syzbot


KMSAN: kernel-infoleak in __skb_datagram_iter (3)

Status: fixed on 2024/05/23 00:06
Subsystems: net
[Documentation on labels]
Fix commit: d313eb8b7755 net/sched: act_skbmod: prevent kernel-infoleak
First crash: 256d, last: 202d
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: kernel-infoleak in __skb_datagram_iter (2) net C 126 258d 310d 25/28 fixed on 2024/03/25 23:45
upstream KMSAN: kernel-infoleak in __skb_datagram_iter (4) net C 120 3d03h 198d 0/28 upstream: reported C repro on 2024/05/24 12:51
upstream KMSAN: kernel-infoleak in copyout (2) net C 6723 549d 1717d 22/28 fixed on 2023/06/08 14:41
upstream KMSAN: kernel-infoleak in __skb_datagram_iter net 68 439d 544d 23/28 fixed on 2023/09/28 17:51
android-5-15 KASAN: use-after-free Read in __skb_datagram_iter origin:upstream C done 1 360d 391d 0/2 auto-obsoleted due to no activity on 2024/03/22 20:57
upstream KASAN: use-after-free Read in __skb_datagram_iter net 431 1314d 1321d 0/28 auto-closed as invalid on 2021/07/03 04:24
Last patch testing requests (1)
Created Duration User Patch Repo Result
2024/04/03 13:11 5h01m edumazet@google.com patch upstream OK log

Sample crash report:
netlink: 28 bytes leftover after parsing attributes in process `syz-executor369'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor369'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor369'.
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 copy_to_user_iter lib/iov_iter.c:24 [inline]
 iterate_ubuf include/linux/iov_iter.h:29 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
 iterate_and_advance include/linux/iov_iter.h:271 [inline]
 _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
 copy_to_iter include/linux/uio.h:196 [inline]
 simple_copy_to_iter net/core/datagram.c:532 [inline]
 __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420
 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
 skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]
 netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962
 sock_recvmsg_nosec net/socket.c:1046 [inline]
 sock_recvmsg+0x2c4/0x340 net/socket.c:1068
 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242
 __do_sys_recvfrom net/socket.c:2260 [inline]
 __se_sys_recvfrom net/socket.c:2256 [inline]
 __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was stored to memory at:
 pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253
 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317
 netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351
 nlmsg_unicast include/net/netlink.h:1144 [inline]
 nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610
 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741
 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]
 tcf_add_notify net/sched/act_api.c:2048 [inline]
 tcf_action_add net/sched/act_api.c:2071 [inline]
 tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119
 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
 netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:745
 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was stored to memory at:
 __nla_put lib/nlattr.c:1041 [inline]
 nla_put+0x1c6/0x230 lib/nlattr.c:1099
 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256
 tcf_action_dump_old net/sched/act_api.c:1191 [inline]
 tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227
 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251
 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628
 tcf_add_notify_msg net/sched/act_api.c:2023 [inline]
 tcf_add_notify net/sched/act_api.c:2042 [inline]
 tcf_action_add net/sched/act_api.c:2071 [inline]
 tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119
 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595
 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559
 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613
 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
 netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361
 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:745
 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
 __sys_sendmsg net/socket.c:2667 [inline]
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Local variable opt created at:
 tcf_skbmod_dump+0x9d/0xc20 net/sched/act_skbmod.c:244
 tcf_action_dump_old net/sched/act_api.c:1191 [inline]
 tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227

Bytes 188-191 of 248 are uninitialized
Memory access of size 248 starts at ffff888117697680
Data copied to user address 00007ffe56d855f0

CPU: 1 PID: 5018 Comm: syz-executor369 Not tainted 6.9.0-rc1-syzkaller-00178-g317c7bc0ef03 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
=====================================================

Crashes (25):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/03/29 20:07 upstream 317c7bc0ef03 c52bcb23 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/05/19 04:58 upstream 614da38e2f7a c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/05/19 03:13 upstream 614da38e2f7a c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/05/05 03:39 upstream 7367539ad4b0 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/01 03:44 upstream 18737353cca0 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/03/31 13:06 upstream 712e14250dd2 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/03/30 09:25 upstream 486291a0e624 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/03/29 18:59 upstream 317c7bc0ef03 c52bcb23 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/05/20 07:06 upstream 101b7a97143a c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/05/20 07:06 upstream 101b7a97143a c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/05/11 18:51 upstream cf87f46fd34d 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/05/11 18:50 upstream cf87f46fd34d 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/26 04:06 upstream e33c4963bf53 8bdc0f22 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/26 04:06 upstream e33c4963bf53 8bdc0f22 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/26 04:06 upstream e33c4963bf53 8bdc0f22 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/23 12:48 upstream 4d2008430ce8 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/21 06:02 upstream 977b1ef51866 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/21 06:02 upstream 977b1ef51866 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/21 06:02 upstream 977b1ef51866 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/20 22:35 upstream 13a2e429f644 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/07 02:50 upstream f2f80ac80987 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/07 01:40 upstream f2f80ac80987 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/04/01 09:32 upstream 39cd87c4eb2b 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/03/27 23:11 upstream 7033999ecd7b 454571b6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
2024/03/27 05:32 upstream 928a87efa423 454571b6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: kernel-infoleak in __skb_datagram_iter
* Struck through repros no longer work on HEAD.