KMSAN: kernel-infoleak in sctp_getsockopt (3)

2019-03-28 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
git tree:   kmsan
console output: https://syzkaller.appspot.com/x/log.txt?x=107d3c7d20
kernel config:  https://syzkaller.appspot.com/x/.config?x=a5675814e8eae69e
dashboard link: https://syzkaller.appspot.com/bug?extid=86b5c7c236a22616a72f
compiler:   clang version 8.0.0 (trunk 350509)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1252834d20

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+86b5c7c236a22616a...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
8021q: adding VLAN 0 to HW filter on device batadv0
==
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
 kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 copy_to_user include/linux/uaccess.h:174 [inline]
 sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
 sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
 __sys_getsockopt+0x489/0x550 net/socket.c:1938
 __do_sys_getsockopt net/socket.c:1949 [inline]
 __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
 __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x458209
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00

RSP: 002b:7fdbef191c78 EFLAGS: 0246 ORIG_RAX: 0037
RAX: ffda RBX: 0005 RCX: 00458209
RDX: 006c RSI: 0084 RDI: 0004
RBP: 0073bf00 R08: 2300 R09: 
R10: 2280 R11: 0246 R12: 7fdbef1926d4
R13: 004c96c8 R14: 004d0310 R15: 

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
 kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
 kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
 __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
 sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
 sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
 __sys_getsockopt+0x489/0x550 net/socket.c:1938
 __do_sys_getsockopt net/socket.c:1949 [inline]
 __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
 __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
 kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
 kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
 __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
 sctp_transport_init net/sctp/transport.c:61 [inline]
 sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
 sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
 sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
 sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
 sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
 sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
 sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
 sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
 sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
 sk_backlog_rcv include/net/sock.h:936 [inline]
 __release_sock+0x281/0x5f0 net/core/sock.c:2284
 release_sock+0x99/0x2a0 net/core/sock.c:2800
 sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
 sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
 sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
 inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg net/socket.c:632 [inline]
 ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:

Re: KMSAN: kernel-infoleak in sctp_getsockopt

2019-01-14 Thread Dmitry Vyukov
> > > > > > > 0037
> > > > > > > RAX: ffda RBX: 0005 RCX: 00457569
> > > > > > > RDX: 006d RSI: 0084 RDI: 0003
> > > > > > > RBP: 0072bf00 R08: 2140 R09: 
> > > > > > > R10: 20001100 R11: 0246 R12: 7f49918876d4
> > > > > > > R13: 004c7d88 R14: 004ce348 R15: 
> > > > > > >
> > > > > > > Uninit was stored to memory at:
> > > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > > > >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> > > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > > > >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> > > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > >
> > > > > > > Uninit was stored to memory at:
> > > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > > > >   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
> > > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > > > >   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
> > > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > >
> > > > > > > Uninit was created at:
> > > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > > >   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
> > > > > > >   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
> > > > > > >   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
> > > > > > >   kmalloc include/linux/slab.h:551 [inline]
> > > > > > >   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
> > > > > > >   notifier_call_chain kernel/notifier.c:93 [inline]
> > > > > > >   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> > > > > > >   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
> > > > > > >   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
> > > > > > >   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
> > > > > > >   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
> > > > > > >   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
> > > > > > >   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlin

KMSAN: kernel-infoleak in sctp_getsockopt (2)

2019-01-14 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:    02f2d5aea531 kmsan: (presumably) fix dma_map_page_attrs()
git tree:   kmsan
console output: https://syzkaller.appspot.com/x/log.txt?x=164291d8c0
kernel config:  https://syzkaller.appspot.com/x/.config?x=52c9737ec5618f82
dashboard link: https://syzkaller.appspot.com/bug?extid=ae0c70c0c2d40c51bb92
compiler:   clang version 8.0.0 (trunk 350509)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1753eaf740
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11b22a3740

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ae0c70c0c2d40c51b...@syzkaller.appspotmail.com

==
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10740 Comm: syz-executor064 Not tainted 5.0.0-rc1+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
 kmsan_internal_check_memory+0x465/0xb10 mm/kmsan/kmsan.c:663
 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 copy_to_user include/linux/uaccess.h:174 [inline]
 sctp_getsockopt_local_addrs net/sctp/socket.c:6056 [inline]
 sctp_getsockopt+0x1309a/0x17f70 net/sctp/socket.c:7566
 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
 __sys_getsockopt+0x489/0x550 net/socket.c:1939
 __do_sys_getsockopt net/socket.c:1950 [inline]
 __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
 __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x445679
Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00

RSP: 002b:7fa7633b9db8 EFLAGS: 0246 ORIG_RAX: 0037
RAX: ffda RBX: 006dac38 RCX: 00445679
RDX: 006d RSI: 0084 RDI: 0004
RBP: 006dac30 R08: 20c0 R09: 
R10: 2200 R11: 0246 R12: 006dac3c
R13: 7ffc3e29873f R14: 7fa7633ba9c0 R15: 006dad2c

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
 kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
 kmsan_memcpy_memmove_metadata+0xcf2/0xf10 mm/kmsan/kmsan.c:304
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
 __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
 sctp_copy_laddrs net/sctp/socket.c:5959 [inline]
 sctp_getsockopt_local_addrs net/sctp/socket.c:6025 [inline]
 sctp_getsockopt+0x13887/0x17f70 net/sctp/socket.c:7566
 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
 __sys_getsockopt+0x489/0x550 net/socket.c:1939
 __do_sys_getsockopt net/socket.c:1950 [inline]
 __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
 __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
 kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
 kmsan_memcpy_memmove_metadata+0xcf2/0xf10 mm/kmsan/kmsan.c:304
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
 __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
 sctp_copy_laddrs net/sctp/socket.c:5948 [inline]
 sctp_getsockopt_local_addrs net/sctp/socket.c:6025 [inline]
 sctp_getsockopt+0x13733/0x17f70 net/sctp/socket.c:7566
 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
 __sys_getsockopt+0x489/0x550 net/socket.c:1939
 __do_sys_getsockopt net/socket.c:1950 [inline]
 __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
 __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
 kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:159
 kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
 kmem_cache_alloc_trace+0x55d/0xb40 mm/slub.c:2784
 kmalloc include/linux/slab.h:545 [inline]
 sctp_inetaddr_event+0x47b/0xa90 net/sctp/protocol.c:779
 notifier_call_chain kernel/notifier.c:93 [inline]
 __blocking_notifier_call_chain kernel/notifier.c:317 [inline]
 blocking_notifier_call_chain+0x1a5/0x2f0 kernel/notifier.c:328
 __inet_insert_ifa+0xfaa/0x1200 net/ipv4/devinet.c:529
 inet_insert_ifa net/ipv4/devinet.c:536 [inline]
 inetdev_event+0x1ced/0x1d80 net/ipv4/devinet.c:1520
 notifier_call_chain kernel/notifier.c:93 [inline]
 __raw_notifier_call_chain k

Re: KMSAN: kernel-infoleak in sctp_getsockopt

2019-01-14 Thread Alexander Potapenko
On Mon, Jan 14, 2019 at 10:56 AM Xin Long  wrote:
>
> On Mon, Jan 14, 2019 at 5:34 PM Alexander Potapenko  wrote:
> >
> > On Mon, Dec 10, 2018 at 9:56 AM Xin Long  wrote:
> > >
> > > On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner wrote:
> > > >
> > > > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > > > On Wed, Dec 5, 2018 at 8:31 PM syzbot wrote:
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > > HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> > > > > > > git tree:       https://github.com/google/kmsan.git/master
> > > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a4740
> > > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> > > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> > > > > > > compiler:       clang version 8.0.0 (trunk 343298)
> > > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd22540
> > > > > >
> > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > > Reported-by: syzbot+ad5d327e6936a2e28...@syzkaller.appspotmail.com
> > > > > >
> > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > ==
> > > > > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > > > > CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> > > > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > > > > Call Trace:
> > > > > >   __dump_stack lib/dump_stack.c:77 [inline]
> > > > > >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> > > > > >   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
> > > > > >   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
> > > > > >   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
> > > > > >   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > > >   copy_to_user include/linux/uaccess.h:183 [inline]
> > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
> > > > > >   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
> > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > RIP: 0033:0x457569
> > > > > > > Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > > > > RSP: 002b:7f4991886c78 EFLAGS: 0246 ORIG_RAX: 0037
> > > > > > RAX: ffda RBX: 0005 RCX: 00457569
> > > > > > RDX: 006d RSI: 0084 RDI: 0003
> > > > > > RBP: 0072bf00 R08: 2140 R09: 
> > > > > > R10: 20001100 R11: 0246 R12: 7f49918876d4
> > > > > > R13: 004c7d88 R14: 004ce348 R15: 
> > > > > >
> > > > > > Uninit was stored to memory at:
> > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > > >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > > >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > >
> > > > > > Uninit was stored to memory at:
> > > > > >   kmsan_s

Re: KMSAN: kernel-infoleak in sctp_getsockopt

2019-01-14 Thread Xin Long
On Mon, Jan 14, 2019 at 5:34 PM Alexander Potapenko  wrote:
>
> On Mon, Dec 10, 2018 at 9:56 AM Xin Long  wrote:
> >
> > On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner wrote:
> > >
> > > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > > On Wed, Dec 5, 2018 at 8:31 PM syzbot wrote:

Re: KMSAN: kernel-infoleak in sctp_getsockopt

2019-01-14 Thread Alexander Potapenko
On Mon, Dec 10, 2018 at 9:56 AM Xin Long  wrote:
>
> On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner wrote:
> >
> > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > On Wed, Dec 5, 2018 at 8:31 PM syzbot wrote:

Re: KMSAN: kernel-infoleak in sctp_getsockopt

2018-12-10 Thread Xin Long
On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner wrote:
>
> On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > On Wed, Dec 5, 2018 at 8:31 PM syzbot wrote: