]
BUG: KMSAN: uninit-value in kvm_find_cpuid_entry arch/x86/kvm/cpuid.c:1103 [inline]
BUG: KMSAN: uninit-value in kvm_cpuid+0x456/0x28f0 arch/x86/kvm/cpuid.c:1183
 cpuid_entry2_find arch/x86/kvm/cpuid.c:68 [inline]
 kvm_find_cpuid_entry arch/x86/kvm/cpuid.c:1103 [inline]
 kvm_cpuid+0x456/0x28f0 arch/x86/kvm/cpuid.c:1183
 kvm_vcpu_reset+0x13fb/0x1c20 arch/x86/kvm/x86.c:10885
 kvm_apic_accept_events+0x58f/0x8c0 arch/x86/kvm/lapic.c:2923
 vcpu_enter_guest+0xfd2/0x6d80 arch/x86/kvm/x86.c:9534
 vcpu_run+0x7f5/0x18d0 arch/x86/kvm/x86.c:9788
 kvm_arch_vcpu_ioctl_run+0x245b/0x2d10 arch/x86/kvm/x86.c:10020
 kvm_vcpu_ioctl+0x1055/0x1e00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3749
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0x2df/0x4a0 fs/ioctl.c:860
 __x64_sys_ioctl+0xd8/0x110 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Local variable ----dummy@kvm_vcpu_reset created at:
 kvm_vcpu_reset+0x1fb/0x1c20 arch/x86/kvm/x86.c:10812
 kvm_apic_accept_events+0x58f/0x8c0 arch/x86/kvm/lapic.c:2923
=====================================================
Kernel panic - not syncing: panic_on_kmsan set ...
CPU: 1 PID: 6364 Comm: syz-executor072 Tainted: G    B             5.15.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1ff/0x28e lib/dump_stack.c:106
 dump_stack+0x25/0x28 lib/dump_stack.c:113
 panic+0x44f/0xdeb kernel/panic.c:232
 kmsan_report+0x2ee/0x300 mm/kmsan/report.c:186
 __msan_warning+0xd7/0x150 mm/kmsan/instrumentation.c:208
 cpuid_entry2_find arch/x86/kvm/cpuid.c:68 [inline]
 kvm_find_cpuid_entry arch/x86/kvm/cpuid.c:1103 [inline]
 kvm_cpuid+0x456/0x28f0 arch/x86/kvm/cpuid.c:1183
 kvm_vcpu_reset+0x13fb/0x1c20 arch/x86/kvm/x86.c:10885
 kvm_apic_accept_events+0x58f/0x8c0 arch/x86/kvm/lapic.c:2923
 vcpu_enter_guest+0xfd2/0x6d80 arch/x86/kvm/x86.c:9534
 vcpu_run+0x7f5/0x18d0 arch/x86/kvm/x86.c:9788
 kvm_arch_vcpu_ioctl_run+0x245b/0x2d10 arch/x86/kvm/x86.c:10020
 kvm_vcpu_ioctl+0x1055/0x1e00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3749
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0x2df/0x4a0 fs/ioctl.c:860
 __x64_sys_ioctl+0xd8/0x110 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f51eb544a19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe2fe74dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f51eb544a19
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe2fe74f68
R10: 0000000000009120 R11: 0000000000000246 R12: 00007f51eb507c80
R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (22):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2021/09/25 03:57 https://github.com/google/kmsan.git master cd2c05533838 8cac236e .config console log report syz C ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/25 16:23 https://github.com/google/kmsan.git master 82e66ad2e586 4f0000ee .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/24 05:35 https://github.com/google/kmsan.git master 82e66ad2e586 282f03fb .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/23 20:15 https://github.com/google/kmsan.git master 82e66ad2e586 282f03fb .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/23 08:35 https://github.com/google/kmsan.git master 82e66ad2e586 282f03fb .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/21 20:53 https://github.com/google/kmsan.git master d6493d2046c4 c5cb7da8 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/21 20:23 https://github.com/google/kmsan.git master d6493d2046c4 c5cb7da8 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/20 14:21 https://github.com/google/kmsan.git master d6493d2046c4 418a00eb .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/16 20:18 https://github.com/google/kmsan.git master d6493d2046c4 0c5d9412 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/16 19:55 https://github.com/google/kmsan.git master d6493d2046c4 0c5d9412 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/16 19:55 https://github.com/google/kmsan.git master d6493d2046c4 0c5d9412 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/16 01:51 https://github.com/google/kmsan.git master 8bdd014d5dc7 0c5d9412 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/10 02:53 https://github.com/google/kmsan.git master c7f84f4e1147 838e7e2c .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/10 02:53 https://github.com/google/kmsan.git master c7f84f4e1147 838e7e2c .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/10/02 22:54 https://github.com/google/kmsan.git master 90f502f5d016 db0f5787 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/09/28 04:07 https://github.com/google/kmsan.git master cd2c05533838 78494d16 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/09/28 01:31 https://github.com/google/kmsan.git master cd2c05533838 78494d16 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/09/27 23:47 https://github.com/google/kmsan.git master cd2c05533838 78494d16 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/09/24 23:01 https://github.com/google/kmsan.git master cd2c05533838 8cac236e .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/09/24 22:55 https://github.com/google/kmsan.git master cd2c05533838 8cac236e .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/09/24 21:56 https://github.com/google/kmsan.git master cd2c05533838 8cac236e .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
2021/09/24 21:35 https://github.com/google/kmsan.git master cd2c05533838 8cac236e .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in kvm_cpuid
* Struck through repros no longer work on HEAD.