Re: [syzbot] KMSAN: uninit-value in video_usercopy (2)

2021-03-16 Thread Hans Verkuil
On 16/03/2021 16:06, Arnd Bergmann wrote:
> On Tue, Mar 16, 2021 at 3:02 PM Dmitry Vyukov  wrote:
>> On Tue, Mar 16, 2021 at 2:56 PM Arnd Bergmann  wrote:
>>> On Tue, Mar 16, 2021 at 11:44 AM Dmitry Vyukov  wrote:
>>>> On Tue, Mar 16, 2021 at 11:18 AM syzbot
>>>>  wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> syzbot found the following issue on:
>>>>>
>>>>> HEAD commit: 29ad81a1 arch/x86: add missing include to sparsemem.h
>>>
>>> This tree seems to be missing fb18802a338b ("media: v4l: ioctl: Fix memory
>>> leak in video_usercopy"), which rewrote that function partly and might
>>> fix the problem.
>>>

>>>> I did not get to the very bottom of this, but I looked at this a bit.
>>>> It seems to be related to some unfortunate interaction of compat
>>>> syscall and CONFIG_COMPAT_32BIT_TIME. It seems that in this case
>>>> nothing at all is copied from userspace because cmd gets messed up or
>>>> something. Perhaps VIDIOC_QUERYBUF is translated into
>>>> VIDIOC_QUERYBUF_TIME32 instead of VIDIOC_QUERYBUF32_TIME32 and then
>>>> this gets into compat syscall path and v4l2_compat_get_user does not
>>>> recognize the command, copies nothing but returns 0.
>>>
>>> User space would be calling VIDIOC_QUERYBUF32_TIME32 here,
>>> if it's built against glibc, though with a musl based user space, you
>>> would get called with VIDIOC_QUERYBUF32.
>>
>> Or somebody fetching somebody else's credit card number will be
>> calling VIDIOC_QUERYBUF_TIME32 directly ;)
> 
> Ah of course, I forgot the ioctl command may already be fuzzed here.
> 
> When I look at
> https://syzkaller.appspot.com/text?tag=CrashLog&x=12bd0e3ad0
> 
> I see 0xc0585609, which would be a VIDIOC_QUERYBUF with
> size=0x58, which is the native ioctl, not the compat one. This
> is something we didn't expect to get passed into the compat ioctl
> handler, but should of course handle gracefully
> 
> If the command we get is the 64-bit version of
> VIDIOC_QUERYBUF_TIME32 (0xc0505609), then it gets converted to
> VIDIOC_QUERYBUF by video_translate_cmd().
> If it's VIDIOC_QUERYBUF, it stays that way.
> 
> It does break down in v4l2_compat_get_user() when we get

Re: [syzbot] KMSAN: uninit-value in video_usercopy (2)

2021-03-16 Thread Arnd Bergmann
On Tue, Mar 16, 2021 at 3:02 PM Dmitry Vyukov  wrote:
> On Tue, Mar 16, 2021 at 2:56 PM Arnd Bergmann  wrote:
> > On Tue, Mar 16, 2021 at 11:44 AM Dmitry Vyukov  wrote:
> > > On Tue, Mar 16, 2021 at 11:18 AM syzbot
> > >  wrote:
> > > >
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit: 29ad81a1 arch/x86: add missing include to sparsemem.h
> >
> > This tree seems to be missing fb18802a338b ("media: v4l: ioctl: Fix memory
> > leak in video_usercopy"), which rewrote that function partly and might
> > fix the problem.
> >
> > >
> > > I did not get to the very bottom of this, but I looked at this a bit.
> > > It seems to be related to some unfortunate interaction of compat
> > > syscall and CONFIG_COMPAT_32BIT_TIME. It seems that in this case
> > > nothing at all is copied from userspace because cmd gets messed up or
> > > something. Perhaps VIDIOC_QUERYBUF is translated into
> > > VIDIOC_QUERYBUF_TIME32 instead of VIDIOC_QUERYBUF32_TIME32 and then
> > > this gets into compat syscall path and v4l2_compat_get_user does not
> > > recognize the command, copies nothing but returns 0.
> >
> > User space would be calling VIDIOC_QUERYBUF32_TIME32 here,
> > if it's built against glibc, though with a musl based user space, you
> > would get called with VIDIOC_QUERYBUF32.
>
> Or somebody fetching somebody else's credit card number will be
> calling VIDIOC_QUERYBUF_TIME32 directly ;)

Ah of course, I forgot the ioctl command may already be fuzzed here.

When I look at
https://syzkaller.appspot.com/text?tag=CrashLog&x=12bd0e3ad0

I see 0xc0585609, which would be a VIDIOC_QUERYBUF with
size=0x58, which is the native ioctl, not the compat one. This
is something we didn't expect to get passed into the compat ioctl
handler, but should of course handle gracefully

If the command we get is the 64-bit version of
VIDIOC_QUERYBUF_TIME32 (0xc0505609), then it gets converted to
VIDIOC_QUERYBUF by video_translate_cmd().
If it's VIDIOC_QUERYBUF, it stays that way.

It does break 
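
Added example, not code from the thread or from the kernel: it decodes the command numbers Arnd quotes above with the asm-generic ioctl layout x86 uses, and shows the size check a compat entry point needs so that a native 64-bit command such as 0xc0585609 is refused with -ENOTTY instead of being reported as handled with nothing copied, which is the failure Dmitry suspected. The buffer-ioctl table, translate_cmd(), compat_copy_in() and the 0x44 size assumed for the 32-bit user layout are illustrations of the behaviour described in the thread, not the kernel's own definitions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* asm-generic ioctl encoding, as used on x86: nr:8 | type:8 | size:14 | dir:2 */
#define IOC_NRSHIFT    0
#define IOC_TYPESHIFT  8
#define IOC_SIZESHIFT  16
#define IOC_DIRSHIFT   30
#define IOC_WRITE      1u
#define IOC_READ       2u

#define IOC(dir, type, nr, size) \
	(((uint32_t)(dir) << IOC_DIRSHIFT) | ((uint32_t)(type) << IOC_TYPESHIFT) | \
	 ((uint32_t)(nr) << IOC_NRSHIFT) | ((uint32_t)(size) << IOC_SIZESHIFT))
#define IOWR(type, nr, size)  IOC(IOC_READ | IOC_WRITE, (type), (nr), (size))

#define IOC_NR(cmd)    (((cmd) >> IOC_NRSHIFT) & 0xffu)
#define IOC_TYPE(cmd)  (((cmd) >> IOC_TYPESHIFT) & 0xffu)
#define IOC_SIZE(cmd)  (((cmd) >> IOC_SIZESHIFT) & 0x3fffu)
#define IOC_DIR(cmd)   (((cmd) >> IOC_DIRSHIFT) & 0x3u)

/* struct v4l2_buffer sizes as encoded in the command numbers quoted in the thread */
#define NATIVE64_BUF_SIZE   0x58u   /* VIDIOC_QUERYBUF        = 0xc0585609 */
#define TIME32_BUF_SIZE     0x50u   /* VIDIOC_QUERYBUF_TIME32 = 0xc0505609 */
/* size of the 32-bit user layout the compat path owns: an assumption for this example */
#define COMPAT32_BUF_SIZE   0x44u

enum layout { LAYOUT_UNKNOWN, LAYOUT_COMPAT32, LAYOUT_NATIVE64, LAYOUT_NATIVE64_TIME32 };

struct ioc_fields { unsigned dir, type, nr, size; };

struct ioc_fields ioc_decode(uint32_t cmd)
{
	struct ioc_fields f = { IOC_DIR(cmd), IOC_TYPE(cmd), IOC_NR(cmd), IOC_SIZE(cmd) };
	return f;
}

/* one of the 'V' ioctls carrying a struct v4l2_buffer: QUERYBUF, QBUF, DQBUF, PREPARE_BUF */
static int is_buffer_ioctl(uint32_t cmd)
{
	if (IOC_TYPE(cmd) != 'V')
		return 0;
	switch (IOC_NR(cmd)) {
	case 9: case 15: case 17: case 93:
		return 1;
	default:
		return 0;
	}
}

/* judge which user layout a buffer ioctl carries purely from its encoded size */
enum layout buffer_layout(uint32_t cmd)
{
	if (!is_buffer_ioctl(cmd))
		return LAYOUT_UNKNOWN;
	switch (IOC_SIZE(cmd)) {
	case COMPAT32_BUF_SIZE:  return LAYOUT_COMPAT32;
	case NATIVE64_BUF_SIZE:  return LAYOUT_NATIVE64;
	case TIME32_BUF_SIZE:    return LAYOUT_NATIVE64_TIME32;
	default:                 return LAYOUT_UNKNOWN;
	}
}

/* model of the translation Arnd describes: the 64-bit _TIME32 variant maps to the native command */
uint32_t translate_cmd(uint32_t cmd)
{
	if (buffer_layout(cmd) == LAYOUT_NATIVE64_TIME32)
		return IOWR('V', IOC_NR(cmd), NATIVE64_BUF_SIZE);
	return cmd;
}

/*
 * Model of a compat copy-in step. The compat path owns only the 32-bit user
 * layout; a command with any other size is refused with -ENOTTY, so the caller
 * can never mistake an untouched kernel buffer for a successfully copied one.
 */
int compat_copy_in(uint32_t cmd, const void *user, size_t user_len,
		   void *kbuf, size_t kbuf_len, size_t *copied)
{
	size_t n = IOC_SIZE(cmd);

	*copied = 0;
	if (buffer_layout(cmd) != LAYOUT_COMPAT32)
		return -ENOTTY;
	if (n > kbuf_len)
		return -EINVAL;
	if (n > user_len)          /* copy_from_user() would fault here */
		return -EFAULT;
	memcpy(kbuf, user, n);
	*copied = n;
	return 0;
}

int main(void)
{
	const uint32_t cmds[] = { 0xc0585609u, 0xc0505609u, 0xc050565du, IOWR('V', 9, COMPAT32_BUF_SIZE) };
	size_t i;

	for (i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++) {
		struct ioc_fields f = ioc_decode(cmds[i]);
		printf("0x%08x: dir=%u type='%c' nr=%u size=0x%x layout=%d -> 0x%08x\n",
		       cmds[i], f.dir, f.type, f.nr, f.size, buffer_layout(cmds[i]), translate_cmd(cmds[i]));
	}
	return 0;
}
```

The third command, 0xc050565d, is the RCX value in the report above; it decodes to nr 93 (VIDIOC_PREPARE_BUF) with the 0x50 _TIME32 size, which is why the trace ends in v4l_prepare_buf.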

Re: [syzbot] KMSAN: uninit-value in video_usercopy (2)

2021-03-16 Thread Dmitry Vyukov
On Tue, Mar 16, 2021 at 2:56 PM Arnd Bergmann  wrote:
>
> On Tue, Mar 16, 2021 at 11:44 AM Dmitry Vyukov  wrote:
> >
> > On Tue, Mar 16, 2021 at 11:18 AM syzbot
> >  wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 29ad81a1 arch/x86: add missing include to sparsemem.h
>
> This tree seems to be missing fb18802a338b ("media: v4l: ioctl: Fix memory
> leak in video_usercopy"), which rewrote that function partly and might
> fix the problem.

As far as I see the bug happens before any of the code changed by
fb18802a338b is invoked.

> >
> > I did not get to the very bottom of this, but I looked at this a bit.
> > It seems to be related to some unfortunate interaction of compat
> > syscall and CONFIG_COMPAT_32BIT_TIME. It seems that in this case
> > nothing at all is copied from userspace because cmd gets messed up or
> > something. Perhaps VIDIOC_QUERYBUF is translated into
> > VIDIOC_QUERYBUF_TIME32 instead of VIDIOC_QUERYBUF32_TIME32 and then
> > this gets into compat syscall path and v4l2_compat_get_user does not
> > recognize the command, copies nothing but returns 0.
>
> User space would be calling VIDIOC_QUERYBUF32_TIME32 here,
> if it's built against glibc, though with a musl based user space, you
> would get called with VIDIOC_QUERYBUF32.
>
> What I notice in get_v4l2_buffer32_time32(), is that we do a full
> copy_from_user() to the stack of this function, and then copy the
> members individually to the output v4l2_buffer structure:
>
> struct v4l2_buffer32_time32 vb32;
> if (copy_from_user(&vb32, arg, sizeof(vb32)))
> return -EFAULT;
> *vb = (struct v4l2_buffer) {
> .index  = vb32.index,
> .type   = vb32.type,
> .bytesused  = vb32.bytesused,
> .flags  = vb32.flags,
> .field  = vb32.field,
> .timestamp.tv_sec   = vb32.timestamp.tv_sec,
> .timestamp.tv_usec  = vb32.timestamp.tv_usec,
> .timecode   = vb32.timecode,
> .sequence 

Re: [syzbot] KMSAN: uninit-value in video_usercopy (2)

2021-03-16 Thread Dmitry Vyukov
On Tue, Mar 16, 2021 at 2:56 PM Arnd Bergmann  wrote:
>
> On Tue, Mar 16, 2021 at 11:44 AM Dmitry Vyukov  wrote:
> >
> > On Tue, Mar 16, 2021 at 11:18 AM syzbot
> >  wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 29ad81a1 arch/x86: add missing include to sparsemem.h
>
> This tree seems to be missing fb18802a338b ("media: v4l: ioctl: Fix memory
> leak in video_usercopy"), which rewrote that function partly and might
> fix the problem.
>
> >
> > I did not get to the very bottom of this, but I looked at this a bit.
> > It seems to be related to some unfortunate interaction of compat
> > syscall and CONFIG_COMPAT_32BIT_TIME. It seems that in this case
> > nothing at all is copied from userspace because cmd gets messed up or
> > something. Perhaps VIDIOC_QUERYBUF is translated into
> > VIDIOC_QUERYBUF_TIME32 instead of VIDIOC_QUERYBUF32_TIME32 and then
> > this gets into compat syscall path and v4l2_compat_get_user does not
> > recognize the command, copies nothing but returns 0.
>
> User space would be calling VIDIOC_QUERYBUF32_TIME32 here,
> if it's built against glibc, though with a musl based user space, you
> would get called with VIDIOC_QUERYBUF32.

Or somebody fetching somebody else's credit card number will be
calling VIDIOC_QUERYBUF_TIME32 directly ;)

> What I notice in get_v4l2_buffer32_time32(), is that we do a full
> copy_from_user() to the stack of this function, and then copy the
> members individually to the output v4l2_buffer structure:
>
> struct v4l2_buffer32_time32 vb32;
> if (copy_from_user(&vb32, arg, sizeof(vb32)))
> return -EFAULT;
> *vb = (struct v4l2_buffer) {
> .index  = vb32.index,
> .type   = vb32.type,
> .bytesused  = vb32.bytesused,
> .flags  = vb32.flags,
> .field  = vb32.field,
> .timestamp.tv_sec   = vb32.timestamp.tv_sec,
> .timestamp.tv_usec  = vb32.timestamp.tv_usec,
> .timecode   = vb32.timecode,
>   

Re: [syzbot] KMSAN: uninit-value in video_usercopy (2)

2021-03-16 Thread Arnd Bergmann
On Tue, Mar 16, 2021 at 11:44 AM Dmitry Vyukov  wrote:
>
> On Tue, Mar 16, 2021 at 11:18 AM syzbot
>  wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 29ad81a1 arch/x86: add missing include to sparsemem.h

This tree seems to be missing fb18802a338b ("media: v4l: ioctl: Fix memory
leak in video_usercopy"), which rewrote that function partly and might
fix the problem.

>
> I did not get to the very bottom of this, but I looked at this a bit.
> It seems to be related to some unfortunate interaction of compat
> syscall and CONFIG_COMPAT_32BIT_TIME. It seems that in this case
> nothing at all is copied from userspace because cmd gets messed up or
> something. Perhaps VIDIOC_QUERYBUF is translated into
> VIDIOC_QUERYBUF_TIME32 instead of VIDIOC_QUERYBUF32_TIME32 and then
> this gets into compat syscall path and v4l2_compat_get_user does not
> recognize the command, copies nothing but returns 0.

User space would be calling VIDIOC_QUERYBUF32_TIME32 here,
if it's built against glibc, though with a musl based user space, you
would get called with VIDIOC_QUERYBUF32.

What I notice in get_v4l2_buffer32_time32(), is that we do a full
copy_from_user() to the stack of this function, and then copy the
members individually to the output v4l2_buffer structure:

struct v4l2_buffer32_time32 vb32;
if (copy_from_user(&vb32, arg, sizeof(vb32)))
return -EFAULT;
*vb = (struct v4l2_buffer) {
.index  = vb32.index,
.type   = vb32.type,
.bytesused  = vb32.bytesused,
.flags  = vb32.flags,
.field  = vb32.field,
.timestamp.tv_sec   = vb32.timestamp.tv_sec,
.timestamp.tv_usec  = vb32.timestamp.tv_usec,
.timecode   = vb32.timecode,
.sequence   = vb32.sequence,
.memory = vb32.memory,
.m.offset   = vb32.m.offset,
.length = vb32.length,
.request_fd = vb32.request_fd,
};

This struct assignment will however leave any padding
fields uninitialized. There is padding between 
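
Added example, not kernel code, for the padding problem Arnd describes above and for the 2020 report at the end of this page, whose "Bytes 52-55 of 80 are uninitialized" is exactly such a hole: a model of the 80-byte buffer with 32-bit time fields, built from the field order in the quoted code, is poisoned to stand in for stale kernel stack contents, filled three ways, and inspected for padding bytes that a following copy_to_user() of the whole object would disclose. The struct is a model rather than the kernel's definition; its offsets are those of x86-64 (LP64), pinned with _Alignas so the layout reproduces on other targets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-byte timecode sub-struct, modelled after the fields in the quoted code */
struct timecode_model {
	uint32_t type, flags;
	uint8_t frames, seconds, minutes, hours;
	uint8_t userbits[4];
};

/* model of the 80-byte buffer with 32-bit time fields; offsets are LP64 */
struct buf_time32_model {
	uint32_t index, type, bytesused, flags, field;     /* 0..19 */
	struct { int32_t tv_sec, tv_usec; } timestamp;     /* 20..27 */
	struct timecode_model timecode;                    /* 28..43 */
	uint32_t sequence;                                 /* 44..47 */
	uint32_t memory;                                   /* 48..51 */
	/* hole 52..55: the union below is 8-byte aligned */
	union { uint32_t offset; _Alignas(8) uint64_t userptr; int32_t fd; } m; /* 56..63 */
	uint32_t length;                                   /* 64..67 */
	uint32_t reserved2;                                /* 68..71 */
	int32_t request_fd;                                /* 72..75 */
	/* hole 76..79: tail padding rounds the size up to a multiple of 8 */
};

#define POISON 0xAA   /* stands in for whatever the kernel stack held before */

/* the pattern from the quoted kernel code: one compound-literal assignment */
static void fill_compound_literal(struct buf_time32_model *vb)
{
	*vb = (struct buf_time32_model) {
		.index = 1, .type = 1, .sequence = 7, .memory = 1,
		.m.offset = 0x1000, .length = 4096, .request_fd = -1,
	};
}

/* the same content written member by member through the pointer */
static void fill_fieldwise(struct buf_time32_model *vb)
{
	vb->index = 1; vb->type = 1; vb->bytesused = 0; vb->flags = 0; vb->field = 0;
	vb->timestamp.tv_sec = 0; vb->timestamp.tv_usec = 0;
	memset(&vb->timecode, 0, sizeof(vb->timecode));
	vb->sequence = 7; vb->memory = 1; vb->m.offset = 0x1000;
	vb->length = 4096; vb->reserved2 = 0; vb->request_fd = -1;
}

/* hardened variant: clear every byte, padding included, then fill the members */
static void fill_zeroed(struct buf_time32_model *vb)
{
	memset(vb, 0, sizeof(*vb));
	fill_fieldwise(vb);
}

/* does byte offset `off` fall into one of the two holes derived from the layout? */
static int is_padding(size_t off)
{
	size_t h1_lo = offsetof(struct buf_time32_model, memory) + sizeof(uint32_t);
	size_t h1_hi = offsetof(struct buf_time32_model, m);
	size_t h2_lo = offsetof(struct buf_time32_model, request_fd) + sizeof(int32_t);
	size_t h2_hi = sizeof(struct buf_time32_model);

	return (off >= h1_lo && off < h1_hi) || (off >= h2_lo && off < h2_hi);
}

/* total padding bytes in the model (8 on LP64) */
size_t padding_size(void)
{
	size_t off, n = 0;

	for (off = 0; off < sizeof(struct buf_time32_model); off++)
		n += is_padding(off);
	return n;
}

/*
 * Poison an object, run `fill` on it, and count padding bytes that still hold
 * the poison: those are what a copy_to_user() of the whole object would leak.
 * `first` receives the lowest leaked offset, or the object size if none leaked.
 */
size_t leaked_padding(void (*fill)(struct buf_time32_model *), size_t *first)
{
	union {
		struct buf_time32_model vb;
		unsigned char raw[sizeof(struct buf_time32_model)];
	} u;
	size_t off, n = 0;

	memset(u.raw, POISON, sizeof(u.raw));
	fill(&u.vb);
	*first = sizeof(u.raw);
	for (off = 0; off < sizeof(u.raw); off++) {
		if (!is_padding(off) || u.raw[off] != POISON)
			continue;
		if (n++ == 0)
			*first = off;
	}
	return n;
}

int main(void)
{
	size_t first, n;

	printf("sizeof=%zu padding=%zu\n", sizeof(struct buf_time32_model), padding_size());
	n = leaked_padding(fill_compound_literal, &first);
	printf("compound literal: %zu padding bytes untouched, first at %zu (compiler-dependent)\n", n, first);
	n = leaked_padding(fill_fieldwise, &first);
	printf("member by member: %zu padding bytes untouched, first at %zu\n", n, first);
	n = leaked_padding(fill_zeroed, &first);
	printf("memset first:     %zu padding bytes untouched\n", n);
	return 0;
}
```

The C standard leaves the padding bytes of an assigned or initialised struct unspecified, so the compound-literal and member-by-member counts depend on the compiler and optimisation level; only the memset variant is guaranteed to report 0, which is why zeroing the whole object before filling it (or copying it out field by field) is the safe pattern for anything that later goes through copy_to_user().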

Re: [syzbot] KMSAN: uninit-value in video_usercopy (2)

2021-03-16 Thread Dmitry Vyukov
On Tue, Mar 16, 2021 at 11:18 AM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 29ad81a1 arch/x86: add missing include to sparsemem.h
> git tree:   https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=102502dcd0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=8b976581f6bd1e7d
> dashboard link: https://syzkaller.appspot.com/bug?extid=142888ffec98ab194028
> compiler:   Debian clang version 11.0.1-2
> userspace arch: i386
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+142888ffec98ab194...@syzkaller.appspotmail.com
>

[syzbot] KMSAN: uninit-value in video_usercopy (2)

2021-03-16 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit: 29ad81a1 arch/x86: add missing include to sparsemem.h
git tree:   https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=102502dcd0
kernel config:  https://syzkaller.appspot.com/x/.config?x=8b976581f6bd1e7d
dashboard link: https://syzkaller.appspot.com/bug?extid=142888ffec98ab194028
compiler:   Debian clang version 11.0.1-2
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+142888ffec98ab194...@syzkaller.appspotmail.com

=
BUG: KMSAN: uninit-value in check_array_args 
drivers/media/v4l2-core/v4l2-ioctl.c:3041 [inline]
BUG: KMSAN: uninit-value in video_usercopy+0x1631/0x3d30 
drivers/media/v4l2-core/v4l2-ioctl.c:3315
CPU: 0 PID: 19595 Comm: syz-executor.4 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:120
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 check_array_args drivers/media/v4l2-core/v4l2-ioctl.c:3041 [inline]
 video_usercopy+0x1631/0x3d30 drivers/media/v4l2-core/v4l2-ioctl.c:3315
 video_ioctl2+0x9f/0xb0 drivers/media/v4l2-core/v4l2-ioctl.c:3391
 v4l2_ioctl+0x255/0x290 drivers/media/v4l2-core/v4l2-dev.c:360
 v4l2_compat_ioctl32+0x2c6/0x370 
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1248
 __do_compat_sys_ioctl fs/ioctl.c:842 [inline]
 __se_compat_sys_ioctl+0x53d/0x1100 fs/ioctl.c:793
 __ia32_compat_sys_ioctl+0x4a/0x70 fs/ioctl.c:793
 do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]
 __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141
 do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166
 do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7fec549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 
03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 
8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:f55e65fc EFLAGS: 0296 ORIG_RAX: 0036
RAX: ffda RBX: 0003 RCX: c050565d
RDX:  RSI:  RDI: 
RBP:  R08:  R09: 
R10:  R11:  R12: 
R13:  R14:  R15: 

Local variable sbuf@video_usercopy created at:
 video_usercopy+0xaa/0x3d30 drivers/media/v4l2-core/v4l2-ioctl.c:3285
 video_usercopy+0xaa/0x3d30 drivers/media/v4l2-core/v4l2-ioctl.c:3285
=
=
BUG: KMSAN: uninit-value in check_fmt+0x864/0x1070 
drivers/media/v4l2-core/v4l2-ioctl.c:963
CPU: 0 PID: 19595 Comm: syz-executor.4 Tainted: GB 
5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:120
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 check_fmt+0x864/0x1070 drivers/media/v4l2-core/v4l2-ioctl.c:963
 v4l_prepare_buf+0xbf/0x1d0 drivers/media/v4l2-core/v4l2-ioctl.c:2107
 __video_do_ioctl+0x15cd/0x1d20 drivers/media/v4l2-core/v4l2-ioctl.c:2993
 video_usercopy+0x2313/0x3d30 drivers/media/v4l2-core/v4l2-ioctl.c:3345
 video_ioctl2+0x9f/0xb0 drivers/media/v4l2-core/v4l2-ioctl.c:3391
 v4l2_ioctl+0x255/0x290 drivers/media/v4l2-core/v4l2-dev.c:360
 v4l2_compat_ioctl32+0x2c6/0x370 
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1248
 __do_compat_sys_ioctl fs/ioctl.c:842 [inline]
 __se_compat_sys_ioctl+0x53d/0x1100 fs/ioctl.c:793
 __ia32_compat_sys_ioctl+0x4a/0x70 fs/ioctl.c:793
 do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]
 __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141
 do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166
 do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7fec549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 
03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 
8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:f55e65fc EFLAGS: 0296 ORIG_RAX: 0036
RAX: ffda RBX: 0003 RCX: c050565d
RDX:  RSI:  RDI: 
RBP:  R08:  R09: 
R10:  R11:  R12: 
R13: 

KMSAN: uninit-value in video_usercopy

2020-07-21 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit: 14525656 compiler.h: reinstate missing KMSAN_INIT
git tree:   https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=15be838090
kernel config:  https://syzkaller.appspot.com/x/.config?x=c534a9fad6323722
dashboard link: https://syzkaller.appspot.com/bug?extid=79d751604cb6f29fbf59
compiler:   clang version 10.0.0 (https://github.com/llvm/llvm-project/ 
c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17eb93d090
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=116da33b10

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+79d751604cb6f29fb...@syzkaller.appspotmail.com

=
BUG: KMSAN: uninit-value in kmsan_check_memory+0xd/0x10 
mm/kmsan/kmsan_hooks.c:428
CPU: 0 PID: 8471 Comm: syz-executor794 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1df/0x240 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
 kmsan_check_memory+0xd/0x10 mm/kmsan/kmsan_hooks.c:428
 instrument_copy_to_user include/linux/instrumented.h:91 [inline]
 _copy_to_user+0x100/0x1d0 lib/usercopy.c:30
 copy_to_user include/linux/uaccess.h:161 [inline]
 video_put_user drivers/media/v4l2-core/v4l2-ioctl.c:3226 [inline]
 video_usercopy+0x248a/0x2c00 drivers/media/v4l2-core/v4l2-ioctl.c:3325
 video_ioctl2+0x9f/0xb0 drivers/media/v4l2-core/v4l2-ioctl.c:3335
 v4l2_ioctl+0x23f/0x270 drivers/media/v4l2-core/v4l2-dev.c:360
 vfs_ioctl fs/ioctl.c:48 [inline]
 ksys_ioctl fs/ioctl.c:753 [inline]
 __do_sys_ioctl fs/ioctl.c:762 [inline]
 __se_sys_ioctl+0x2e9/0x410 fs/ioctl.c:760
 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:760
 do_syscall_64+0xb0/0x150 arch/x86/entry/common.c:386
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x444009
Code: Bad RIP value.
RSP: 002b:7ffd83706aa8 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 004002e0 RCX: 00444009
RDX: 2100 RSI: c0505611 RDI: 0003
RBP: 006ce018 R08: 004002e0 R09: 004002e0
R10:  R11: 0246 R12: 00401c90
R13: 00401d20 R14:  R15: 

Local variable vb32.i@video_usercopy created at:
 video_put_user drivers/media/v4l2-core/v4l2-ioctl.c:3210 [inline]
 video_usercopy+0x20bd/0x2c00 drivers/media/v4l2-core/v4l2-ioctl.c:3325
 video_put_user drivers/media/v4l2-core/v4l2-ioctl.c:3210 [inline]
 video_usercopy+0x20bd/0x2c00 drivers/media/v4l2-core/v4l2-ioctl.c:3325

Bytes 52-55 of 80 are uninitialized
Memory access of size 80 starts at a41d80dcfce0
=


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches