syzbot


KMSAN: kernel-infoleak in vmci_host_unlocked_ioctl (2)

Status: upstream: reported C repro on 2022/09/28 20:43
Reported-by: syzbot+39be4da489ed2493ba25@syzkaller.appspotmail.com
Fix commit: e5b0d06d9b10 misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce]
First crash: 62d, last: 62d
similar bugs (1):
Kernel   | Title                                                   | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
---------|---------------------------------------------------------|-------|--------------|------------|-------|------|----------|---------|---------------------------
upstream | KMSAN: kernel-infoleak in vmci_host_unlocked_ioctl      | C     |              |            | 22    | 657d | 741d     | 21/24   | fixed on 2021/03/10 01:48

Sample crash report:
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:33
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 _copy_to_user+0xbc/0x100 lib/usercopy.c:33
 copy_to_user include/linux/uaccess.h:169 [inline]
 vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431 [inline]
 vmci_host_unlocked_ioctl+0x1cd3/0x5480 drivers/misc/vmw_vmci/vmci_host.c:925
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl+0x222/0x400 fs/ioctl.c:856
 __x64_sys_ioctl+0x92/0xd0 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was stored to memory at:
 kmemdup+0x89/0xd0 mm/util.c:131
 dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271 [inline]
 vmci_datagram_dispatch+0x4ee/0x13f0 drivers/misc/vmw_vmci/vmci_datagram.c:339
 qp_notify_peer+0x1fe/0x310 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479
 qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662 [inline]
 qp_broker_alloc+0x3370/0x3850 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750
 vmci_qp_broker_alloc+0xdf/0x120 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940
 vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488 [inline]
 vmci_host_unlocked_ioctl+0x3305/0x5480 drivers/misc/vmw_vmci/vmci_host.c:927
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl+0x222/0x400 fs/ioctl.c:856
 __x64_sys_ioctl+0x92/0xd0 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Local variable ev created at:
 qp_notify_peer+0x5a/0x310 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456
 qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662 [inline]
 qp_broker_alloc+0x3370/0x3850 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750

Bytes 28-31 of 48 are uninitialized
Memory access of size 48 starts at ffff88811768de80
Data copied to user address 0000000020000100

CPU: 0 PID: 3489 Comm: syz-executor851 Not tainted 6.0.0-rc5-syzkaller-48540-g466a27efa4f0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
=====================================================

Crashes (2):
Manager               | Time             | Kernel                                    | Commit       | Syzkaller | Config  | Log | Report | Syz repro | C repro | VM info | Title
----------------------|------------------|-------------------------------------------|--------------|-----------|---------|-----|--------|-----------|---------|---------|---------------------------------------------------
ci-upstream-kmsan-gce | 2022/09/28 08:10 | https://github.com/google/kmsan.git master | 466a27efa4f0 | 75c78242  | .config | log | report | syz       | C       |         | KMSAN: kernel-infoleak in vmci_host_unlocked_ioctl
ci-upstream-kmsan-gce | 2022/09/28 06:51 | https://github.com/google/kmsan.git master | 466a27efa4f0 | 75c78242  | .config | log | report |           |         | info    | KMSAN: kernel-infoleak in vmci_host_unlocked_ioctl
* Struck through repros no longer work on HEAD.