syzbot


KMSAN: kernel-infoleak in v4l2_compat_put_array_args

Status: upstream: reported on 2022/01/18 19:07
Reported-by: syzbot+ff18193ff05f3f87f226@syzkaller.appspotmail.com
Fix commit: 4e768c8e34e6 media: v4l2-compat-ioctl32.c: zero buffer passed to v4l2_compat_get_array_args()
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 386d, last: 81d
similar bugs (1):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: slab-out-of-bounds Read in v4l2_compat_put_array_args | | | | 1 | 508d | 504d | 0/24 | auto-closed as invalid on 2022/01/14 21:11

Sample crash report:
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
 copy_to_user include/linux/uaccess.h:209 [inline]
 v4l2_compat_put_array_args+0x155a/0x1670 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1152
 video_usercopy+0x2332/0x2870 drivers/media/v4l2-core/v4l2-ioctl.c:3343
 video_ioctl2+0x9f/0xb0 drivers/media/v4l2-core/v4l2-ioctl.c:3373
 v4l2_ioctl+0x263/0x290 drivers/media/v4l2-core/v4l2-dev.c:364
 v4l2_compat_ioctl32+0x384/0x410 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1251
 __do_compat_sys_ioctl fs/ioctl.c:972 [inline]
 __se_compat_sys_ioctl+0x876/0x1150 fs/ioctl.c:914
 __ia32_compat_sys_ioctl+0xd9/0x110 fs/ioctl.c:914
 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
 __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3247 [inline]
 __kmalloc_node+0xe03/0x14f0 mm/slub.c:4486
 kmalloc_node include/linux/slab.h:604 [inline]
 kvmalloc_node+0x1b6/0x3a0 mm/util.c:580
 kvmalloc include/linux/slab.h:732 [inline]
 video_usercopy+0x1660/0x2870 drivers/media/v4l2-core/v4l2-ioctl.c:3307
 video_ioctl2+0x9f/0xb0 drivers/media/v4l2-core/v4l2-ioctl.c:3373
 v4l2_ioctl+0x263/0x290 drivers/media/v4l2-core/v4l2-dev.c:364
 v4l2_compat_ioctl32+0x384/0x410 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1251
 __do_compat_sys_ioctl fs/ioctl.c:972 [inline]
 __se_compat_sys_ioctl+0x876/0x1150 fs/ioctl.c:914
 __ia32_compat_sys_ioctl+0xd9/0x110 fs/ioctl.c:914
 do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
 __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
 do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Bytes 0-7 of 16 are uninitialized
Memory access of size 16 starts at ffff888018d45558
Data copied to user address 0000000020000214

CPU: 0 PID: 7268 Comm: syz-executor.2 Tainted: G        W         5.17.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================
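The report above shows the pattern behind this bug: video_usercopy() obtains the array buffer with kvmalloc(), which does not clear memory ("Uninit was created at" points at that call); the compat conversion fills only part of it; v4l2_compat_put_array_args() then copy_to_user()s bytes that were never written ("Bytes 0-7 of 16 are uninitialized"). The following user-space C program is an added illustration of that pattern and of the fix named in the fix commit's title, not code from the kernel or from syzbot. The struct layouts (ctrl_compat, ctrl_native), the converter's choice of which fields to fill, sim_kvmalloc() with its STALE_BYTE fill, and every helper name are assumptions chosen to make the leak countable; copy_from_user()/copy_to_user() are modelled as plain memory copies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layouts of one array element as a 32-bit caller passes it and
 * as the 64-bit kernel side stores it. Stand-ins for the real v4l2 structures,
 * chosen so that widening leaves some bytes unwritten. */
struct ctrl_compat {            /* 32-bit user layout, 8 bytes */
    uint32_t id;
    int32_t  value;
};

struct ctrl_native {            /* kernel layout, 16 bytes */
    uint32_t id;
    uint32_t reserved;          /* never written by the converter */
    union {
        int32_t value;          /* converter writes only these 4 bytes */
        int64_t value64;        /* copy-out sends all 8 */
    } u;
};

#define STALE_BYTE 0xAA         /* models leftover contents of recycled slab memory */

/* Simulated kvmalloc(): memory is not cleared; pre-filling it with STALE_BYTE
 * makes any leak countable in this user-space model. */
static void *sim_kvmalloc(size_t size)
{
    void *p = malloc(size);
    if (p)
        memset(p, STALE_BYTE, size);
    return p;
}

/* Simulated compat get_array_args(): widen each element into the kernel
 * buffer, filling only the fields the converter knows about. */
static void get_array_args(struct ctrl_native *kbuf,
                           const struct ctrl_compat *ubuf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        kbuf[i].id = ubuf[i].id;
        kbuf[i].u.value = ubuf[i].value;
        /* kbuf[i].reserved and the other half of value64 keep whatever the
         * allocator handed out */
    }
}

/* Simulated compat put_array_args(): copy the whole element array back to
 * user space as raw bytes, the way copy_to_user() would. */
static void put_array_args(uint8_t *ubuf, const struct ctrl_native *kbuf, size_t n)
{
    memcpy(ubuf, kbuf, n * sizeof(*kbuf));
}

/* One compat ioctl round trip through a simulated video_usercopy() path.
 * zero_first == false reproduces the reported pattern; zero_first == true
 * zeroes the buffer before the converter fills it, as the fix commit's title
 * describes. Returns the number of stale bytes that reached the user buffer,
 * or -1 on allocation failure. */
static long simulate_ioctl(const struct ctrl_compat *uin, size_t n, bool zero_first)
{
    size_t array_size = n * sizeof(struct ctrl_native);
    struct ctrl_native *mbuf = sim_kvmalloc(array_size);
    uint8_t *uout = calloc(array_size, 1);
    long leaked = 0;

    if (!mbuf || !uout) {
        free(mbuf);
        free(uout);
        return -1;
    }
    if (zero_first)
        memset(mbuf, 0, array_size);   /* the fix; kvzalloc() would do the same */

    get_array_args(mbuf, uin, n);
    /* a driver would operate on mbuf here; omitted */
    put_array_args(uout, mbuf, n);

    for (size_t i = 0; i < array_size; i++)
        if (uout[i] == STALE_BYTE)
            leaked++;

    free(mbuf);
    free(uout);
    return leaked;
}

/* Constructed sample input: two controls whose bytes never equal STALE_BYTE,
 * so every STALE_BYTE in the output is a leak. */
static long demo_leak(bool zero_first)
{
    const struct ctrl_compat uin[2] = { { .id = 1, .value = 7 }, { .id = 2, .value = -1 } };
    return simulate_ioctl(uin, 2, zero_first);
}

int main(void)
{
    printf("unfixed: %ld stale bytes reach user space\n", demo_leak(false));
    printf("fixed:   %ld stale bytes reach user space\n", demo_leak(true));
    return 0;
}
```

The unfixed path reports 16 stale bytes for the two elements (8 of each 16-byte element: the reserved field and the unwritten half of the union); the zeroed path reports 0. In the kernel, KMSAN is what catches the unfixed path: it tracks the uninitialized bits from the kvmalloc() in the "Uninit was created at" trace to the copy_to_user() that exports them. Zeroing the whole buffer before the converter runs (memset() or kvzalloc()) is the robust fix, because the converter cannot know which bytes a later copy-out will export. Note that zeroing does nothing for the similar KASAN slab-out-of-bounds Read listed on this page, which is a read past the allocation in the same copy-out function; that needs the element count bounded against array_size, not a cleared buffer.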

Crashes (8):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title
ci-upstream-kmsan-gce-386 | 2022/02/18 21:37 | https://github.com/google/kmsan.git master | 724946410067 | 3cd800e4 | .config | console log | report | | | info | | KMSAN: kernel-infoleak in v4l2_compat_put_array_args
ci-upstream-kmsan-gce-386 | 2022/02/17 03:43 | https://github.com/google/kmsan.git master | 85cfd6e539bd | 2bea8a27 | .config | console log | report | | | info | | KMSAN: kernel-infoleak in v4l2_compat_put_array_args
ci-upstream-kmsan-gce-386 | 2022/01/17 15:24 | https://github.com/google/kmsan.git master | fa3879a274df | 731a2d23 | .config | console log | report | | | info | | KMSAN: kernel-infoleak in v4l2_compat_put_array_args
ci-upstream-kasan-gce-386 | 2022/11/12 18:00 | upstream | 8f2975c2bb4c | 3ead01ad | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: slab-out-of-bounds Read in v4l2_compat_put_array_args
ci-upstream-kasan-gce-386 | 2022/11/03 10:52 | upstream | b229b6ca5abb | 7a2ebf95 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: slab-out-of-bounds Read in v4l2_compat_put_array_args
ci-upstream-kasan-gce-386 | 2022/11/01 06:26 | upstream | b229b6ca5abb | a1d8560a | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KASAN: slab-out-of-bounds Read in v4l2_compat_put_array_args
ci-upstream-kmsan-gce-386 | 2022/11/18 18:42 | https://github.com/google/kmsan.git master | cb231e2f67ec | 5bb70014 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KMSAN: uninit-value in deactivate_slab
ci-upstream-kmsan-gce-386 | 2022/10/28 09:48 | https://github.com/google/kmsan.git master | be8b0d020631 | 86777b7f | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | KMSAN: uninit-value in ib_free_port_attrs