KMSAN: kernel-infoleak in copyout lib/iov_iter.c

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I have been fuzzing Linux 4.17 with KMSAN
(https://github.com/google/kmsan/)  and I found the following crash:

=======================================================
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
BUG: KMSAN: kernel-infoleak in copy_page_to_iter_iovec
lib/iov_iter.c:212 [inline]
BUG: KMSAN: kernel-infoleak in copy_page_to_iter+0x754/0x1b70 lib/iov_iter.c:716
 CPU: 2 PID: 21280 Comm: syz-executor3 Not tainted 4.17.0+ #4 Hardware
name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:113 kmsan_report+0x188/0x2a0
mm/kmsan/kmsan.c:1117 kmsan_internal_check_memory+0x17e/0x1f0
mm/kmsan/kmsan.c:1230 kmsan_copy_to_user+0x7a/0x160
mm/kmsan/kmsan.c:1253 copyout lib/iov_iter.c:140 [inline]
copy_page_to_iter_iovec lib/iov_iter.c:212 [inline]
copy_page_to_iter+0x754/0x1b70 lib/iov_iter.c:716 process_vm_rw_pages
mm/process_vm_access.c:53 [inline] process_vm_rw_single_vec
mm/process_vm_access.c:124 [inline] process_vm_rw_core+0xf6a/0x1930
mm/process_vm_access.c:220 process_vm_rw+0x3d0/0x500
mm/process_vm_access.c:288 __do_sys_process_vm_readv
mm/process_vm_access.c:302 [inline] __se_sys_process_vm_readv
mm/process_vm_access.c:298 [inline]
__x64_sys_process_vm_readv+0x1a0/0x200 mm/process_vm_access.c:298
do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9RIP: 0033:0x455a09RSP:
002b:00007f621260ec68 EFLAGS: 00000246 ORIG_RAX: 0000000000000136RAX:
ffffffffffffffda RBX: 00007f621260f6d4 RCX: 0000000000455a09RDX:
0000000000000007 RSI: 0000000020001b00 RDI: 000000000000070aRBP:
000000000072bea0 R08: 0000000000000001 R09: 0000000000000000R10:
0000000020001c80 R11: 0000000000000246 R12: 00000000ffffffffR13:
0000000000000524 R14: 00000000006fbc00 R15: 0000000000000000

Uninit was created at: kmsan_save_stack_with_flags
mm/kmsan/kmsan.c:279 [inline] kmsan_alloc_meta_for_pages+0x161/0x3a0
mm/kmsan/kmsan.c:815 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:885
__alloc_pages_nodemask+0xe02/0x5c80 mm/page_alloc.c:4402 __alloc_pages
include/linux/gfp.h:458 [inline] __alloc_pages_node
include/linux/gfp.h:471 [inline]
alloc_pages_vma+0x1555/0x17f0 mm/mempolicy.c:2049
do_huge_pmd_wp_page+0x3026/0x4f50 mm/huge_memory.c:1296 wp_huge_pmd
mm/memory.c:3866 [inline]
__handle_mm_fault mm/memory.c:4079 [inline]
handle_mm_fault+0x22aa/0x7c40 mm/memory.c:4126
__do_page_fault+0xec6/0x1a10 arch/x86/mm/fault.c:1400
do_page_fault+0xb7/0x250 arch/x86/mm/fault.c:1477 page_fault+0x1e/0x30
arch/x86/entry/entry_64.S:1160
Bytes 0-204 of 205 are uninitialized
Memory access starts at ffff880029601b80
==================================================================

I am able to reliably reproduce the crash using ./syz-repro on the
following program:

r0 = gettid()
process_vm_readv(r0, &(0x7f0000001b00)=[{&(0x7f00000006c0)=""/221,
0xdd}, {&(0x7f00000007c0)=""/248, 0xf8}, {&(0x7f00000008c0)=""/254,
0xfe}, {&(0x7f00000009c0)=""/4096, 0x1000}, {&(0x7f00000019c0)},
{&(0x7f0000001a00)=""/184, 0xb8}, {&(0x7f0000001ac0)=""/26, 0x1a}],
0x7, &(0x7f0000001c80)=[{&(0x7f0000001b80)=""/205, 0xcd}], 0x1, 0x0)
r1 = socket$inet(0x2, 0x1, 0x0)
fcntl$setown(r1, 0x8, 0xffffffffffffffff)
fcntl$getownex(r1, 0x10, &(0x7f00000000c0)={0x0,<r2=>0x0})
process_vm_writev(r2, &(0x7f0000000080)=[{&(0x7f0000000000)=""/99,
0x63}], 0x1, &(0x7f00000003c0)=[{&(0x7f0000000100)=""/157, 0x9d},
{&(0x7f00000001c0)=""/22, 0x16}, {&(0x7f0000000200)=""/137, 0x89},
{&(0x7f00000002c0)=""/51, 0x33}, {&(0x7f0000000300)=""/134, 0x86}],
0x5, 0x0)

Here is a C program that can (inconsistently) trigger the crash:
https://pastebin.com/pRBptS9X
My kernel configs are here: https://pastebin.com/KGjTG2Yd
Log context around crash: https://pastebin.com/f5BsDUpV


Regards,
Shankara Pailoor




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux