syzbot

 sign-in | mailing list | source | docs
🐞 Open [1335]
Subsystems
🐞 Fixed [5785]
🐞 Invalid [14131]
Missing Backports [88]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KMSAN: kernel-infoleak in put_cmsg

Status: fixed on 2018/08/08 18:10
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com
Fix commit: 2efd4fca703a ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull
First crash: 2322d, last: 2313d
Discussions (7)
Title Replies (including bot) Last reply
[PATCH 4.17 00/66] 4.17.11-stable review 72 (72) 2018/07/30 11:44
[PATCH 4.4 00/23] 4.4.145-stable review 28 (28) 2018/07/28 06:55
[PATCH 4.9 00/33] 4.9.116-stable review 38 (38) 2018/07/28 06:55
[PATCH 4.14 00/48] 4.14.59-stable review 50 (50) 2018/07/28 06:54
[PATCH net v2] ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull 2 (2) 2018/07/24 23:36
[PATCH net] ip: in cmsg IP(V6)_ORIGDSTADDR do not read beyond headlen 3 (3) 2018/07/23 02:01
KMSAN: kernel-infoleak in put_cmsg 2 (3) 2018/07/21 02:41

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KMSAN: kernel-infoleak in copy_to_user include/linux/uaccess.h:184 [inline]
BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
CPU: 0 PID: 4569 Comm: syz-executor867 Not tainted 4.17.0+ #22
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:990
 kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1035
 kmsan_copy_to_user+0x73/0xb0 mm/kmsan/kmsan_hooks.c:479
 copy_to_user include/linux/uaccess.h:184 [inline]
 put_cmsg+0x5ef/0x860 net/core/scm.c:242
 ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719
 ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
 rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
 sock_common_recvmsg+0x173/0x280 net/core/sock.c:3023
 sock_recvmsg_nosec net/socket.c:802 [inline]
 sock_recvmsg+0x1d6/0x230 net/socket.c:809
 ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
 __sys_recvmsg net/socket.c:2328 [inline]
 __do_sys_recvmsg net/socket.c:2338 [inline]
 __se_sys_recvmsg net/socket.c:2335 [inline]
 __x64_sys_recvmsg+0x325/0x460 net/socket.c:2335
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x4456c9
RSP: 002b:00007f32213cbda8 EFLAGS: 00000297 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 00000000004456c9
RDX: 0000000000000000 RSI: 00000000200004c0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dac20
R13: 0000000020000500 R14: 0100000000000000 R15: 0000000000000001

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:271 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:581
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:483
 ip6_datagram_recv_specific_ctl+0x1c3e/0x1eb0 net/ipv6/datagram.c:713
 ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
 rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
 sock_common_recvmsg+0x173/0x280 net/core/sock.c:3023
 sock_recvmsg_nosec net/socket.c:802 [inline]
 sock_recvmsg+0x1d6/0x230 net/socket.c:809
 ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
 __sys_recvmsg net/socket.c:2328 [inline]
 __do_sys_recvmsg net/socket.c:2338 [inline]
 __se_sys_recvmsg net/socket.c:2335 [inline]
 __x64_sys_recvmsg+0x325/0x460 net/socket.c:2335
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:181
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan_hooks.c:91
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:100
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb35/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 __ip6_append_data+0x364d/0x4fb0 net/ipv6/ip6_output.c:1434
 ip6_append_data+0x40e/0x6b0 net/ipv6/ip6_output.c:1597
 rawv6_sendmsg+0x2756/0x4fc0 net/ipv6/raw.c:928
 inet_sendmsg+0x3fc/0x760 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Bytes 2-3 of 24 are uninitialized
Memory access starts at ffff88019620f8a8
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/07/07 04:26 https://github.com/google/kmsan.git master a00de5aa4da3 6c0c0099 .config console log report syz C ci-upstream-kmsan-gce
2018/06/28 00:20 https://github.com/google/kmsan.git master 123906095e30 43e60f7e .config console log report syz C ci-upstream-kmsan-gce
2018/06/27 18:51 https://github.com/google/kmsan.git master 123906095e30 43e60f7e .config console log report ci-upstream-kmsan-gce
* Struck through repros no longer work on HEAD.