* KMSAN: kernel-infoleak in sctp_getsockopt
@ 2018-12-05 19:31 ` syzbot
  0 siblings, 0 replies; 34+ messages in thread
From: syzbot @ 2018-12-05 19:31 UTC (permalink / raw)
  To: davem, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot found the following crash on:

HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
git tree:       https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
compiler:       clang version 8.0.0 (trunk 343298)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com

8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x32d/0x480 lib/dump_stack.c:113
  kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
  kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
  kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
  _copy_to_user+0x19a/0x230 lib/usercopy.c:33
  copy_to_user include/linux/uaccess.h:183 [inline]
  sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
  sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
  __sys_getsockopt+0x489/0x550 net/socket.c:1939
  __do_sys_getsockopt net/socket.c:1950 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
  do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff

Uninit was stored to memory at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
  kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
  kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
  kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
  __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
  sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
  sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
  sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
  __sys_getsockopt+0x489/0x550 net/socket.c:1939
  __do_sys_getsockopt net/socket.c:1950 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
  do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
  kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
  kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
  kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
  __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
  sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
  sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
  sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
  __sys_getsockopt+0x489/0x550 net/socket.c:1939
  __do_sys_getsockopt net/socket.c:1950 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
  do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
  kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
  kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
  __kmalloc+0x14c/0x4d0 mm/slub.c:3825
  kmalloc include/linux/slab.h:551 [inline]
  sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
  notifier_call_chain kernel/notifier.c:93 [inline]
  __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
  atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
  inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
  ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
  inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
  inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
  rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
  netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
  rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
  netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
  netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
  netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
  sock_sendmsg_nosec net/socket.c:621 [inline]
  sock_sendmsg net/socket.c:631 [inline]
  ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
  __sys_sendmsg net/socket.c:2154 [inline]
  __do_sys_sendmsg net/socket.c:2163 [inline]
  __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
  do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Bytes 32-35 of 2100 are uninitialized
Memory access of size 2100 starts at ffff888185d8b000
Data copied to user address 0000000020001108
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

* Re: KMSAN: kernel-infoleak in sctp_getsockopt
  2018-12-05 19:31 ` syzbot
@ 2018-12-06 10:36   ` Alexander Potapenko
  -1 siblings, 0 replies; 34+ messages in thread
From: Alexander Potapenko @ 2018-12-06 10:36 UTC (permalink / raw)
  To: syzbot+ad5d327e6936a2e284be
  Cc: David Miller, LKML, linux-sctp, Marcelo Ricardo Leitner,
	Networking, nhorman, syzkaller-bugs, Vladislav Yasevich

[-- Attachment #1: Type: text/plain, Size: 8207 bytes --]

On Wed, Dec 5, 2018 at 8:31 PM syzbot
<syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> git tree:       https://github.com/google/kmsan.git/master
> console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> compiler:       clang version 8.0.0 (trunk 343298)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
>
> 8021q: adding VLAN 0 to HW filter on device team0
> 8021q: adding VLAN 0 to HW filter on device team0
> 8021q: adding VLAN 0 to HW filter on device team0
> 8021q: adding VLAN 0 to HW filter on device team0
> ==================================================================
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x32d/0x480 lib/dump_stack.c:113
>   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
>   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
>   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
>   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
>   copy_to_user include/linux/uaccess.h:183 [inline]
>   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
>   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
>   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
>   __sys_getsockopt+0x489/0x550 net/socket.c:1939
>   __do_sys_getsockopt net/socket.c:1950 [inline]
>   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
>   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
>   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
>   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> RIP: 0033:0x457569
> Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
>
> Uninit was stored to memory at:
>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
>   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
>   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
>   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
>   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
>   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
>   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
>   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
>   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
>   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
>   __sys_getsockopt+0x489/0x550 net/socket.c:1939
>   __do_sys_getsockopt net/socket.c:1950 [inline]
>   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
>   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
>   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
>   entry_SYSCALL_64_after_hwframe+0x63/0xe7
>
> Uninit was stored to memory at:
>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
>   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
>   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
>   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
>   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
>   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
>   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
>   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
>   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
>   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
>   __sys_getsockopt+0x489/0x550 net/socket.c:1939
>   __do_sys_getsockopt net/socket.c:1950 [inline]
>   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
>   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
>   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
>   entry_SYSCALL_64_after_hwframe+0x63/0xe7
>
> Uninit was created at:
>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
>   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
>   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
>   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
>   kmalloc include/linux/slab.h:551 [inline]
>   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
>   notifier_call_chain kernel/notifier.c:93 [inline]
>   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
>   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
>   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
>   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
>   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
>   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
>   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
>   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
>   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
>   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
>   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
>   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
>   sock_sendmsg_nosec net/socket.c:621 [inline]
>   sock_sendmsg net/socket.c:631 [inline]
>   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
>   __sys_sendmsg net/socket.c:2154 [inline]
>   __do_sys_sendmsg net/socket.c:2163 [inline]
>   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
>   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
>   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
>   entry_SYSCALL_64_after_hwframe+0x63/0xe7
>
> Bytes 32-35 of 2100 are uninitialized
> Memory access of size 2100 starts at ffff888185d8b000
> Data copied to user address 0000000020001108
> ==================================================================
When a network device goes up and sctp_inetaddr_event() is called, it
allocates a partially initialized struct sctp_sockaddr_entry to hold
the newly created address.
The attached reproducer can then be used to read up to 8 uninit bytes
for each of the local addresses.
I guess the devices aren't created so often that this can pose any
security risk, but we probably still need to allocate this structure
with __GFP_ZERO.
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

[-- Attachment #2: dump_buf.h --]
[-- Type: text/x-chdr, Size: 1701 bytes --]

#ifndef DUMP_BUF_H
#define DUMP_BUF_H

#include <stdio.h>
#include <string.h>

/* Shortest string piece worth printing under DUMP_PRINT_STRING. */
#ifndef DUMP_MIN_STRLEN
#define DUMP_MIN_STRLEN 1
#endif

/* Serialize output from several threads with a mutex. */
#ifndef DUMP_PARALLEL
#define DUMP_PARALLEL 0
#endif

/* Print the address of every non-empty buffer. */
#ifndef DUMP_PRINT_BUF_ADDR
#define DUMP_PRINT_BUF_ADDR 0
#endif

/* Print every non-zero byte, plus the 8 bytes at its position read as a pointer. */
#ifndef DUMP_PRINT_HEX
#define DUMP_PRINT_HEX 0
#endif

/* Print the printable string pieces found in the buffer. */
#ifndef DUMP_PRINT_STRING
#define DUMP_PRINT_STRING 0
#endif

#if DUMP_PARALLEL
#include <pthread.h>
static pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
#endif

/* Print whatever non-zero content a buffer holds; silent if it is all zeros.
 * The caller must make sure the buffer is followed by readable memory (a NUL
 * for the string scan, 8 bytes for the pointer-sized hex view). */
static void dump_buf(unsigned char *buf, int len) {
  int i, nz = 0;
  for (i = 0; i < len; i++) {
    if (buf[i]) {
      nz = 1;
      break;
    }
  }
  if (!nz) {
    // The buffer is empty.
    return;
  }
#if DUMP_PARALLEL
  pthread_mutex_lock(&out_mutex);
#endif
#if DUMP_PRINT_BUF_ADDR
  fprintf(stderr, "nonempty buffer at %p\n", (void *)buf);
#endif
#if DUMP_PRINT_HEX
  for (i = 0; i < len; i++) {
    if (buf[i]) {
      // The %p value reinterprets the 8 bytes starting at buf[i] as a pointer,
      // which makes leaked kernel pointers easy to spot.
      fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], *(void **)&buf[i]);
    }
  }
#endif // DUMP_PRINT_HEX
#if DUMP_PRINT_STRING
  for (i = 0; i < len; i++) {
    if (buf[i]) {
      int str_len = (int)strlen((const char *)&buf[i]);
      // Short string pieces are too boring.
      if (str_len >= DUMP_MIN_STRLEN) {
        unsigned char *c;
        // Replace non-printable bytes with spaces so the output stays readable.
        for (c = &buf[i]; c < &buf[i + str_len]; c++) {
          if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13))) {
            *c = ' ';
          }
        }
        // Dump the buffer.
        fprintf(stderr, "%s\n", (const char *)&buf[i]);
      }
      i += str_len;  // skip past this string and its terminator
    }
  }
#endif // DUMP_PRINT_STRING
#if DUMP_PARALLEL
  pthread_mutex_unlock(&out_mutex);
#endif
}

#endif

[-- Attachment #3: getsockopt.c --]
[-- Type: text/x-csrc, Size: 1168 bytes --]

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <pthread.h>
#include <sys/types.h>          /* See NOTES */
#include <sys/socket.h>
#include <unistd.h>

#define DUMP_PARALLEL 1
#define DUMP_PRINT_BUF_ADDR 1
#define DUMP_PRINT_STRING 1
#define DUMP_PRINT_HEX 1
#include "dump_buf.h"

// Raced against getsockopt_fn: level 0x84 is IPPROTO_SCTP, option 0x6e is
// SCTP_SOCKOPT_CONNECTX, with an AF_INET sockaddr for 172.20.20.0, port 0.
void *setsockopt_fn(void *arg) {
  int sock = (int)(intptr_t)arg;
  struct sockaddr addr;
  memset(&addr, 0, sizeof(addr));
  addr.sa_family = 2;              // AF_INET
  addr.sa_data[2] = (char)0xac;    // sa_data[0..1] is the port, [2..5] the address
  addr.sa_data[3] = 0x14;
  addr.sa_data[4] = 0x14;
  setsockopt(sock, /*IPPROTO_SCTP*/0x84, /*SCTP_SOCKOPT_CONNECTX*/0x6e, &addr, 0x10);
  return NULL;
}

#define BUFLEN (0x2c2)
// Fetches the local address list. buf[0..7] is the struct sctp_getaddrs
// header (assoc_id, addr_num); the addresses start at offset 8. The buffer
// is zeroed first so that every non-zero byte dumped was written by the kernel.
void *getsockopt_fn(void *arg) {
  int sock = (int)(intptr_t)arg;
  char buf[BUFLEN];
  memset(buf, 0, BUFLEN);
  socklen_t socklen = BUFLEN;
  getsockopt(sock, /*IPPROTO_SCTP*/0x84, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
  dump_buf((unsigned char *)&buf[8], 32);
  return NULL;
}

void do_work(int sock) {
  pthread_t t1, t2;
  for (int i = 0; i < 10; i++) {
    pthread_create(&t1, NULL, getsockopt_fn, (void *)(intptr_t)sock);
    pthread_create(&t2, NULL, setsockopt_fn, (void *)(intptr_t)sock);
    usleep(100);
  }
}

int main(int argc, char *argv[]) {
  (void)argc;
  (void)argv;
  int pid = fork();
  if (pid == 0) {
    // AF_INET, SOCK_STREAM, IPPROTO_SCTP
    int sock = socket(0x2, 0x1, 0x84);
    do_work(sock);
  }
  sleep(10);  // parent and child both wait for the threads, then exit
  return 0;
}
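
As an added example (not code from the thread or from the kernel), a user-space model of the pattern Alexander describes above: an address entry allocated without __GFP_ZERO, only partly filled in, and later copied whole into a user buffer, with a KMSAN-style shadow counting the copied bytes that were never initialised, beside the same path with __GFP_ZERO. The struct layout, the slab model, the flag values and which two fields the handler skips are simplifying assumptions made here.

```c
/* Added example: user-space model of a partially initialised entry being
 * copied to user space, and of the __GFP_ZERO fix. Names, layout and flag
 * values are assumptions for the model, not the kernel's definitions. */
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define GFP_KERNEL 0x1u
#define __GFP_ZERO 0x100u /* assumed value; only the bit is used here */

/* Slab model: memory comes back holding stale data from its previous user.
 * shadow[i] == 1 means slab byte i has not been written since allocation. */
static union { unsigned char bytes[4096]; unsigned long long align; } slab_u;
#define slab (slab_u.bytes)
static unsigned char shadow[4096];
static size_t slab_top;

static void *model_kmalloc(size_t size, unsigned flags) {
    size = (size + 15) & ~(size_t)15;         /* keep allocations aligned */
    if (slab_top + size > sizeof slab_u.bytes) return NULL;
    unsigned char *p = slab + slab_top;
    slab_top += size;
    memset(p, 0xA5, size);                    /* leftover from the previous owner */
    memset(shadow + (p - slab), 1, size);     /* poisoned: every byte is stale */
    if (flags & __GFP_ZERO) {
        memset(p, 0, size);
        memset(shadow + (p - slab), 0, size); /* zeroing initialises all of it */
    }
    return p;
}

/* A store clears the shadow of the bytes it writes, as under KMSAN. */
static void shadow_clear(const void *p, size_t n) {
    memset(shadow + ((const unsigned char *)p - slab), 0, n);
}
#define INIT_FIELD(obj, field, val) \
    ((obj)->field = (val), shadow_clear(&(obj)->field, sizeof (obj)->field))

/* Simplified stand-in for struct sctp_sockaddr_entry. */
struct addr_entry {
    union { struct sockaddr_in v4; struct sockaddr_in6 v6; } a;
    int valid;
};

/* Model of the address-notifier handler: it sets family, port and address
 * but (in this model) never touches sin6_flowinfo or sin6_scope_id. With
 * GFP_KERNEL alone those 8 bytes keep slab garbage; with __GFP_ZERO they
 * are zero, which is the fix proposed in the message above. */
static struct addr_entry *addr_event(const struct in6_addr *ip, unsigned flags) {
    struct addr_entry *e = model_kmalloc(sizeof *e, flags);
    if (!e) return NULL;
    INIT_FIELD(e, a.v6.sin6_family, AF_INET6);
    INIT_FIELD(e, a.v6.sin6_port, 0);
    INIT_FIELD(e, a.v6.sin6_addr, *ip);
    INIT_FIELD(e, valid, 1);
    return e;
}

/* Model of sctp_copy_laddrs() feeding copy_to_user(): the whole sockaddr_in6
 * is copied out and, like kmsan_copy_to_user(), the number of copied bytes
 * that were never initialised is reported. */
static size_t copy_laddr_to_user(const struct addr_entry *e, unsigned char *ubuf) {
    const unsigned char *src = (const unsigned char *)&e->a.v6;
    size_t n = sizeof e->a.v6, uninit = 0;
    for (size_t i = 0; i < n; i++)
        uninit += shadow[(src - slab) + i];
    memcpy(ubuf, src, n);
    return uninit;
}

/* One allocate/fill/copy cycle; returns how many stale bytes reached ubuf. */
size_t leaked_bytes(unsigned flags) {
    unsigned char ubuf[sizeof(struct sockaddr_in6)];
    struct addr_entry *e = addr_event(&in6addr_loopback, flags);
    return e ? copy_laddr_to_user(e, ubuf) : (size_t)-1;
}

int main(void) {
    printf("GFP_KERNEL:              %zu uninitialised bytes copied to user\n",
           leaked_bytes(GFP_KERNEL));
    printf("GFP_KERNEL | __GFP_ZERO: %zu uninitialised bytes copied to user\n",
           leaked_bytes(GFP_KERNEL | __GFP_ZERO));
    return 0;
}
```

The 8 stale bytes reported for the GFP_KERNEL case are the two 4-byte fields the handler skipped, which matches the "up to 8 uninit bytes per address" figure in the message; the __GFP_ZERO allocation reports none.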

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt
@ 2018-12-06 10:36   ` Alexander Potapenko
  0 siblings, 0 replies; 34+ messages in thread
From: Alexander Potapenko @ 2018-12-06 10:36 UTC (permalink / raw)
  To: syzbot+ad5d327e6936a2e284be
  Cc: David Miller, LKML, linux-sctp, Marcelo Ricardo Leitner,
	Networking, nhorman, syzkaller-bugs, Vladislav Yasevich

[-- Attachment #1: Type: text/plain, Size: 8207 bytes --]

On Wed, Dec 5, 2018 at 8:31 PM syzbot
<syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> git tree:       https://github.com/google/kmsan.git/master
> console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> compiler:       clang version 8.0.0 (trunk 343298)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
>
> 8021q: adding VLAN 0 to HW filter on device team0
> 8021q: adding VLAN 0 to HW filter on device team0
> 8021q: adding VLAN 0 to HW filter on device team0
> 8021q: adding VLAN 0 to HW filter on device team0
> ==================================================================
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x32d/0x480 lib/dump_stack.c:113
>   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
>   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
>   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
>   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
>   copy_to_user include/linux/uaccess.h:183 [inline]
>   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
>   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
>   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
>   __sys_getsockopt+0x489/0x550 net/socket.c:1939
>   __do_sys_getsockopt net/socket.c:1950 [inline]
>   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
>   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
>   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
>   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> RIP: 0033:0x457569
> Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
>
> Uninit was stored to memory at:
>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
>   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
>   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
>   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
>   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
>   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
>   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
>   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
>   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
>   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
>   __sys_getsockopt+0x489/0x550 net/socket.c:1939
>   __do_sys_getsockopt net/socket.c:1950 [inline]
>   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
>   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
>   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
>   entry_SYSCALL_64_after_hwframe+0x63/0xe7
>
> Uninit was stored to memory at:
>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
>   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
>   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
>   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
>   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
>   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
>   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
>   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
>   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
>   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
>   __sys_getsockopt+0x489/0x550 net/socket.c:1939
>   __do_sys_getsockopt net/socket.c:1950 [inline]
>   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
>   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
>   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
>   entry_SYSCALL_64_after_hwframe+0x63/0xe7
>
> Uninit was created at:
>   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
>   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
>   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
>   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
>   kmalloc include/linux/slab.h:551 [inline]
>   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
>   notifier_call_chain kernel/notifier.c:93 [inline]
>   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
>   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
>   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
>   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
>   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
>   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
>   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
>   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
>   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
>   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
>   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
>   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
>   sock_sendmsg_nosec net/socket.c:621 [inline]
>   sock_sendmsg net/socket.c:631 [inline]
>   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
>   __sys_sendmsg net/socket.c:2154 [inline]
>   __do_sys_sendmsg net/socket.c:2163 [inline]
>   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
>   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
>   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
>   entry_SYSCALL_64_after_hwframe+0x63/0xe7
>
> Bytes 32-35 of 2100 are uninitialized
> Memory access of size 2100 starts at ffff888185d8b000
> Data copied to user address 0000000020001108
> ==================================================================
When a network device goes up and sctp_inetaddr_event() is called, it
allocates a partially initialized struct sctp_sockaddr_entry to hold
the newly created address.
The attached reproducer can then be used to read up to 8 uninit bytes
for each of the local addresses.
I guess the devices aren't created so often that this can pose any
security risk, but we probably still need to allocate this structure
with __GFP_ZERO.
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000311344057c4b6cc3%40google.com.
> For more options, visit https://groups.google.com/d/optout.



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing directors: Paul Manicle, Halimah DeLaine Prado
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg

[-- Attachment #2: dump_buf.h --]
[-- Type: text/x-chdr, Size: 1701 bytes --]

#ifndef DUMP_BUF_H
#define DUMP_BUF_H

/* Debug helper: print the non-zero contents of a buffer filled in by a
 * syscall, as hex words and/or as printable string pieces. */
#include <stdio.h>
#include <string.h>

#ifndef DUMP_MIN_STRLEN
#define DUMP_MIN_STRLEN 1
#endif

#ifndef DUMP_PARALLEL
#define DUMP_PARALLEL 0
#endif

#ifndef DUMP_PRINT_BUF_ADDR
#define DUMP_PRINT_BUF_ADDR 0
#endif

#ifndef DUMP_PRINT_HEX
#define DUMP_PRINT_HEX 0
#endif

#ifndef DUMP_PRINT_STRING
#define DUMP_PRINT_STRING 0
#endif

#if DUMP_PARALLEL
#include <pthread.h>
/* Serializes stderr output when dump_buf() runs in several threads. */
pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
#endif

void dump_buf(unsigned char *buf, int len) {
  int i, nz = 0;
  /* Skip buffers that contain nothing but zeroes. */
  for (i = 0; i < len; i++) {
    if (buf[i]) {
      nz = 1;
      break;
    }
  }
  if (!nz) {
    // The buffer is empty.
    return;
  } else {
#if DUMP_PARALLEL
    pthread_mutex_lock(&out_mutex);
#endif
#if DUMP_PRINT_BUF_ADDR
    fprintf(stderr, "nonempty buffer at %p\n", (void *)buf);
#endif
#if DUMP_PRINT_HEX
    // For every non-zero byte print it together with the pointer-sized
    // word that starts at that offset (the word may extend past len).
    for (i = 0; i < len; i++) {
      if (buf[i]) {
        fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], *(void**)&buf[i]);
      }
    }
#endif // DUMP_PRINT_HEX
#if DUMP_PARALLEL
    pthread_mutex_unlock(&out_mutex);
#endif
  }
#if DUMP_PARALLEL
  pthread_mutex_lock(&out_mutex);
#endif
#if DUMP_PRINT_STRING
  // Print each NUL-terminated run of bytes, first replacing non-printable
  // characters (other than LF and CR) with spaces.
  for (i = 0; i < len; i++) {
    if (buf[i]) {
      int str_len = (int)strlen((char *)&buf[i]);
      // Short string pieces are too boring.
      if (str_len >= DUMP_MIN_STRLEN) {
        unsigned char *c;
        for (c = &buf[i]; c < &buf[i + str_len]; c++) {
          if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13)))  {
            *c = ' ';
            continue;
          }
        }
        // Dump the buffer.
        fprintf(stderr, "%s\n", (char *)&buf[i]);
      }
      i += str_len;
    }
  }
#endif // DUMP_PRINT_STRING
#if DUMP_PARALLEL
  pthread_mutex_unlock(&out_mutex);
#endif
}

#endif

[-- Attachment #3: getsockopt.c --]
[-- Type: text/x-csrc, Size: 1168 bytes --]

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <pthread.h>
#include <sys/types.h>          /* See NOTES */
#include <sys/socket.h>
#include <unistd.h>

#define DUMP_PARALLEL 1
#define DUMP_PRINT_BUF_ADDR 1
#define DUMP_PRINT_STRING 1
#define DUMP_PRINT_HEX 1
#include "dump_buf.h"

/* Thread body: issue an SCTP (IPPROTO_SCTP == 0x84) socket option that
 * carries an AF_INET address. */
void *setsockopt_fn(void *arg) {
  int sock = (int)(intptr_t)arg;
  struct sockaddr addr;
  memset(&addr, 0, sizeof(addr));
  addr.sa_family = 2;           /* AF_INET */
  addr.sa_data[2] = 0xac;
  addr.sa_data[3] = 0x14;
  addr.sa_data[4] = 0x14;
  setsockopt(sock, 0x84, 0x6e, &addr, 0x10);
  return NULL;
}

#define BUFLEN (0x2c2)
/* Thread body: fetch the socket's local address list into a zeroed buffer
 * and dump whatever non-zero bytes the kernel wrote after the header. */
void *getsockopt_fn(void *arg) {
  int sock = (int)(intptr_t)arg;
  unsigned char buf[BUFLEN];
  memset(buf, 0, BUFLEN);
  socklen_t socklen = BUFLEN;
  getsockopt(sock, 0x84, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
  dump_buf(&(buf[8]), 32);
  return NULL;
}

void do_work(int sock) {
  pthread_t t1, t2;
  for (int i = 0; i < 10; i++) {
    pthread_create(&t1, NULL, getsockopt_fn, (void *)(intptr_t)sock);
    pthread_create(&t2, NULL, setsockopt_fn, (void *)(intptr_t)sock);
    usleep(100);
  }
}

int main(int argc, char *argv[]) {
  int pid = fork();
  if (pid == 0) {
    /* AF_INET, SOCK_STREAM, IPPROTO_SCTP */
    int sock = socket(0x2, 0x1, 0x84);
    do_work(sock);
  }
  sleep(10);
  return 0;
}
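
To make the mechanism Alexander describes concrete from the defender's side, the following user-space model is added here as an example; it is not kernel code and not part of the thread. A "kernel" entry is allocated, partially initialised by a stand-in for the notifier's NETDEV_UP path, and then copied out wholesale to a "user" buffer, as the getsockopt handler in the trace copies sockaddr entries. The stand-in allocator `fake_kmalloc` poisons fresh memory with a sentinel so that bytes that were never written can be counted after the copy, a crude version of what KMSAN's shadow tracking does in the report above; `fake_kzalloc` plays the role of an allocation with `__GFP_ZERO`. Assumptions: the Linux/glibc layout of `struct sockaddr_in6` (28 bytes, no padding), and that the field left unset is the 4-byte `sin6_flowinfo`; the report shows exactly four uninitialised bytes but does not name the field, so that choice is this model's, not the page's. The sample address is constructed.

```c
/* Added example: user-space model of an uninitialised-heap info leak
 * and of the zeroed-allocation fix. Not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>  /* struct sockaddr_in6, struct in6_addr, AF_INET6 */

#define POISON 0xA5  /* sentinel written into freshly "kmalloc'ed" memory */

/* Model of the kernel's address-list entry (assumption: the real one embeds
 * a union sctp_addr; only the IPv6 member is modelled here). */
struct addr_entry {
    struct sockaddr_in6 v6;
    int valid;
};

/* Stand-in for kmalloc(): fresh memory holds whatever was there before.
 * Filling it with POISON makes "never written" observable. */
static void *fake_kmalloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, POISON, n);
    return p;
}

/* Stand-in for kmalloc(..., GFP_ATOMIC | __GFP_ZERO), i.e. kzalloc(). */
static void *fake_kzalloc(size_t n) { return calloc(1, n); }

/* Stand-in for the NETDEV_UP path: family, port, address and scope id are
 * set; sin6_flowinfo is not (assumption, see lead-in). zeroed selects the
 * allocator and so the fix under discussion. */
static struct addr_entry *new_entry(const struct in6_addr *a, int ifindex,
                                    int zeroed) {
    struct addr_entry *e = zeroed ? fake_kzalloc(sizeof *e)
                                  : fake_kmalloc(sizeof *e);
    if (!e) return NULL;
    e->v6.sin6_family = AF_INET6;
    e->v6.sin6_port = 0;
    e->v6.sin6_addr = *a;
    e->v6.sin6_scope_id = (uint32_t)ifindex;
    e->valid = 1;
    return e;
}

/* Stand-in for the getsockopt copy: the whole sockaddr is copied out,
 * initialised or not. Returns the number of bytes copied. */
static size_t copy_to_user_model(unsigned char *dst,
                                 const struct addr_entry *e) {
    memcpy(dst, &e->v6, sizeof e->v6);
    return sizeof e->v6;
}

/* Count bytes of the copied-out record that still carry the allocator
 * poison, i.e. that reached "user space" without ever being written.
 * A legitimately written byte equal to POISON would be miscounted; the
 * constructed sample address below contains no such byte. */
static size_t count_uninit(const unsigned char *buf, size_t n) {
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == POISON) leaked++;
    return leaked;
}

/* Run allocate -> partially initialise -> copy out, and return how many
 * uninitialised bytes reached the user buffer. (size_t)-1 on OOM. */
size_t leaked_bytes(int zeroed) {
    struct in6_addr a = IN6ADDR_LOOPBACK_INIT;  /* constructed sample: ::1 */
    unsigned char user_buf[sizeof(struct sockaddr_in6)];
    struct addr_entry *e = new_entry(&a, 2, zeroed);
    size_t n, leaked;
    if (!e) return (size_t)-1;
    n = copy_to_user_model(user_buf, e);
    leaked = count_uninit(user_buf, n);
    free(e);
    return leaked;
}

int main(void) {
    printf("kmalloc: %zu uninitialised bytes reach user space\n",
           leaked_bytes(0));
    printf("kzalloc: %zu uninitialised bytes reach user space\n",
           leaked_bytes(1));
    return 0;
}
```

With the plain allocation the four bytes of `sin6_flowinfo` come through untouched; with the zeroed allocation none do. Zeroing at allocation closes the whole class for that object (unset fields, union slack and padding alike), whereas initialising the one missing field fixes only this instance; which of the two the kernel fix used is not stated on this page.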


* Re: KMSAN: kernel-infoleak in sctp_getsockopt
  2018-12-06 10:36   ` Alexander Potapenko
@ 2018-12-06 11:06     ` Marcelo Ricardo Leitner
  -1 siblings, 0 replies; 34+ messages in thread
From: Marcelo Ricardo Leitner @ 2018-12-06 11:06 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: syzbot+ad5d327e6936a2e284be, David Miller, LKML, linux-sctp,
	Networking, nhorman, syzkaller-bugs, Vladislav Yasevich

On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> On Wed, Dec 5, 2018 at 8:31 PM syzbot
> <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> > git tree:       https://github.com/google/kmsan.git/master
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> > dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> > compiler:       clang version 8.0.0 (trunk 343298)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
> >
> > 8021q: adding VLAN 0 to HW filter on device team0
> > 8021q: adding VLAN 0 to HW filter on device team0
> > 8021q: adding VLAN 0 to HW filter on device team0
> > 8021q: adding VLAN 0 to HW filter on device team0
> > ==================================================================
> > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> >   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
> >   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
> >   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
> >   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> >   copy_to_user include/linux/uaccess.h:183 [inline]
> >   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
> >   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
> >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> >   __do_sys_getsockopt net/socket.c:1950 [inline]
> >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > RIP: 0033:0x457569
> > Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> > RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> > RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> > R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> > R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
> >
> > Uninit was stored to memory at:
> >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> >   __do_sys_getsockopt net/socket.c:1950 [inline]
> >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> >
> > Uninit was stored to memory at:
> >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> >   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
> >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> >   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
> >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> >   __do_sys_getsockopt net/socket.c:1950 [inline]
> >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> >
> > Uninit was created at:
> >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> >   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
> >   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
> >   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
> >   kmalloc include/linux/slab.h:551 [inline]
> >   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
> >   notifier_call_chain kernel/notifier.c:93 [inline]
> >   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> >   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
> >   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
> >   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
> >   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
> >   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
> >   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
> >   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
> >   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
> >   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
> >   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
> >   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
> >   sock_sendmsg_nosec net/socket.c:621 [inline]
> >   sock_sendmsg net/socket.c:631 [inline]
> >   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
> >   __sys_sendmsg net/socket.c:2154 [inline]
> >   __do_sys_sendmsg net/socket.c:2163 [inline]
> >   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
> >   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
> >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> >
> > Bytes 32-35 of 2100 are uninitialized
> > Memory access of size 2100 starts at ffff888185d8b000
> > Data copied to user address 0000000020001108
> > ==================================================================
> When a network device goes up and sctp_inetaddr_event() is called, it
> allocates a partially initialized struct sctp_sockaddr_entry to hold
> the newly created address.
> The attached reproducer can be then used to read up to 8 uninit bytes
> for each of the local addresses.
> I guess the devices aren't created so often that this can pose any
> security risk, but we probably still need to allocate this structure
> with __GFP_ZERO.

Agree. Thanks Alexander.
Looks like this is the last/only place left with this issue.

> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > syzbot.
> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
> >
> > --
> > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000311344057c4b6cc3%40google.com.
> > For more options, visit https://groups.google.com/d/optout.
> 
> 
> 
> -- 
> Alexander Potapenko
> Software Engineer
> 
> Google Germany GmbH
> Erika-Mann-Straße, 33
> 80636 München
> 
> Managing directors: Paul Manicle, Halimah DeLaine Prado
> Registration court and number: Hamburg, HRB 86891
> Registered office: Hamburg

> #ifndef DUMP_BUF_H
> #define DUMP_BUF_H
> 
> #ifndef DUMP_MIN_STRLEN
> #define DUMP_MIN_STRLEN 1
> #endif
> 
> #ifndef DUMP_PARALLEL
> #define DUMP_PARALLEL 0
> #endif
> 
> #ifndef DUMP_PRINT_BUF_ADDR
> #define DUMP_PRINT_BUF_ADDR 0
> #endif
> 
> #ifndef DUMP_PRINT_HEX
> #define DUMP_PRINT_HEX 0
> #endif
> 
> #ifndef DUMP_PRINT_STRING
> #define DUMP_PRINT_STRING 0
> #endif
> 
> #if DUMP_PARALLEL
> pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> #endif
> 
> void dump_buf(unsigned char *buf, int len) {
>   int i, nz = 0;
>   for (i = 0; i < len; i++) {
>     if (buf[i]) {
>       nz = 1;
>       break;
>     }
>   }
>   if (!nz) {
>     // The buffer is empty.
>     return;
>   } else {
> #if DUMP_PARALLEL
>     pthread_mutex_lock(&out_mutex);
> #endif
> #if DUMP_PRINT_BUF_ADDR
>     fprintf(stderr, "nonempty buffer at %p\n", buf);
> #endif
> #if DUMP_PRINT_HEX
>     for (i=0; i < len; i++) {
>       if (buf[i]) {
>         fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], *(void**)&buf[i]);
>       }
>     }
> #endif // DUMP_PRINT_HEX
> #if DUMP_PARALLEL
>     pthread_mutex_unlock(&out_mutex);
> #endif
>   }
> #if DUMP_PARALLEL
>   pthread_mutex_lock(&out_mutex);
> #endif
> #if DUMP_PRINT_STRING
>   for (i = 0; i < len; i++) {
>     if (buf[i]) {
>       int str_len = strlen(&buf[i]);
>       // Short string pieces are too boring.
>       if (str_len >= DUMP_MIN_STRLEN) {
>         unsigned char *c;
>         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
>           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13)))  {
>             *c = ' ';
>             continue;
>           }
>         }
>         // Dump the buffer.
>         fprintf(stderr, "%s\n", &buf[i]);
>       }
>       i += str_len;
>     }
>   }
> #endif // DUMP_PRINT_STRING
> #if DUMP_PARALLEL
>   pthread_mutex_unlock(&out_mutex);
> #endif
> }
> 
> #endif

> #include <stdio.h>
> #include <pthread.h>
> #include <sys/types.h>          /* See NOTES */
> #include <sys/socket.h>
> #include <unistd.h>
> 
> #define DUMP_PARALLEL 1
> #define DUMP_PRINT_BUF_ADDR 1
> #define DUMP_PRINT_STRING 1
> #define DUMP_PRINT_HEX 1
> #include "dump_buf.h"
> 
> void *setsockopt_fn(void *arg) {
>   int sock = (int)arg;
>   struct sockaddr addr;
>   memset(&addr, 0, sizeof(addr));
>   addr.sa_family = 2;
>   addr.sa_data[2] = 0xac;
>   addr.sa_data[3] = 0x14;
>   addr.sa_data[4] = 0x14;
>   setsockopt(sock, 0x84, 0x6e, &addr, 0x10);
> }
> 
> #define BUFLEN (0x2c2)
> void *getsockopt_fn(void *arg) {
>   int sock = (int)arg;
>   char buf[BUFLEN];
>   memset(buf, 0, BUFLEN);
>   int socklen = BUFLEN;
>   getsockopt(sock, 0x84, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
>   dump_buf(&(buf[8]), 32);
> }
> 
> void do_work(int sock) {
>   pthread_t t1, t2;
>   for (int i = 0; i < 10; i++) {
>     pthread_create(&t1, NULL, getsockopt_fn, (void*)sock);
>     pthread_create(&t2, NULL, setsockopt_fn, (void*)sock);
>     usleep(100);
>   }
> }
> 
> int main(int argc, char *argv[]) {
>   int res;
>   int pid = fork();
>   if (pid == 0) {
>     int sock = socket(0x2, 0x1, 0x84);
>     do_work(sock);
>   }
>   sleep(10);
>   return 0;
> }




* Re: KMSAN: kernel-infoleak in sctp_getsockopt
  2018-12-06 11:06     ` Marcelo Ricardo Leitner
@ 2018-12-06 11:35       ` Alexander Potapenko
  -1 siblings, 0 replies; 34+ messages in thread
From: Alexander Potapenko @ 2018-12-06 11:35 UTC (permalink / raw)
  To: Marcelo Ricardo Leitner
  Cc: syzbot+ad5d327e6936a2e284be, David Miller, LKML, linux-sctp,
	Networking, nhorman, syzkaller-bugs, Vladislav Yasevich

On Thu, Dec 6, 2018 at 12:06 PM Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
>
> On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > On Wed, Dec 5, 2018 at 8:31 PM syzbot
> > <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> > > git tree:       https://github.com/google/kmsan.git/master
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> > > compiler:       clang version 8.0.0 (trunk 343298)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
> > >
> > > 8021q: adding VLAN 0 to HW filter on device team0
> > > 8021q: adding VLAN 0 to HW filter on device team0
> > > 8021q: adding VLAN 0 to HW filter on device team0
> > > 8021q: adding VLAN 0 to HW filter on device team0
> > > ==================================================================
> > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Call Trace:
> > >   __dump_stack lib/dump_stack.c:77 [inline]
> > >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> > >   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
> > >   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
> > >   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
> > >   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > >   copy_to_user include/linux/uaccess.h:183 [inline]
> > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
> > >   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
> > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > RIP: 0033:0x457569
> > > Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > > ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> > > RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> > > RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> > > R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> > > R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
> > >
> > > Uninit was stored to memory at:
> > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Uninit was stored to memory at:
> > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > >   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
> > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > >   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
> > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Uninit was created at:
> > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > >   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
> > >   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
> > >   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
> > >   kmalloc include/linux/slab.h:551 [inline]
> > >   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
> > >   notifier_call_chain kernel/notifier.c:93 [inline]
> > >   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> > >   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
> > >   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
> > >   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
> > >   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
> > >   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
> > >   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
> > >   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
> > >   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
> > >   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
> > >   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
> > >   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
> > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > >   sock_sendmsg net/socket.c:631 [inline]
> > >   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
> > >   __sys_sendmsg net/socket.c:2154 [inline]
> > >   __do_sys_sendmsg net/socket.c:2163 [inline]
> > >   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
> > >   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Bytes 32-35 of 2100 are uninitialized
> > > Memory access of size 2100 starts at ffff888185d8b000
> > > Data copied to user address 0000000020001108
> > > ==================================================================
> > When a network device goes up and sctp_inetaddr_event() is called, it
> > allocates a partially initialized struct sctp_sockaddr_entry to hold
> > the newly created address.
> > The attached reproducer can be then used to read up to 8 uninit bytes
> > for each of the local addresses.
> > I guess the devices aren't created so often that this can pose any
> > security risk, but we probably still need to allocate this structure
> > with __GFP_ZERO.
>
> Agree. Thanks Alexander.
> Looks like this is the last/only place left with this issue.
It also turns out that a non-privileged user is allowed to create
network devices within a namespace, which makes it easier to generate
more uninitialized data.
> > >
> > > ---
> > > This bug is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this bug report. See:
> > > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > > syzbot.
> > > syzbot can test patches for this bug, for details see:
> > > https://goo.gl/tpsmEJ#testing-patches
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000311344057c4b6cc3%40google.com.
> > > For more options, visit https://groups.google.com/d/optout.
> >
> >
> >
> > --
> > Alexander Potapenko
> > Software Engineer
> >
> > Google Germany GmbH
> > Erika-Mann-Straße, 33
> > 80636 München
> >
> > Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> > Registergericht und -nummer: Hamburg, HRB 86891
> > Sitz der Gesellschaft: Hamburg
>
> > #ifndef DUMP_BUF_H
> > #define DUMP_BUF_H
> >
> > #include <stdio.h>
> > #include <string.h>
> >
> > #ifndef DUMP_MIN_STRLEN
> > #define DUMP_MIN_STRLEN 1
> > #endif
> >
> > #ifndef DUMP_PARALLEL
> > #define DUMP_PARALLEL 0
> > #endif
> >
> > #ifndef DUMP_PRINT_BUF_ADDR
> > #define DUMP_PRINT_BUF_ADDR 0
> > #endif
> >
> > #ifndef DUMP_PRINT_HEX
> > #define DUMP_PRINT_HEX 0
> > #endif
> >
> > #ifndef DUMP_PRINT_STRING
> > #define DUMP_PRINT_STRING 0
> > #endif
> >
> > #if DUMP_PARALLEL
> > #include <pthread.h>
> > pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> > #endif
> >
> > // Print the non-zero contents of buf[0..len): optionally the address of
> > // the buffer, every non-zero byte in hex (with the 8 bytes starting there
> > // also shown as a pointer), and the printable string fragments found in
> > // it.  The caller must make sure the region is followed by a NUL
> > // terminator and by at least sizeof(void *) bytes of readable slack.
> > void dump_buf(unsigned char *buf, int len) {
> >   int i, nz = 0;
> >   for (i = 0; i < len; i++) {
> >     if (buf[i]) {
> >       nz = 1;
> >       break;
> >     }
> >   }
> >   if (!nz) {
> >     // The buffer is empty.
> >     return;
> >   }
> > #if DUMP_PARALLEL
> >   // One lock for the whole dump keeps the output of concurrent callers apart.
> >   pthread_mutex_lock(&out_mutex);
> > #endif
> > #if DUMP_PRINT_BUF_ADDR
> >   fprintf(stderr, "nonempty buffer at %p\n", buf);
> > #endif
> > #if DUMP_PRINT_HEX
> >   for (i = 0; i < len; i++) {
> >     if (buf[i]) {
> >       void *as_ptr;
> >       // memcpy instead of *(void **)&buf[i]: the read is not aligned.
> >       memcpy(&as_ptr, &buf[i], sizeof(as_ptr));
> >       fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], as_ptr);
> >     }
> >   }
> > #endif // DUMP_PRINT_HEX
> > #if DUMP_PRINT_STRING
> >   for (i = 0; i < len; i++) {
> >     if (buf[i]) {
> >       int str_len = strlen((char *)&buf[i]);
> >       // Short string pieces are too boring.
> >       if (str_len >= DUMP_MIN_STRLEN) {
> >         unsigned char *c;
> >         // Replace bytes that are not printable ASCII (LF and CR excepted)
> >         // with spaces so the fragment can be printed as text.
> >         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
> >           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13))) {
> >             *c = ' ';
> >           }
> >         }
> >         // Dump the fragment.
> >         fprintf(stderr, "%s\n", &buf[i]);
> >       }
> >       i += str_len;
> >     }
> >   }
> > #endif // DUMP_PRINT_STRING
> > #if DUMP_PARALLEL
> >   pthread_mutex_unlock(&out_mutex);
> > #endif
> > }
> >
> > #endif
>
> > #include <stdint.h>
> > #include <stdio.h>
> > #include <string.h>
> > #include <pthread.h>
> > #include <sys/types.h>          /* See NOTES */
> > #include <sys/socket.h>
> > #include <unistd.h>
> >
> > #define DUMP_PARALLEL 1
> > #define DUMP_PRINT_BUF_ADDR 1
> > #define DUMP_PRINT_STRING 1
> > #define DUMP_PRINT_HEX 1
> > #include "dump_buf.h"
> >
> > // Level 0x84 is IPPROTO_SCTP (SOL_SCTP); 0x6e is SCTP_SOCKOPT_CONNECTX,
> > // 0x6d is SCTP_GET_LOCAL_ADDRS.
> > void *setsockopt_fn(void *arg) {
> >   int sock = (int)(intptr_t)arg;
> >   struct sockaddr addr;
> >   memset(&addr, 0, sizeof(addr));
> >   addr.sa_family = 2;        // AF_INET
> >   addr.sa_data[2] = 0xac;    // sa_data[0..1] is the port (0), then 172.20.20.0
> >   addr.sa_data[3] = 0x14;
> >   addr.sa_data[4] = 0x14;
> >   setsockopt(sock, 0x84, 0x6e, &addr, 0x10);
> >   return NULL;
> > }
> >
> > #define BUFLEN (0x2c2)
> > void *getsockopt_fn(void *arg) {
> >   int sock = (int)(intptr_t)arg;
> >   unsigned char buf[BUFLEN];
> >   memset(buf, 0, BUFLEN);
> >   socklen_t socklen = BUFLEN;
> >   getsockopt(sock, 0x84, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
> >   // Skip the 8-byte sctp_getaddrs header (assoc_id, addr_num) and dump
> >   // the first 32 bytes of the address array.
> >   dump_buf(&(buf[8]), 32);
> >   return NULL;
> > }
> >
> > // Run getsockopt() and setsockopt() concurrently on the same socket.  The
> > // threads are deliberately not joined; main() sleeps long enough for them.
> > void do_work(int sock) {
> >   pthread_t t1, t2;
> >   for (int i = 0; i < 10; i++) {
> >     pthread_create(&t1, NULL, getsockopt_fn, (void *)(intptr_t)sock);
> >     pthread_create(&t2, NULL, setsockopt_fn, (void *)(intptr_t)sock);
> >     usleep(100);
> >   }
> > }
> >
> > int main(int argc, char *argv[]) {
> >   (void)argc;
> >   (void)argv;
> >   int pid = fork();
> >   if (pid == 0) {
> >     // AF_INET, SOCK_STREAM, IPPROTO_SCTP
> >     int sock = socket(0x2, 0x1, 0x84);
> >     do_work(sock);
> >   }
> >   sleep(10);
> >   return 0;
> > }
>


-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

^ permalink raw reply	[flat|nested] 34+ messages in thread
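As an added illustration, not code from the thread or from the kernel tree: a user-space model of the bug Alexander describes, an allocation whose stale contents are only partly overwritten, checked the way KMSAN checks it, next to the two fixes discussed here (assigning the missing member, or a zeroed allocation). The struct mirrors the sockaddr_in6 layout; the address, interface index, POISON value and the names model_kmalloc, make_entry, stale_bytes, leak_bytes and first_stale are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mirror of the kernel's struct sockaddr_in6 layout:
 * family(2) port(2) flowinfo(4) addr(16) scope_id(4) = 28 bytes, no padding. */
struct model_sockaddr_in6 {
    uint16_t sin6_family;
    uint16_t sin6_port;
    uint32_t sin6_flowinfo;
    uint8_t  sin6_addr[16];
    uint32_t sin6_scope_id;
};

#define POISON 0xAA /* stands in for KMSAN's "never written" shadow state */

/* kmalloc() stand-in: memory with unknown previous contents, poisoned the
 * way KMSAN poisons fresh allocations so that unwritten bytes can be spotted. */
static void *model_kmalloc(size_t n) {
    void *p = malloc(n);
    if (p)
        memset(p, POISON, n);
    return p;
}

enum how {
    BUGGY,  /* sctp_inet6addr_event() before the fix: sin6_flowinfo never written */
    FIXED,  /* the fix proposed in the thread: assign the missing member */
    ZEROED  /* the alternative raised in the thread: zeroed allocation (__GFP_ZERO) */
};

/* Build one address entry the way the notifier does, in one of the three
 * variants above (constructed model, not the kernel code). */
static struct model_sockaddr_in6 *make_entry(enum how mode, const uint8_t *addr,
                                             uint32_t ifindex) {
    struct model_sockaddr_in6 *a =
        mode == ZEROED ? calloc(1, sizeof *a) : model_kmalloc(sizeof *a);
    if (!a)
        return NULL;
    a->sin6_family = 10; /* AF_INET6 */
    a->sin6_port = 0;
    if (mode == FIXED)
        a->sin6_flowinfo = 0;
    memcpy(a->sin6_addr, addr, 16);
    a->sin6_scope_id = ifindex;
    return a;
}

/* KMSAN-style check of an object about to be copied to user space: returns
 * how many bytes still carry POISON and stores the first such offset (or -1)
 * in *first.  A genuine value equal to POISON would be a false positive here;
 * KMSAN tracks shadow memory instead and has no such ambiguity. */
static size_t stale_bytes(const void *obj, size_t n, long *first) {
    const uint8_t *b = obj;
    size_t count = 0;
    *first = -1;
    for (size_t i = 0; i < n; i++) {
        if (b[i] == POISON) {
            if (*first < 0)
                *first = (long)i;
            count++;
        }
    }
    return count;
}

/* Build one entry (constructed input: fe80::1 on ifindex 2) and return how
 * many stale bytes a copy of it to user space would leak; the offset of the
 * first stale byte goes to *first when that is not NULL. */
static size_t leak_bytes(enum how mode, long *first) {
    static const uint8_t fe80_1[16] = {0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
    struct model_sockaddr_in6 *a = make_entry(mode, fe80_1, 2);
    long off = -1;
    if (!a)
        return (size_t)-1;
    size_t n = stale_bytes(a, sizeof *a, &off);
    free(a);
    if (first)
        *first = off;
    return n;
}

/* Offset of the first stale byte for a variant, or -1 when there is none. */
static long first_stale(enum how mode) {
    long off = -1;
    leak_bytes(mode, &off);
    return off;
}

int main(void) {
    printf("buggy : %zu stale bytes, first at offset %ld (sin6_flowinfo is at offset %zu)\n",
           leak_bytes(BUGGY, NULL), first_stale(BUGGY),
           offsetof(struct model_sockaddr_in6, sin6_flowinfo));
    printf("fixed : %zu stale bytes\n", leak_bytes(FIXED, NULL));
    printf("zeroed: %zu stale bytes\n", leak_bytes(ZEROED, NULL));
    return 0;
}
```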

* Re: KMSAN: kernel-infoleak in sctp_getsockopt
  2018-12-06 11:06     ` Marcelo Ricardo Leitner
@ 2018-12-10  8:56       ` Xin Long
  -1 siblings, 0 replies; 34+ messages in thread
From: Xin Long @ 2018-12-10  8:56 UTC (permalink / raw)
  To: Marcelo Ricardo Leitner
  Cc: Alexander Potapenko, syzbot+ad5d327e6936a2e284be, davem, LKML,
	linux-sctp, network dev, Neil Horman, syzkaller-bugs,
	Vlad Yasevich

On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
>
> On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > On Wed, Dec 5, 2018 at 8:31 PM syzbot
> > <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> > > git tree:       https://github.com/google/kmsan.git/master
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> > > compiler:       clang version 8.0.0 (trunk 343298)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
> > >
> > > 8021q: adding VLAN 0 to HW filter on device team0
> > > 8021q: adding VLAN 0 to HW filter on device team0
> > > 8021q: adding VLAN 0 to HW filter on device team0
> > > 8021q: adding VLAN 0 to HW filter on device team0
> > > ==================================================================
> > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Call Trace:
> > >   __dump_stack lib/dump_stack.c:77 [inline]
> > >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> > >   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
> > >   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
> > >   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
> > >   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > >   copy_to_user include/linux/uaccess.h:183 [inline]
> > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
> > >   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
> > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > RIP: 0033:0x457569
> > > Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > > ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> > > RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> > > RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> > > R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> > > R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
> > >
> > > Uninit was stored to memory at:
> > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Uninit was stored to memory at:
> > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > >   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
> > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > >   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
> > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Uninit was created at:
> > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > >   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
> > >   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
> > >   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
> > >   kmalloc include/linux/slab.h:551 [inline]
> > >   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
> > >   notifier_call_chain kernel/notifier.c:93 [inline]
> > >   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> > >   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
> > >   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
> > >   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
> > >   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
> > >   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
> > >   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
> > >   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
> > >   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
> > >   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
> > >   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
> > >   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
> > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > >   sock_sendmsg net/socket.c:631 [inline]
> > >   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
> > >   __sys_sendmsg net/socket.c:2154 [inline]
> > >   __do_sys_sendmsg net/socket.c:2163 [inline]
> > >   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
> > >   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
> > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Bytes 32-35 of 2100 are uninitialized
> > > Memory access of size 2100 starts at ffff888185d8b000
> > > Data copied to user address 0000000020001108
> > > ==================================================================
> > When a network device goes up and sctp_inetaddr_event() is called, it
> > allocates a partially initialized struct sctp_sockaddr_entry to hold
> > the newly created address.
> > The attached reproducer can be then used to read up to 8 uninit bytes
> > for each of the local addresses.
> > I guess the devices aren't created so often that this can pose any
> > security risk, but we probably still need to allocate this structure
> > with __GFP_ZERO.
>
> Agree. Thanks Alexander.
> Looks like this is the last/only place left with this issue.
This field is not really used by sctp, I will just set it to 0.

diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index fc6c5e4bffa5..7f0539db5604 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct
notifier_block *this, unsigned long ev,
                if (addr) {
                        addr->a.v6.sin6_family = AF_INET6;
                        addr->a.v6.sin6_port = 0;
+                       addr->a.v6.sin6_flowinfo = 0;
                        addr->a.v6.sin6_addr = ifa->addr;
                        addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
                        addr->valid = 1;
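Review bot: the new `addr->a.v6.sin6_flowinfo = 0;` fills the one member of sockaddr_in6 that the surrounding assignments (sin6_family, sin6_port, sin6_addr, sin6_scope_id) skip, so it does close the leak, but it keeps the entry initialized field by field; allocating it zeroed, as the quoted analysis suggests with __GFP_ZERO, would not depend on every member being enumerated and would also cover the rest of struct sctp_sockaddr_entry. If the explicit assignment is kept, a short comment that the whole sockaddr reaches userspace through SCTP_GET_LOCAL_ADDRS would tell the next reader why a field sctp never uses has to be set.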

>
> > >
> > > ---
> > > This bug is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this bug report. See:
> > > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > > syzbot.
> > > syzbot can test patches for this bug, for details see:
> > > https://goo.gl/tpsmEJ#testing-patches
> > >
> >
> >
> >
> > --
> > Alexander Potapenko
> > Software Engineer
> >
> > Google Germany GmbH
> > Erika-Mann-Straße, 33
> > 80636 München
> >
> > Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> > Registergericht und -nummer: Hamburg, HRB 86891
> > Sitz der Gesellschaft: Hamburg
>
> > #ifndef DUMP_BUF_H
> > #define DUMP_BUF_H
> >
> > /* Headers for fprintf(), strlen() and the optional output mutex. */
> > #include <pthread.h>
> > #include <stdio.h>
> > #include <string.h>
> >
> > #ifndef DUMP_MIN_STRLEN
> > #define DUMP_MIN_STRLEN 1
> > #endif
> >
> > #ifndef DUMP_PARALLEL
> > #define DUMP_PARALLEL 0
> > #endif
> >
> > #ifndef DUMP_PRINT_BUF_ADDR
> > #define DUMP_PRINT_BUF_ADDR 0
> > #endif
> >
> > #ifndef DUMP_PRINT_HEX
> > #define DUMP_PRINT_HEX 0
> > #endif
> >
> > #ifndef DUMP_PRINT_STRING
> > #define DUMP_PRINT_STRING 0
> > #endif
> >
> > #if DUMP_PARALLEL
> > pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> > #endif
> >
> > void dump_buf(unsigned char *buf, int len) {
> >   int i, nz = 0;
> >   for (i = 0; i < len; i++) {
> >     if (buf[i]) {
> >       nz = 1;
> >       break;
> >     }
> >   }
> >   if (!nz) {
> >     // The buffer is empty.
> >     return;
> >   } else {
> > #if DUMP_PARALLEL
> >     pthread_mutex_lock(&out_mutex);
> > #endif
> > #if DUMP_PRINT_BUF_ADDR
> >     fprintf(stderr, "nonempty buffer at %p\n", buf);
> > #endif
> > #if DUMP_PRINT_HEX
> >     for (i=0; i < len; i++) {
> >       if (buf[i]) {
> >         fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], *(void**)&buf[i]);
> >       }
> >     }
> > #endif // DUMP_PRINT_HEX
> > #if DUMP_PARALLEL
> >     pthread_mutex_unlock(&out_mutex);
> > #endif
> >   }
> > #if DUMP_PARALLEL
> >   pthread_mutex_lock(&out_mutex);
> > #endif
> > #if DUMP_PRINT_STRING
> >   for (i = 0; i < len; i++) {
> >     if (buf[i]) {
> >       int str_len = strlen((const char *)&buf[i]);
> >       // Short string pieces are too boring.
> >       if (str_len >= DUMP_MIN_STRLEN) {
> >         unsigned char *c;
> >         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
> >           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13)))  {
> >             *c = ' ';
> >             continue;
> >           }
> >         }
> >         // Dump the buffer.
> >         fprintf(stderr, "%s\n", (const char *)&buf[i]);
> >       }
> >       i += str_len;
> >     }
> >   }
> > #endif // DUMP_PRINT_STRING
> > #if DUMP_PARALLEL
> >   pthread_mutex_unlock(&out_mutex);
> > #endif
> > }
> >
> > #endif
>
> > #include <stdio.h>
> > #include <string.h>
> > #include <pthread.h>
> > #include <sys/types.h>
> > #include <sys/socket.h>
> > #include <unistd.h>
> >
> > #define DUMP_PARALLEL 1
> > #define DUMP_PRINT_BUF_ADDR 1
> > #define DUMP_PRINT_STRING 1
> > #define DUMP_PRINT_HEX 1
> > #include "dump_buf.h"
> >
> > /* setsockopt(IPPROTO_SCTP = 0x84, SCTP_SOCKOPT_CONNECTX = 0x6e) with an
> >  * AF_INET (2) sockaddr for 172.20.20.0, port 0 (sa_data[0..1] = port,
> >  * sa_data[2..5] = address). */
> > void *setsockopt_fn(void *arg) {
> >   int sock = (int)(long)arg;
> >   struct sockaddr addr;
> >   memset(&addr, 0, sizeof(addr));
> >   addr.sa_family = 2;
> >   addr.sa_data[2] = 0xac;
> >   addr.sa_data[3] = 0x14;
> >   addr.sa_data[4] = 0x14;
> >   setsockopt(sock, 0x84, 0x6e, &addr, 0x10);
> >   return NULL;
> > }
> >
> > #define BUFLEN (0x2c2)
> > /* Fetches the local address list into a zeroed buffer and dumps the 32
> >  * bytes that follow the 8-byte struct sctp_getaddrs header. */
> > void *getsockopt_fn(void *arg) {
> >   int sock = (int)(long)arg;
> >   unsigned char buf[BUFLEN];
> >   memset(buf, 0, BUFLEN);
> >   socklen_t socklen = BUFLEN;
> >   getsockopt(sock, 0x84, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
> >   dump_buf(&(buf[8]), 32);
> >   return NULL;
> > }
> >
> > void do_work(int sock) {
> >   pthread_t t1, t2;
> >   for (int i = 0; i < 10; i++) {
> >     pthread_create(&t1, NULL, getsockopt_fn, (void *)(long)sock);
> >     pthread_create(&t2, NULL, setsockopt_fn, (void *)(long)sock);
> >     usleep(100);
> >   }
> > }
> >
> > int main(int argc, char *argv[]) {
> >   int pid = fork();
> >   if (pid == 0) {
> >     /* AF_INET (2), SOCK_STREAM (1), IPPROTO_SCTP (0x84) */
> >     int sock = socket(0x2, 0x1, 0x84);
> >     if (sock < 0) {
> >       perror("socket");
> >       return 1;
> >     }
> >     do_work(sock);
> >   }
> >   /* Parent and child both wait here so the worker threads get to run. */
> >   sleep(10);
> >   return 0;
> > }
>

^ permalink raw reply related	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt
  2018-12-10  8:56       ` Xin Long
@ 2019-01-14  9:34         ` Alexander Potapenko
  -1 siblings, 0 replies; 34+ messages in thread
From: Alexander Potapenko @ 2019-01-14  9:34 UTC (permalink / raw)
  To: Xin Long
  Cc: Marcelo Ricardo Leitner, syzbot+ad5d327e6936a2e284be, davem,
	LKML, linux-sctp, network dev, Neil Horman, syzkaller-bugs,
	Vlad Yasevich

On Mon, Dec 10, 2018 at 9:56 AM Xin Long <lucien.xin@gmail.com> wrote:
>
> On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner
> <marcelo.leitner@gmail.com> wrote:
> >
> > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > On Wed, Dec 5, 2018 at 8:31 PM syzbot
> > > <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> > > >
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> > > > git tree:       https://github.com/google/kmsan.git/master
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> > > > compiler:       clang version 8.0.0 (trunk 343298)
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
> > > >
> > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > ==================================================================
> > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > Google 01/01/2011
> > > > Call Trace:
> > > >   __dump_stack lib/dump_stack.c:77 [inline]
> > > >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> > > >   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
> > > >   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
> > > >   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
> > > >   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > >   copy_to_user include/linux/uaccess.h:183 [inline]
> > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
> > > >   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
> > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > RIP: 0033:0x457569
> > > > Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > > > ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> > > > RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> > > > RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> > > > R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> > > > R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
> > > >
> > > > Uninit was stored to memory at:
> > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > >
> > > > Uninit was stored to memory at:
> > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > >   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
> > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > >   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
> > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > >
> > > > Uninit was created at:
> > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > >   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
> > > >   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
> > > >   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
> > > >   kmalloc include/linux/slab.h:551 [inline]
> > > >   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
> > > >   notifier_call_chain kernel/notifier.c:93 [inline]
> > > >   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> > > >   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
> > > >   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
> > > >   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
> > > >   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
> > > >   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
> > > >   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
> > > >   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
> > > >   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
> > > >   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
> > > >   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
> > > >   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
> > > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > > >   sock_sendmsg net/socket.c:631 [inline]
> > > >   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
> > > >   __sys_sendmsg net/socket.c:2154 [inline]
> > > >   __do_sys_sendmsg net/socket.c:2163 [inline]
> > > >   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
> > > >   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
> > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > >
> > > > Bytes 32-35 of 2100 are uninitialized
> > > > Memory access of size 2100 starts at ffff888185d8b000
> > > > Data copied to user address 0000000020001108
> > > > ==================================================================
> > > When a network device goes up and sctp_inetaddr_event() is called, it
> > > allocates a partially initialized struct sctp_sockaddr_entry to hold
> > > the newly created address.
> > > The attached reproducer can then be used to read up to 8 uninit bytes
> > > for each of the local addresses.
> > > I guess the devices aren't created so often that this can pose any
> > > security risk, but we probably still need to allocate this structure
> > > with __GFP_ZERO.
> >
> > Agree. Thanks Alexander.
> > Looks like this is the last/only place left with this issue.
Actually there's still a similar bug in IPv4. Memsetting addr->a.v4 should help:

diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index d5878ae55840..f1cbfb4d0c39 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -778,6 +778,7 @@ static int sctp_inetaddr_event(struct
notifier_block *this, unsigned long ev,
        case NETDEV_UP:
                addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
                if (addr) {
+                       memset(&addr->a.v4, 0, sizeof(struct sockaddr_in));
                        addr->a.v4.sin_family = AF_INET;
                        addr->a.v4.sin_port = 0;
                        addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
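Review bot: the memset() lands directly under the visible `addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);`, so switching that call to kzalloc() would zero the entry in one step instead of two and would also cover the part of the entry outside the sockaddr_in; as written the memset covers exactly sizeof(struct sockaddr_in), whose 8-byte sin_zero tail is the "up to 8 uninit bytes" the quoted analysis describes, so it is sufficient for this report. Either way, a one-line comment on why the zeroing is needed (the sockaddr is copied to userspace as-is) would keep a later cleanup from dropping a memset that looks redundant next to the assignments below it.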


> This field is not really used by sctp, I will just set it to 0.
>
> diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> index fc6c5e4bffa5..7f0539db5604 100644
> --- a/net/sctp/ipv6.c
> +++ b/net/sctp/ipv6.c
> @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct
> notifier_block *this, unsigned long ev,
>                 if (addr) {
>                         addr->a.v6.sin6_family = AF_INET6;
>                         addr->a.v6.sin6_port = 0;
> +                       addr->a.v6.sin6_flowinfo = 0;
>                         addr->a.v6.sin6_addr = ifa->addr;
>                         addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
>                         addr->valid = 1;
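Review bot: this ipv6.c hunk and the protocol.c hunk above fix the same class of defect at the two address-notifier sites in two different styles, an explicit `sin6_flowinfo = 0;` here and a memset() of the sockaddr there; since the IPv6 entry is also kmalloc()ed (kmalloc at net/sctp/ipv6.c:100 in the quoted "Uninit was created at" trace), one approach for both sites, zeroing at allocation, would make it clear that neither can regress if a member is added later.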
>
> >
> > > >
> > > > ---
> > > > This bug is generated by a bot. It may contain errors.
> > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > >
> > > > syzbot will keep track of this bug report. See:
> > > > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > > > syzbot.
> > > > syzbot can test patches for this bug, for details see:
> > > > https://goo.gl/tpsmEJ#testing-patches
> > > >
> > >
> > >
> > >
> > > --
> > > Alexander Potapenko
> > > Software Engineer
> > >
> > > Google Germany GmbH
> > > Erika-Mann-Straße, 33
> > > 80636 München
> > >
> > > Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> > > Registergericht und -nummer: Hamburg, HRB 86891
> > > Sitz der Gesellschaft: Hamburg
> >
> > > #ifndef DUMP_BUF_H
> > > #define DUMP_BUF_H
> > >
> > > /* Headers for fprintf(), strlen() and the optional output mutex. */
> > > #include <pthread.h>
> > > #include <stdio.h>
> > > #include <string.h>
> > >
> > > #ifndef DUMP_MIN_STRLEN
> > > #define DUMP_MIN_STRLEN 1
> > > #endif
> > >
> > > #ifndef DUMP_PARALLEL
> > > #define DUMP_PARALLEL 0
> > > #endif
> > >
> > > #ifndef DUMP_PRINT_BUF_ADDR
> > > #define DUMP_PRINT_BUF_ADDR 0
> > > #endif
> > >
> > > #ifndef DUMP_PRINT_HEX
> > > #define DUMP_PRINT_HEX 0
> > > #endif
> > >
> > > #ifndef DUMP_PRINT_STRING
> > > #define DUMP_PRINT_STRING 0
> > > #endif
> > >
> > > #if DUMP_PARALLEL
> > > pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> > > #endif
> > >
> > > void dump_buf(unsigned char *buf, int len) {
> > >   int i, nz = 0;
> > >   for (i = 0; i < len; i++) {
> > >     if (buf[i]) {
> > >       nz = 1;
> > >       break;
> > >     }
> > >   }
> > >   if (!nz) {
> > >     // The buffer is empty.
> > >     return;
> > >   } else {
> > > #if DUMP_PARALLEL
> > >     pthread_mutex_lock(&out_mutex);
> > > #endif
> > > #if DUMP_PRINT_BUF_ADDR
> > >     fprintf(stderr, "nonempty buffer at %p\n", buf);
> > > #endif
> > > #if DUMP_PRINT_HEX
> > >     for (i=0; i < len; i++) {
> > >       if (buf[i]) {
> > >         fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], *(void**)&buf[i]);
> > >       }
> > >     }
> > > #endif // DUMP_PRINT_HEX
> > > #if DUMP_PARALLEL
> > >     pthread_mutex_unlock(&out_mutex);
> > > #endif
> > >   }
> > > #if DUMP_PARALLEL
> > >   pthread_mutex_lock(&out_mutex);
> > > #endif
> > > #if DUMP_PRINT_STRING
> > >   for (i = 0; i < len; i++) {
> > >     if (buf[i]) {
> > >       int str_len = strlen((const char *)&buf[i]);
> > >       // Short string pieces are too boring.
> > >       if (str_len >= DUMP_MIN_STRLEN) {
> > >         unsigned char *c;
> > >         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
> > >           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13)))  {
> > >             *c = ' ';
> > >             continue;
> > >           }
> > >         }
> > >         // Dump the buffer.
> > >         fprintf(stderr, "%s\n", (const char *)&buf[i]);
> > >       }
> > >       i += str_len;
> > >     }
> > >   }
> > > #endif // DUMP_PRINT_STRING
> > > #if DUMP_PARALLEL
> > >   pthread_mutex_unlock(&out_mutex);
> > > #endif
> > > }
> > >
> > > #endif
> >
> > > #include <stdio.h>
> > > #include <string.h>
> > > #include <pthread.h>
> > > #include <sys/types.h>
> > > #include <sys/socket.h>
> > > #include <unistd.h>
> > >
> > > #define DUMP_PARALLEL 1
> > > #define DUMP_PRINT_BUF_ADDR 1
> > > #define DUMP_PRINT_STRING 1
> > > #define DUMP_PRINT_HEX 1
> > > #include "dump_buf.h"
> > >
> > > void *setsockopt_fn(void *arg) {
> > >   int sock = (int)(long)arg;      /* fd is passed through the void * thread argument */
> > >   struct sockaddr addr;
> > >   memset(&addr, 0, sizeof(addr));
> > >   addr.sa_family = 2;             /* AF_INET */
> > >   addr.sa_data[2] = 0xac;         /* sa_data[0..1] = port 0, sa_data[2..5] = 172.20.20.0 */
> > >   addr.sa_data[3] = 0x14;
> > >   addr.sa_data[4] = 0x14;
> > >   setsockopt(sock, 0x84 /*IPPROTO_SCTP*/, 0x6e, &addr, 0x10);
> > >   return NULL;
> > > }
> > >
> > > #define BUFLEN (0x2c2)
> > > void *getsockopt_fn(void *arg) {
> > >   int sock = (int)(long)arg;
> > >   unsigned char buf[BUFLEN];      /* same type as dump_buf()'s parameter */
> > >   memset(buf, 0, BUFLEN);
> > >   socklen_t socklen = BUFLEN;
> > >   getsockopt(sock, 0x84 /*IPPROTO_SCTP*/, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
> > >   dump_buf(&(buf[8]), 32);
> > >   return NULL;
> > > }
> > >
> > > void do_work(int sock) {
> > >   pthread_t t1, t2;
> > >   for (int i = 0; i < 10; i++) {
> > >     pthread_create(&t1, NULL, getsockopt_fn, (void*)(long)sock);
> > >     pthread_create(&t2, NULL, setsockopt_fn, (void*)(long)sock);
> > >     usleep(100);
> > >   }
> > > }
> > >
> > > int main(int argc, char *argv[]) {
> > >   int res;
> > >   int pid = fork();
> > >   if (pid == 0) {
> > >     int sock = socket(0x2, 0x1, 0x84);
> > >     do_work(sock);
> > >   }
> > >   sleep(10);
> > >   return 0;
> > > }
> >



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Halimah DeLaine Prado
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg


* Re: KMSAN: kernel-infoleak in sctp_getsockopt
@ 2019-01-14  9:34         ` Alexander Potapenko
  0 siblings, 0 replies; 34+ messages in thread
From: Alexander Potapenko @ 2019-01-14  9:34 UTC (permalink / raw)
  To: Xin Long
  Cc: Marcelo Ricardo Leitner, syzbot+ad5d327e6936a2e284be, davem,
	LKML, linux-sctp, network dev, Neil Horman, syzkaller-bugs,
	Vlad Yasevich

On Mon, Dec 10, 2018 at 9:56 AM Xin Long <lucien.xin@gmail.com> wrote:
>
> On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner
> <marcelo.leitner@gmail.com> wrote:
> >
> > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > On Wed, Dec 5, 2018 at 8:31 PM syzbot
> > > <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> > > >
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> > > > git tree:       https://github.com/google/kmsan.git/master
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> > > > compiler:       clang version 8.0.0 (trunk 343298)
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
> > > >
> > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > ==================================================================
> > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > Google 01/01/2011
> > > > Call Trace:
> > > >   __dump_stack lib/dump_stack.c:77 [inline]
> > > >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> > > >   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
> > > >   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
> > > >   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
> > > >   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > >   copy_to_user include/linux/uaccess.h:183 [inline]
> > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
> > > >   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
> > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > RIP: 0033:0x457569
> > > > Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > > > ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> > > > RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> > > > RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> > > > R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> > > > R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
> > > >
> > > > Uninit was stored to memory at:
> > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > >
> > > > Uninit was stored to memory at:
> > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > >   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
> > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > >   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
> > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > >
> > > > Uninit was created at:
> > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > >   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
> > > >   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
> > > >   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
> > > >   kmalloc include/linux/slab.h:551 [inline]
> > > >   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
> > > >   notifier_call_chain kernel/notifier.c:93 [inline]
> > > >   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> > > >   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
> > > >   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
> > > >   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
> > > >   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
> > > >   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
> > > >   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
> > > >   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
> > > >   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
> > > >   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
> > > >   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
> > > >   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
> > > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > > >   sock_sendmsg net/socket.c:631 [inline]
> > > >   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
> > > >   __sys_sendmsg net/socket.c:2154 [inline]
> > > >   __do_sys_sendmsg net/socket.c:2163 [inline]
> > > >   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
> > > >   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
> > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > >
> > > > Bytes 32-35 of 2100 are uninitialized
> > > > Memory access of size 2100 starts at ffff888185d8b000
> > > > Data copied to user address 0000000020001108
> > > > ==================================================================
> > > When a network device goes up and sctp_inetaddr_event() is called, it
> > > allocates a partially initialized struct sctp_sockaddr_entry to hold
> > > the newly created address.
> > > The attached reproducer can be then used to read up to 8 uninit bytes
> > > for each of the local addresses.
> > > I guess the devices aren't created so often that this can pose any
> > > security risk, but we probably still need to allocate this structure
> > > with __GFP_ZERO.
> >
> > Agree. Thanks Alexander.
> > Looks like this is the last/only place left with this issue.
Actually there's still a similar bug in IPv4. Memsetting addr->av4 should help:

diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index d5878ae55840..f1cbfb4d0c39 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -778,6 +778,7 @@ static int sctp_inetaddr_event(struct
notifier_block *this, unsigned long ev,
        case NETDEV_UP:
                addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
                if (addr) {
+                       memset(&addr->a.v4, 0, sizeof(struct sockaddr_in));
                        addr->a.v4.sin_family = AF_INET;
                        addr->a.v4.sin_port = 0;
                        addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
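Review bot: `memset(&addr->a.v4, 0, sizeof(struct sockaddr_in));` zeroes only the sockaddr_in view of `addr->a`, so the bytes of the entry beyond that (the v6 view of `a` and anything after it) still come back uninitialised from the `kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);` two lines above. Allocating with `kzalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC)` and dropping the memset closes the padding leak for the whole entry in one place and stays correct when further fields are written later.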


> This field is not really used by sctp, I will just set it to 0.
>
> diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> index fc6c5e4bffa5..7f0539db5604 100644
> --- a/net/sctp/ipv6.c
> +++ b/net/sctp/ipv6.c
> @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct
> notifier_block *this, unsigned long ev,
>                 if (addr) {
>                         addr->a.v6.sin6_family = AF_INET6;
>                         addr->a.v6.sin6_port = 0;
> +                       addr->a.v6.sin6_flowinfo = 0;
>                         addr->a.v6.sin6_addr = ifa->addr;
>                         addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
>                         addr->valid = 1;
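Review bot: `addr->a.v6.sin6_flowinfo = 0;` initialises the one field the field-by-field assignments skipped, which matches the KMSAN origin in sctp_inet6addr_event, but it keeps the entry on a plain kmalloc, so every future member of the v6 view or of the entry has to be remembered here by hand. A kzalloc at the allocation site would cover sin6_flowinfo and any later additions at once; if the per-field approach stays, a short comment that flowinfo is zeroed because SCTP never uses it (as stated above) would help the next reader.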
>
> >
> > > >
> > > > ---
> > > > This bug is generated by a bot. It may contain errors.
> > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > >
> > > > syzbot will keep track of this bug report. See:
> > > > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > > > syzbot.
> > > > syzbot can test patches for this bug, for details see:
> > > > https://goo.gl/tpsmEJ#testing-patches
> > > >
> > > > --
> > > > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > > > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000311344057c4b6cc3%40google.com.
> > > > For more options, visit https://groups.google.com/d/optout.
> > >
> > >
> > >
> > > --
> > > Alexander Potapenko
> > > Software Engineer
> > >
> > > Google Germany GmbH
> > > Erika-Mann-Straße, 33
> > > 80636 München
> > >
> > > Managing Directors: Paul Manicle, Halimah DeLaine Prado
> > > Register court and number: Hamburg, HRB 86891
> > > Registered office: Hamburg
> >
> > > #ifndef DUMP_BUF_H
> > > #define DUMP_BUF_H
> > >
> > > #ifndef DUMP_MIN_STRLEN
> > > #define DUMP_MIN_STRLEN 1
> > > #endif
> > >
> > > #ifndef DUMP_PARALLEL
> > > #define DUMP_PARALLEL 0
> > > #endif
> > >
> > > #ifndef DUMP_PRINT_BUF_ADDR
> > > #define DUMP_PRINT_BUF_ADDR 0
> > > #endif
> > >
> > > #ifndef DUMP_PRINT_HEX
> > > #define DUMP_PRINT_HEX 0
> > > #endif
> > >
> > > #ifndef DUMP_PRINT_STRING
> > > #define DUMP_PRINT_STRING 0
> > > #endif
> > >
> > > #if DUMP_PARALLEL
> > > pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> > > #endif
> > >
> > > void dump_buf(unsigned char *buf, int len) {
> > >   int i, nz = 0;
> > >   for (i = 0; i < len; i++) {
> > >     if (buf[i]) {
> > >       nz = 1;
> > >       break;
> > >     }
> > >   }
> > >   if (!nz) {
> > >     // The buffer is empty.
> > >     return;
> > >   } else {
> > > #if DUMP_PARALLEL
> > >     pthread_mutex_lock(&out_mutex);
> > > #endif
> > > #if DUMP_PRINT_BUF_ADDR
> > >     fprintf(stderr, "nonempty buffer at %p\n", buf);
> > > #endif
> > > #if DUMP_PRINT_HEX
> > >     for (i=0; i < len; i++) {
> > >       if (buf[i]) {
> > >         fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], *(void**)&buf[i]);
> > >       }
> > >     }
> > > #endif // DUMP_PRINT_HEX
> > > #if DUMP_PARALLEL
> > >     pthread_mutex_unlock(&out_mutex);
> > > #endif
> > >   }
> > > #if DUMP_PARALLEL
> > >   pthread_mutex_lock(&out_mutex);
> > > #endif
> > > #if DUMP_PRINT_STRING
> > >   for (i = 0; i < len; i++) {
> > >     if (buf[i]) {
> > >       int str_len = strlen(&buf[i]);
> > >       // Short string pieces are too boring.
> > >       if (str_len >= DUMP_MIN_STRLEN) {
> > >         unsigned char *c;
> > >         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
> > >           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13)))  {
> > >             *c = ' ';
> > >             continue;
> > >           }
> > >         }
> > >         // Dump the buffer.
> > >         fprintf(stderr, "%s\n", &buf[i]);
> > >       }
> > >       i += str_len;
> > >     }
> > >   }
> > > #endif // DUMP_PRINT_STRING
> > > #if DUMP_PARALLEL
> > >   pthread_mutex_unlock(&out_mutex);
> > > #endif
> > > }
> > >
> > > #endif
> >
> > > #include <stdio.h>
> > > #include <string.h>             /* memset(), strlen(): also needed by dump_buf.h */
> > > #include <pthread.h>
> > > #include <sys/types.h>          /* See NOTES */
> > > #include <sys/socket.h>
> > > #include <unistd.h>
> > >
> > > #define DUMP_PARALLEL 1
> > > #define DUMP_PRINT_BUF_ADDR 1
> > > #define DUMP_PRINT_STRING 1
> > > #define DUMP_PRINT_HEX 1
> > > #include "dump_buf.h"
> > >
> > > void *setsockopt_fn(void *arg) {
> > >   int sock = (int)(long)arg;      /* fd is passed through the void * thread argument */
> > >   struct sockaddr addr;
> > >   memset(&addr, 0, sizeof(addr));
> > >   addr.sa_family = 2;             /* AF_INET */
> > >   addr.sa_data[2] = 0xac;         /* sa_data[0..1] = port 0, sa_data[2..5] = 172.20.20.0 */
> > >   addr.sa_data[3] = 0x14;
> > >   addr.sa_data[4] = 0x14;
> > >   setsockopt(sock, 0x84 /*IPPROTO_SCTP*/, 0x6e, &addr, 0x10);
> > >   return NULL;
> > > }
> > >
> > > #define BUFLEN (0x2c2)
> > > void *getsockopt_fn(void *arg) {
> > >   int sock = (int)(long)arg;
> > >   unsigned char buf[BUFLEN];      /* same type as dump_buf()'s parameter */
> > >   memset(buf, 0, BUFLEN);
> > >   socklen_t socklen = BUFLEN;
> > >   getsockopt(sock, 0x84 /*IPPROTO_SCTP*/, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
> > >   dump_buf(&(buf[8]), 32);
> > >   return NULL;
> > > }
> > >
> > > void do_work(int sock) {
> > >   pthread_t t1, t2;
> > >   for (int i = 0; i < 10; i++) {
> > >     pthread_create(&t1, NULL, getsockopt_fn, (void*)(long)sock);
> > >     pthread_create(&t2, NULL, setsockopt_fn, (void*)(long)sock);
> > >     usleep(100);
> > >   }
> > > }
> > >
> > > int main(int argc, char *argv[]) {
> > >   int res;
> > >   int pid = fork();
> > >   if (pid == 0) {
> > >     int sock = socket(0x2, 0x1, 0x84);
> > >     do_work(sock);
> > >   }
> > >   sleep(10);
> > >   return 0;
> > > }
> >



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Halimah DeLaine Prado
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg


* Re: KMSAN: kernel-infoleak in sctp_getsockopt
  2019-01-14  9:34         ` Alexander Potapenko
@ 2019-01-14  9:55           ` Xin Long
  -1 siblings, 0 replies; 34+ messages in thread
From: Xin Long @ 2019-01-14  9:55 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: Marcelo Ricardo Leitner, syzbot+ad5d327e6936a2e284be, davem,
	LKML, linux-sctp, network dev, Neil Horman, syzkaller-bugs,
	Vlad Yasevich

On Mon, Jan 14, 2019 at 5:34 PM Alexander Potapenko <glider@google.com> wrote:
>
> On Mon, Dec 10, 2018 at 9:56 AM Xin Long <lucien.xin@gmail.com> wrote:
> >
> > On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner
> > <marcelo.leitner@gmail.com> wrote:
> > >
> > > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > > On Wed, Dec 5, 2018 at 8:31 PM syzbot
> > > > <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> > > > >
> > > > > Hello,
> > > > >
> > > > > syzbot found the following crash on:
> > > > >
> > > > > HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> > > > > git tree:       https://github.com/google/kmsan.git/master
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> > > > > compiler:       clang version 8.0.0 (trunk 343298)
> > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
> > > > >
> > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
> > > > >
> > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > ==================================================================
> > > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > > CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > > Google 01/01/2011
> > > > > Call Trace:
> > > > >   __dump_stack lib/dump_stack.c:77 [inline]
> > > > >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> > > > >   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
> > > > >   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
> > > > >   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
> > > > >   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > >   copy_to_user include/linux/uaccess.h:183 [inline]
> > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
> > > > >   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
> > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > RIP: 0033:0x457569
> > > > > Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > > > > ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > > RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> > > > > RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> > > > > RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> > > > > R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> > > > > R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
> > > > >
> > > > > Uninit was stored to memory at:
> > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > >
> > > > > Uninit was stored to memory at:
> > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > >   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
> > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > >   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
> > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > >
> > > > > Uninit was created at:
> > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > >   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
> > > > >   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
> > > > >   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
> > > > >   kmalloc include/linux/slab.h:551 [inline]
> > > > >   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
> > > > >   notifier_call_chain kernel/notifier.c:93 [inline]
> > > > >   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> > > > >   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
> > > > >   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
> > > > >   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
> > > > >   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
> > > > >   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
> > > > >   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
> > > > >   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
> > > > >   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
> > > > >   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
> > > > >   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
> > > > >   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
> > > > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > > > >   sock_sendmsg net/socket.c:631 [inline]
> > > > >   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
> > > > >   __sys_sendmsg net/socket.c:2154 [inline]
> > > > >   __do_sys_sendmsg net/socket.c:2163 [inline]
> > > > >   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
> > > > >   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
> > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > >
> > > > > Bytes 32-35 of 2100 are uninitialized
> > > > > Memory access of size 2100 starts at ffff888185d8b000
> > > > > Data copied to user address 0000000020001108
> > > > > ==================================================================
> > > > When a network device goes up and sctp_inetaddr_event() is called, it
> > > > allocates a partially initialized struct sctp_sockaddr_entry to hold
> > > > the newly created address.
> > > > The attached reproducer can be then used to read up to 8 uninit bytes
> > > > for each of the local addresses.
> > > > I guess the devices aren't created so often that this can pose any
> > > > security risk, but we probably still need to allocate this structure
> > > > with __GFP_ZERO.
> > >
> > > Agree. Thanks Alexander.
> > > Looks like this is the last/only place left with this issue.
> Actually there's still a similar bug in IPv4. Memsetting addr->av4 should help:
seems right, because of __pad of struct sockaddr_in.
Do you have any reproducer for this?

We should use kzalloc for all sctp_sockaddr_entry allocations.

Thanks.

>
> diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
> index d5878ae55840..f1cbfb4d0c39 100644
> --- a/net/sctp/protocol.c
> +++ b/net/sctp/protocol.c
> @@ -778,6 +778,7 @@ static int sctp_inetaddr_event(struct
> notifier_block *this, unsigned long ev,
>         case NETDEV_UP:
>                 addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
>                 if (addr) {
> +                       memset(&addr->a.v4, 0, sizeof(struct sockaddr_in));
>                         addr->a.v4.sin_family = AF_INET;
>                         addr->a.v4.sin_port = 0;
>                         addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
>
>
> > This field is not really used by sctp, I will just set it to 0.
> >
> > diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> > index fc6c5e4bffa5..7f0539db5604 100644
> > --- a/net/sctp/ipv6.c
> > +++ b/net/sctp/ipv6.c
> > @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct
> > notifier_block *this, unsigned long ev,
> >                 if (addr) {
> >                         addr->a.v6.sin6_family = AF_INET6;
> >                         addr->a.v6.sin6_port = 0;
> > +                       addr->a.v6.sin6_flowinfo = 0;
> >                         addr->a.v6.sin6_addr = ifa->addr;
> >                         addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
> >                         addr->valid = 1;
> >
> > >
> > > > >
> > > > > ---
> > > > > This bug is generated by a bot. It may contain errors.
> > > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > > >
> > > > > syzbot will keep track of this bug report. See:
> > > > > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > > > > syzbot.
> > > > > syzbot can test patches for this bug, for details see:
> > > > > https://goo.gl/tpsmEJ#testing-patches
> > > > >
> > > > > --
> > > > > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > > > > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > > > > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000311344057c4b6cc3%40google.com.
> > > > > For more options, visit https://groups.google.com/d/optout.
> > > >
> > > >
> > > >
> > > > --
> > > > Alexander Potapenko
> > > > Software Engineer
> > > >
> > > > Google Germany GmbH
> > > > Erika-Mann-Straße, 33
> > > > 80636 München
> > > >
> > > > Managing Directors: Paul Manicle, Halimah DeLaine Prado
> > > > Register court and number: Hamburg, HRB 86891
> > > > Registered office: Hamburg
> > >
> > > > #ifndef DUMP_BUF_H
> > > > #define DUMP_BUF_H
> > > >
> > > > #ifndef DUMP_MIN_STRLEN
> > > > #define DUMP_MIN_STRLEN 1
> > > > #endif
> > > >
> > > > #ifndef DUMP_PARALLEL
> > > > #define DUMP_PARALLEL 0
> > > > #endif
> > > >
> > > > #ifndef DUMP_PRINT_BUF_ADDR
> > > > #define DUMP_PRINT_BUF_ADDR 0
> > > > #endif
> > > >
> > > > #ifndef DUMP_PRINT_HEX
> > > > #define DUMP_PRINT_HEX 0
> > > > #endif
> > > >
> > > > #ifndef DUMP_PRINT_STRING
> > > > #define DUMP_PRINT_STRING 0
> > > > #endif
> > > >
> > > > #if DUMP_PARALLEL
> > > > pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> > > > #endif
> > > >
> > > > void dump_buf(unsigned char *buf, int len) {
> > > >   int i, nz = 0;
> > > >   for (i = 0; i < len; i++) {
> > > >     if (buf[i]) {
> > > >       nz = 1;
> > > >       break;
> > > >     }
> > > >   }
> > > >   if (!nz) {
> > > >     // The buffer is empty.
> > > >     return;
> > > >   } else {
> > > > #if DUMP_PARALLEL
> > > >     pthread_mutex_lock(&out_mutex);
> > > > #endif
> > > > #if DUMP_PRINT_BUF_ADDR
> > > >     fprintf(stderr, "nonempty buffer at %p\n", buf);
> > > > #endif
> > > > #if DUMP_PRINT_HEX
> > > >     for (i=0; i < len; i++) {
> > > >       if (buf[i]) {
> > > >         fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], *(void**)&buf[i]);
> > > >       }
> > > >     }
> > > > #endif // DUMP_PRINT_HEX
> > > > #if DUMP_PARALLEL
> > > >     pthread_mutex_unlock(&out_mutex);
> > > > #endif
> > > >   }
> > > > #if DUMP_PARALLEL
> > > >   pthread_mutex_lock(&out_mutex);
> > > > #endif
> > > > #if DUMP_PRINT_STRING
> > > >   for (i = 0; i < len; i++) {
> > > >     if (buf[i]) {
> > > >       int str_len = strlen(&buf[i]);
> > > >       // Short string pieces are too boring.
> > > >       if (str_len >= DUMP_MIN_STRLEN) {
> > > >         unsigned char *c;
> > > >         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
> > > >           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13)))  {
> > > >             *c = ' ';
> > > >             continue;
> > > >           }
> > > >         }
> > > >         // Dump the buffer.
> > > >         fprintf(stderr, "%s\n", &buf[i]);
> > > >       }
> > > >       i += str_len;
> > > >     }
> > > >   }
> > > > #endif // DUMP_PRINT_STRING
> > > > #if DUMP_PARALLEL
> > > >   pthread_mutex_unlock(&out_mutex);
> > > > #endif
> > > > }
> > > >
> > > > #endif
> > >
> > > > #include <stdio.h>
> > > > #include <string.h>             /* memset(), strlen(): also needed by dump_buf.h */
> > > > #include <pthread.h>
> > > > #include <sys/types.h>          /* See NOTES */
> > > > #include <sys/socket.h>
> > > > #include <unistd.h>
> > > >
> > > > #define DUMP_PARALLEL 1
> > > > #define DUMP_PRINT_BUF_ADDR 1
> > > > #define DUMP_PRINT_STRING 1
> > > > #define DUMP_PRINT_HEX 1
> > > > #include "dump_buf.h"
> > > >
> > > > void *setsockopt_fn(void *arg) {
> > > >   int sock = (int)(long)arg;      /* fd is passed through the void * thread argument */
> > > >   struct sockaddr addr;
> > > >   memset(&addr, 0, sizeof(addr));
> > > >   addr.sa_family = 2;             /* AF_INET */
> > > >   addr.sa_data[2] = 0xac;         /* sa_data[0..1] = port 0, sa_data[2..5] = 172.20.20.0 */
> > > >   addr.sa_data[3] = 0x14;
> > > >   addr.sa_data[4] = 0x14;
> > > >   setsockopt(sock, 0x84 /*IPPROTO_SCTP*/, 0x6e, &addr, 0x10);
> > > >   return NULL;
> > > > }
> > > >
> > > > #define BUFLEN (0x2c2)
> > > > void *getsockopt_fn(void *arg) {
> > > >   int sock = (int)(long)arg;
> > > >   unsigned char buf[BUFLEN];      /* same type as dump_buf()'s parameter */
> > > >   memset(buf, 0, BUFLEN);
> > > >   socklen_t socklen = BUFLEN;
> > > >   getsockopt(sock, 0x84 /*IPPROTO_SCTP*/, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
> > > >   dump_buf(&(buf[8]), 32);
> > > >   return NULL;
> > > > }
> > > >
> > > > void do_work(int sock) {
> > > >   pthread_t t1, t2;
> > > >   for (int i = 0; i < 10; i++) {
> > > >     pthread_create(&t1, NULL, getsockopt_fn, (void*)(long)sock);
> > > >     pthread_create(&t2, NULL, setsockopt_fn, (void*)(long)sock);
> > > >     usleep(100);
> > > >   }
> > > > }
> > > >
> > > > int main(int argc, char *argv[]) {
> > > >   int res;
> > > >   int pid = fork();
> > > >   if (pid == 0) {
> > > >     int sock = socket(0x2, 0x1, 0x84);
> > > >     do_work(sock);
> > > >   }
> > > >   sleep(10);
> > > >   return 0;
> > > > }
> > >
>
>
>
> --
> Alexander Potapenko
> Software Engineer
>
> Google Germany GmbH
> Erika-Mann-Straße, 33
> 80636 München
>
> Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt
@ 2019-01-14  9:55           ` Xin Long
  0 siblings, 0 replies; 34+ messages in thread
From: Xin Long @ 2019-01-14  9:55 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: Marcelo Ricardo Leitner, syzbot+ad5d327e6936a2e284be, davem,
	LKML, linux-sctp, network dev, Neil Horman, syzkaller-bugs,
	Vlad Yasevich

On Mon, Jan 14, 2019 at 5:34 PM Alexander Potapenko <glider@google.com> wrote:
>
> On Mon, Dec 10, 2018 at 9:56 AM Xin Long <lucien.xin@gmail.com> wrote:
> >
> > On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner
> > <marcelo.leitner@gmail.com> wrote:
> > >
> > > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > > On Wed, Dec 5, 2018 at 8:31 PM syzbot
> > > > <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> > > > >
> > > > When a network device goes up and sctp_inetaddr_event() is called, it
> > > > allocates a partially initialized struct sctp_sockaddr_entry to hold
> > > > the newly created address.
> > > > The attached reproducer can then be used to read up to 8 uninit bytes
> > > > for each of the local addresses.
> > > > I guess the devices aren't created so often that this can pose any
> > > > security risk, but we probably still need to allocate this structure
> > > > with __GFP_ZERO.
> > >
> > > Agree. Thanks Alexander.
> > > Looks like this is the last/only place left with this issue.
> Actually there's still a similar bug in IPv4. Memsetting addr->a.v4 should help:
seems right, because of __pad of struct sockaddr_in.
Do you have any reproducer for this?

We should use kzalloc for all sctp_sockaddr_entry allocations.

Thanks.

>
> diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
> index d5878ae55840..f1cbfb4d0c39 100644
> --- a/net/sctp/protocol.c
> +++ b/net/sctp/protocol.c
> @@ -778,6 +778,7 @@ static int sctp_inetaddr_event(struct
> notifier_block *this, unsigned long ev,
>         case NETDEV_UP:
>                 addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
>                 if (addr) {
> +                       memset(&addr->a.v4, 0, sizeof(struct sockaddr_in));
>                         addr->a.v4.sin_family = AF_INET;
>                         addr->a.v4.sin_port = 0;
>                         addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
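Review bot: the added memset() covers only sizeof(struct sockaddr_in), i.e. the first 16 bytes of the union inside the entry, so every other byte of the kmalloc()'ed struct sctp_sockaddr_entry still holds whatever the allocator returned; replacing `addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);` with `addr = kzalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);` zeroes the whole entry in one step (which is also what the reply above proposes), after which the memset and the explicit `addr->a.v4.sin_port = 0;` become redundant.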
>
>
> > This field is not really used by sctp, I will just set it to 0.
> >
> > diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> > index fc6c5e4bffa5..7f0539db5604 100644
> > --- a/net/sctp/ipv6.c
> > +++ b/net/sctp/ipv6.c
> > @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct
> > notifier_block *this, unsigned long ev,
> >                 if (addr) {
> >                         addr->a.v6.sin6_family = AF_INET6;
> >                         addr->a.v6.sin6_port = 0;
> > +                       addr->a.v6.sin6_flowinfo = 0;
> >                         addr->a.v6.sin6_addr = ifa->addr;
> >                         addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
> >                         addr->valid = 1;
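Review bot: `addr->a.v6.sin6_flowinfo = 0;` fills the one 4-byte gap this block left in struct sockaddr_in6 (sin6_family, sin6_port, sin6_flowinfo, sin6_addr and sin6_scope_id together cover all 28 bytes), which is the size of the "Bytes 32-35" range the report flags, but the fix relies on every field of the copied-out struct being listed by hand; zero-allocating the entry instead (kzalloc at the kmalloc() that the report's "Uninit was created at" trace places at net/sctp/ipv6.c:100, directly above this hunk) would not depend on that enumeration and would also cover any field added later.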
> >
> > > > #ifndef DUMP_BUF_H
> > > > #define DUMP_BUF_H
> > > >
> > > > #include <stdio.h>
> > > > #include <string.h>
> > > >
> > > > #ifndef DUMP_MIN_STRLEN
> > > > #define DUMP_MIN_STRLEN 1
> > > > #endif
> > > >
> > > > #ifndef DUMP_PARALLEL
> > > > #define DUMP_PARALLEL 0
> > > > #endif
> > > >
> > > > #ifndef DUMP_PRINT_BUF_ADDR
> > > > #define DUMP_PRINT_BUF_ADDR 0
> > > > #endif
> > > >
> > > > #ifndef DUMP_PRINT_HEX
> > > > #define DUMP_PRINT_HEX 0
> > > > #endif
> > > >
> > > > #ifndef DUMP_PRINT_STRING
> > > > #define DUMP_PRINT_STRING 0
> > > > #endif
> > > >
> > > > #if DUMP_PARALLEL
> > > > #include <pthread.h>
> > > > // Serializes output when several threads dump at once.
> > > > pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> > > > #endif
> > > >
> > > > // Print every non-zero byte of buf[0..len) as hex and/or as strings.
> > > > // An all-zero buffer is skipped, so only buffers that received
> > > > // something from the kernel are shown.
> > > > void dump_buf(unsigned char *buf, int len) {
> > > >   int i, nz = 0;
> > > >   for (i = 0; i < len; i++) {
> > > >     if (buf[i]) {
> > > >       nz = 1;
> > > >       break;
> > > >     }
> > > >   }
> > > >   if (!nz) {
> > > >     // The buffer is empty.
> > > >     return;
> > > >   } else {
> > > > #if DUMP_PARALLEL
> > > >     pthread_mutex_lock(&out_mutex);
> > > > #endif
> > > > #if DUMP_PRINT_BUF_ADDR
> > > >     fprintf(stderr, "nonempty buffer at %p\n", (void *)buf);
> > > > #endif
> > > > #if DUMP_PRINT_HEX
> > > >     for (i = 0; i < len; i++) {
> > > >       if (buf[i]) {
> > > >         // Also show the pointer-sized word starting at this byte; note
> > > >         // that it may read up to sizeof(void *) - 1 bytes past len.
> > > >         void *word;
> > > >         memcpy(&word, &buf[i], sizeof(word));
> > > >         fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], word);
> > > >       }
> > > >     }
> > > > #endif // DUMP_PRINT_HEX
> > > > #if DUMP_PARALLEL
> > > >     pthread_mutex_unlock(&out_mutex);
> > > > #endif
> > > >   }
> > > > #if DUMP_PARALLEL
> > > >   pthread_mutex_lock(&out_mutex);
> > > > #endif
> > > > #if DUMP_PRINT_STRING
> > > >   for (i = 0; i < len; i++) {
> > > >     if (buf[i]) {
> > > >       int str_len = strlen((char *)&buf[i]);
> > > >       // Short string pieces are too boring.
> > > >       if (str_len >= DUMP_MIN_STRLEN) {
> > > >         unsigned char *c;
> > > >         // Replace non-printable bytes (keep LF and CR) before printing.
> > > >         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
> > > >           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13))) {
> > > >             *c = ' ';
> > > >           }
> > > >         }
> > > >         // Dump the buffer.
> > > >         fprintf(stderr, "%s\n", (char *)&buf[i]);
> > > >       }
> > > >       i += str_len;
> > > >     }
> > > >   }
> > > > #endif // DUMP_PRINT_STRING
> > > > #if DUMP_PARALLEL
> > > >   pthread_mutex_unlock(&out_mutex);
> > > > #endif
> > > > }
> > > >
> > > > #endif
> > >
> > > > #include <stdint.h>
> > > > #include <stdio.h>
> > > > #include <string.h>
> > > > #include <pthread.h>
> > > > #include <sys/types.h>          /* See NOTES */
> > > > #include <sys/socket.h>
> > > > #include <unistd.h>
> > > >
> > > > #define DUMP_PARALLEL 1
> > > > #define DUMP_PRINT_BUF_ADDR 1
> > > > #define DUMP_PRINT_STRING 1
> > > > #define DUMP_PRINT_HEX 1
> > > > #include "dump_buf.h"
> > > >
> > > > // Thread body: SCTP_SOCKOPT_CONNECTX (0x6e) towards 172.20.20.0 on the
> > > > // SCTP socket (level 0x84 = IPPROTO_SCTP), racing against getsockopt_fn().
> > > > void *setsockopt_fn(void *arg) {
> > > >   int sock = (int)(intptr_t)arg;
> > > >   struct sockaddr addr;
> > > >   memset(&addr, 0, sizeof(addr));
> > > >   addr.sa_family = 2;       // AF_INET
> > > >   addr.sa_data[2] = 0xac;   // sin_addr starts at sa_data[2]: 172.20.20.0
> > > >   addr.sa_data[3] = 0x14;
> > > >   addr.sa_data[4] = 0x14;
> > > >   setsockopt(sock, 0x84, 0x6e, &addr, 0x10);
> > > >   return NULL;
> > > > }
> > > >
> > > > #define BUFLEN (0x2c2)
> > > > // Thread body: fetch the local address list and dump the first address
> > > > // (the 8-byte struct sctp_getaddrs header is skipped).
> > > > void *getsockopt_fn(void *arg) {
> > > >   int sock = (int)(intptr_t)arg;
> > > >   unsigned char buf[BUFLEN];
> > > >   memset(buf, 0, BUFLEN);
> > > >   socklen_t socklen = BUFLEN;
> > > >   getsockopt(sock, 0x84, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
> > > >   dump_buf(&(buf[8]), 32);
> > > >   return NULL;
> > > > }
> > > >
> > > > void do_work(int sock) {
> > > >   pthread_t t1, t2;
> > > >   for (int i = 0; i < 10; i++) {
> > > >     pthread_create(&t1, NULL, getsockopt_fn, (void *)(intptr_t)sock);
> > > >     pthread_create(&t2, NULL, setsockopt_fn, (void *)(intptr_t)sock);
> > > >     usleep(100);
> > > >   }
> > > > }
> > > >
> > > > int main(int argc, char *argv[]) {
> > > >   (void)argc;
> > > >   (void)argv;
> > > >   int pid = fork();
> > > >   if (pid == 0) {
> > > >     int sock = socket(0x2, 0x1, 0x84);  // AF_INET, SOCK_STREAM, IPPROTO_SCTP
> > > >     do_work(sock);
> > > >   }
> > > >   // Parent and child both sleep so the worker threads get time to run.
> > > >   sleep(10);
> > > >   return 0;
> > > > }
> > >
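An added user-space model of the leak discussed in this thread (not code from the thread or from the kernel): it simulates kmalloc() returning stale slab bytes, fills a sockaddr_in / sockaddr_in6 field by field the way the two event handlers did, copies the whole address out as sctp_copy_laddrs() does, and counts how many stale bytes reach the caller, then repeats with zeroed allocation and with the sin6_flowinfo fix. fake_kmalloc, fake_kzalloc, entry_model and the 0xA5 marker are constructed stand-ins; struct layouts are glibc's.

```c
/* Added example, not code from the thread or the kernel: a user-space model of
 * the leak. Kernel allocators are simulated; struct layouts are glibc's. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xA5  /* constructed marker standing in for old slab contents */

/* Simulated slab object: kmalloc() hands back memory still holding old data. */
static unsigned char slab[64];

static void *fake_kmalloc(size_t n) {
    if (n > sizeof slab) return NULL;
    memset(slab, STALE, sizeof slab);      /* leftovers of a previous owner */
    return slab;
}

static void *fake_kzalloc(size_t n) {      /* kmalloc + __GFP_ZERO */
    void *p = fake_kmalloc(n);
    if (p) memset(p, 0, n);
    return p;
}

/* Shape of the address part of struct sctp_sockaddr_entry: a union of
 * sockaddr_in (16 bytes, 8 of them sin_zero) and sockaddr_in6 (28 bytes). */
union addr_model { struct sockaddr_in v4; struct sockaddr_in6 v6; };
struct entry_model { union addr_model a; int valid; };

/* Field-by-field init as in sctp_inetaddr_event(): bytes the code never
 * names (sin_zero, the kernel's __pad) keep whatever kmalloc() returned. */
static struct entry_model *new_entry_v4(int zeroed, uint32_t ip_nbo) {
    struct entry_model *e = zeroed ? fake_kzalloc(sizeof *e) : fake_kmalloc(sizeof *e);
    if (!e) return NULL;
    e->a.v4.sin_family = AF_INET;
    e->a.v4.sin_port = 0;
    e->a.v4.sin_addr.s_addr = ip_nbo;
    e->valid = 1;
    return e;
}

/* Same pattern as sctp_inet6addr_event(); set_flowinfo mirrors the fix. */
static struct entry_model *new_entry_v6(int zeroed, int set_flowinfo) {
    struct entry_model *e = zeroed ? fake_kzalloc(sizeof *e) : fake_kmalloc(sizeof *e);
    if (!e) return NULL;
    e->a.v6.sin6_family = AF_INET6;
    e->a.v6.sin6_port = 0;
    if (set_flowinfo) e->a.v6.sin6_flowinfo = 0;
    e->a.v6.sin6_addr = in6addr_loopback;  /* constructed local address */
    e->a.v6.sin6_scope_id = 1;
    e->valid = 1;
    return e;
}

/* Stand-in for sctp_copy_laddrs(): memcpy of the whole sockaddr, which is
 * how the padding travelled out through SCTP_GET_LOCAL_ADDRS. */
static size_t copy_laddr(const struct entry_model *e, unsigned char *to, int v6) {
    size_t n = v6 ? sizeof e->a.v6 : sizeof e->a.v4;
    memcpy(to, &e->a, n);
    return n;
}

/* Bytes of the copied address that still carry the marker: that is how many
 * bytes of old kernel memory the caller of getsockopt() would receive. */
static int stale_count(const unsigned char *buf, size_t n) {
    int k = 0;
    for (size_t i = 0; i < n; i++) k += (buf[i] == STALE);
    return k;
}

/* IPv4 entry: 8 stale bytes (sin_zero) without zeroing, 0 with kzalloc. */
int leaked_v4(int zeroed) {
    unsigned char user_buf[sizeof(union addr_model)];
    struct entry_model *e = new_entry_v4(zeroed, htonl(0xAC141400u)); /* 172.20.20.0 */
    return stale_count(user_buf, copy_laddr(e, user_buf, 0));
}

/* IPv6 entry: only sin6_flowinfo (4 bytes) is missed, the size of the
 * "Bytes 32-35" range in the report; the flowinfo fix or kzalloc gives 0. */
int leaked_v6(int zeroed, int set_flowinfo) {
    unsigned char user_buf[sizeof(union addr_model)];
    struct entry_model *e = new_entry_v6(zeroed, set_flowinfo);
    return stale_count(user_buf, copy_laddr(e, user_buf, 1));
}

int main(void) {
    printf("v4: kmalloc leaks %d bytes, kzalloc %d\n", leaked_v4(0), leaked_v4(1));
    printf("v6: kmalloc leaks %d bytes, with flowinfo fix %d, kzalloc %d\n",
           leaked_v6(0, 0), leaked_v6(0, 1), leaked_v6(1, 0));
    return 0;
}
```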

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt
  2019-01-14  9:55           ` Xin Long
@ 2019-01-14  9:58             ` Alexander Potapenko
  -1 siblings, 0 replies; 34+ messages in thread
From: Alexander Potapenko @ 2019-01-14  9:58 UTC (permalink / raw)
  To: Xin Long
  Cc: Marcelo Ricardo Leitner, syzbot+ad5d327e6936a2e284be, davem,
	LKML, linux-sctp, network dev, Neil Horman, syzkaller-bugs,
	Vlad Yasevich

On Mon, Jan 14, 2019 at 10:56 AM Xin Long <lucien.xin@gmail.com> wrote:
>
> On Mon, Jan 14, 2019 at 5:34 PM Alexander Potapenko <glider@google.com> wrote:
> >
> > On Mon, Dec 10, 2018 at 9:56 AM Xin Long <lucien.xin@gmail.com> wrote:
> > >
> > > On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner
> > > <marcelo.leitner@gmail.com> wrote:
> > > >
> > > > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > > > On Wed, Dec 5, 2018 at 8:31 PM syzbot
> > > > > <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> > > > > >
> > > > > When a network device goes up and sctp_inetaddr_event() is called, it
> > > > > allocates a partially initialized struct sctp_sockaddr_entry to hold
> > > > > the newly created address.
> > > > > The attached reproducer can then be used to read up to 8 uninit bytes
> > > > > for each of the local addresses.
> > > > > I guess the devices aren't created so often that this can pose any
> > > > > security risk, but we probably still need to allocate this structure
> > > > > with __GFP_ZERO.
> > > >
> > > > Agree. Thanks Alexander.
> > > > Looks like this is the last/only place left with this issue.
> > Actually there's still a similar bug in IPv4. Memsetting addr->a.v4 should help:
> seems right, because of __pad of struct sockaddr_in.
> Do you have any reproducer for this?
I just took the above reproducer. Not sure what changed (perhaps the
configuration of my VM), but now the uninitialized data is allocated
by sctp_inetaddr_event().
> We should use kzalloc for all sctp_sockaddr_entry allocations.
>
> Thanks.
>
> >
> > diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
> > index d5878ae55840..f1cbfb4d0c39 100644
> > --- a/net/sctp/protocol.c
> > +++ b/net/sctp/protocol.c
> > @@ -778,6 +778,7 @@ static int sctp_inetaddr_event(struct
> > notifier_block *this, unsigned long ev,
> >         case NETDEV_UP:
> >                 addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
> >                 if (addr) {
> > +                       memset(&addr->a.v4, 0, sizeof(struct sockaddr_in));
> >                         addr->a.v4.sin_family = AF_INET;
> >                         addr->a.v4.sin_port = 0;
> >                         addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
> >
> >
> > > This field is not really used by sctp, I will just set it to 0.
> > >
> > > diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> > > index fc6c5e4bffa5..7f0539db5604 100644
> > > --- a/net/sctp/ipv6.c
> > > +++ b/net/sctp/ipv6.c
> > > @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct
> > > notifier_block *this, unsigned long ev,
> > >                 if (addr) {
> > >                         addr->a.v6.sin6_family = AF_INET6;
> > >                         addr->a.v6.sin6_port = 0;
> > > +                       addr->a.v6.sin6_flowinfo = 0;
> > >                         addr->a.v6.sin6_addr = ifa->addr;
> > >                         addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
> > >                         addr->valid = 1;
> > >
> > > >
> > > > > >
> > > > > > ---
> > > > > > This bug is generated by a bot. It may contain errors.
> > > > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > > > >
> > > > > > syzbot will keep track of this bug report. See:
> > > > > > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > > > > > syzbot.
> > > > > > syzbot can test patches for this bug, for details see:
> > > > > > https://goo.gl/tpsmEJ#testing-patches
> > > > > >
> > > > > > --
> > > > > > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > > > > > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > > > > > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000311344057c4b6cc3%40google.com.
> > > > > > For more options, visit https://groups.google.com/d/optout.
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Alexander Potapenko
> > > > > Software Engineer
> > > > >
> > > > > Google Germany GmbH
> > > > > Erika-Mann-Straße, 33
> > > > > 80636 München
> > > > >
> > > > > Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> > > > > Registergericht und -nummer: Hamburg, HRB 86891
> > > > > Sitz der Gesellschaft: Hamburg
> > > >
> > > > > #ifndef DUMP_BUF_H
> > > > > #define DUMP_BUF_H
> > > > >
> > > > > #ifndef DUMP_MIN_STRLEN
> > > > > #define DUMP_MIN_STRLEN 1
> > > > > #endif
> > > > >
> > > > > #ifndef DUMP_PARALLEL
> > > > > #define DUMP_PARALLEL 0
> > > > > #endif
> > > > >
> > > > > #ifndef DUMP_PRINT_BUF_ADDR
> > > > > #define DUMP_PRINT_BUF_ADDR 0
> > > > > #endif
> > > > >
> > > > > #ifndef DUMP_PRINT_HEX
> > > > > #define DUMP_PRINT_HEX 0
> > > > > #endif
> > > > >
> > > > > #ifndef DUMP_PRINT_STRING
> > > > > #define DUMP_PRINT_STRING 0
> > > > > #endif
> > > > >
> > > > > #if DUMP_PARALLEL
> > > > > pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> > > > > #endif
> > > > >
> > > > > void dump_buf(unsigned char *buf, int len) {
> > > > >   int i, nz = 0;
> > > > >   for (i = 0; i < len; i++) {
> > > > >     if (buf[i]) {
> > > > >       nz = 1;
> > > > >       break;
> > > > >     }
> > > > >   }
> > > > >   if (!nz) {
> > > > >     // The buffer is empty.
> > > > >     return;
> > > > >   } else {
> > > > > #if DUMP_PARALLEL
> > > > >     pthread_mutex_lock(&out_mutex);
> > > > > #endif
> > > > > #if DUMP_PRINT_BUF_ADDR
> > > > >     fprintf(stderr, "nonempty buffer at %p\n", buf);
> > > > > #endif
> > > > > #if DUMP_PRINT_HEX
> > > > >     for (i=0; i < len; i++) {
> > > > >       if (buf[i]) {
> > > > >         fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], *(void**)&buf[i]);
> > > > >       }
> > > > >     }
> > > > > #endif // DUMP_PRINT_HEX
> > > > > #if DUMP_PARALLEL
> > > > >     pthread_mutex_unlock(&out_mutex);
> > > > > #endif
> > > > >   }
> > > > > #if DUMP_PARALLEL
> > > > >   pthread_mutex_lock(&out_mutex);
> > > > > #endif
> > > > > #if DUMP_PRINT_STRING
> > > > >   for (i = 0; i < len; i++) {
> > > > >     if (buf[i]) {
> > > > >       int str_len = strlen(&buf[i]);
> > > > >       // Short string pieces are too boring.
> > > > >       if (str_len >= DUMP_MIN_STRLEN) {
> > > > >         unsigned char *c;
> > > > >         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
> > > > >           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13)))  {
> > > > >             *c = ' ';
> > > > >             continue;
> > > > >           }
> > > > >         }
> > > > >         // Dump the buffer.
> > > > >         fprintf(stderr, "%s\n", &buf[i]);
> > > > >       }
> > > > >       i += str_len;
> > > > >     }
> > > > >   }
> > > > > #endif // DUMP_PRINT_STRING
> > > > > #if DUMP_PARALLEL
> > > > >   pthread_mutex_unlock(&out_mutex);
> > > > > #endif
> > > > > }
> > > > >
> > > > > #endif
> > > >
> > > > > #include <stdio.h>
> > > > > #include <string.h>             /* memset(), strlen() */
> > > > > #include <pthread.h>
> > > > > #include <sys/types.h>          /* See NOTES */
> > > > > #include <sys/socket.h>
> > > > > #include <unistd.h>
> > > > >
> > > > > #define DUMP_PARALLEL 1
> > > > > #define DUMP_PRINT_BUF_ADDR 1
> > > > > #define DUMP_PRINT_STRING 1
> > > > > #define DUMP_PRINT_HEX 1
> > > > > #include "dump_buf.h"
> > > > >
> > > > > void *setsockopt_fn(void *arg) {
> > > > >   int sock = (int)(long)arg;
> > > > >   struct sockaddr addr;
> > > > >   memset(&addr, 0, sizeof(addr));
> > > > >   addr.sa_family = 2;
> > > > >   addr.sa_data[2] = 0xac;
> > > > >   addr.sa_data[3] = 0x14;
> > > > >   addr.sa_data[4] = 0x14;
> > > > >   setsockopt(sock, 0x84, 0x6e, &addr, 0x10);
> > > > >   return NULL;
> > > > > }
> > > > >
> > > > > #define BUFLEN (0x2c2)
> > > > > void *getsockopt_fn(void *arg) {
> > > > >   int sock = (int)(long)arg;
> > > > >   unsigned char buf[BUFLEN];
> > > > >   memset(buf, 0, BUFLEN);
> > > > >   socklen_t socklen = BUFLEN;
> > > > >   getsockopt(sock, 0x84, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
> > > > >   dump_buf(&(buf[8]), 32);
> > > > >   return NULL;
> > > > > }
> > > > >
> > > > > void do_work(int sock) {
> > > > >   pthread_t t1, t2;
> > > > >   for (int i = 0; i < 10; i++) {
> > > > >     pthread_create(&t1, NULL, getsockopt_fn, (void*)sock);
> > > > >     pthread_create(&t2, NULL, setsockopt_fn, (void*)sock);
> > > > >     usleep(100);
> > > > >   }
> > > > > }
> > > > >
> > > > > int main(int argc, char *argv[]) {
> > > > >   int res;
> > > > >   int pid = fork();
> > > > >   if (pid == 0) {
> > > > >     int sock = socket(0x2, 0x1, 0x84);
> > > > >     do_work(sock);
> > > > >   }
> > > > >   sleep(10);
> > > > >   return 0;
> > > > > }
> > > >
> >
> >
> >
> > --
> > Alexander Potapenko
> > Software Engineer
> >
> > Google Germany GmbH
> > Erika-Mann-Straße, 33
> > 80636 München
> >
> > Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> > Registergericht und -nummer: Hamburg, HRB 86891
> > Sitz der Gesellschaft: Hamburg



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt
@ 2019-01-14  9:58             ` Alexander Potapenko
  0 siblings, 0 replies; 34+ messages in thread
From: Alexander Potapenko @ 2019-01-14  9:58 UTC (permalink / raw)
  To: Xin Long
  Cc: Marcelo Ricardo Leitner, syzbot+ad5d327e6936a2e284be, davem,
	LKML, linux-sctp, network dev, Neil Horman, syzkaller-bugs,
	Vlad Yasevich

On Mon, Jan 14, 2019 at 10:56 AM Xin Long <lucien.xin@gmail.com> wrote:
>
> On Mon, Jan 14, 2019 at 5:34 PM Alexander Potapenko <glider@google.com> wrote:
> >
> > On Mon, Dec 10, 2018 at 9:56 AM Xin Long <lucien.xin@gmail.com> wrote:
> > >
> > > On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner
> > > <marcelo.leitner@gmail.com> wrote:
> > > >
> > > > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > > > On Wed, Dec 5, 2018 at 8:31 PM syzbot
> > > > > <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> > > > > > git tree:       https://github.com/google/kmsan.git/master
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> > > > > > compiler:       clang version 8.0.0 (trunk 343298)
> > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
> > > > > >
> > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > > Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
> > > > > >
> > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > ==================================================================
> > > > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > > > CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> > > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > > > Google 01/01/2011
> > > > > > Call Trace:
> > > > > >   __dump_stack lib/dump_stack.c:77 [inline]
> > > > > >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> > > > > >   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
> > > > > >   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
> > > > > >   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
> > > > > >   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > > >   copy_to_user include/linux/uaccess.h:183 [inline]
> > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
> > > > > >   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
> > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > RIP: 0033:0x457569
> > > > > > Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > > > > > ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > > > RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> > > > > > RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> > > > > > RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> > > > > > R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> > > > > > R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
> > > > > >
> > > > > > Uninit was stored to memory at:
> > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > > >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > > >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > >
> > > > > > Uninit was stored to memory at:
> > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > > >   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
> > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > > >   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
> > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > >
> > > > > > Uninit was created at:
> > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > >   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
> > > > > >   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
> > > > > >   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
> > > > > >   kmalloc include/linux/slab.h:551 [inline]
> > > > > >   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
> > > > > >   notifier_call_chain kernel/notifier.c:93 [inline]
> > > > > >   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> > > > > >   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
> > > > > >   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
> > > > > >   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
> > > > > >   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
> > > > > >   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
> > > > > >   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
> > > > > >   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
> > > > > >   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
> > > > > >   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
> > > > > >   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
> > > > > >   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
> > > > > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > > > > >   sock_sendmsg net/socket.c:631 [inline]
> > > > > >   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
> > > > > >   __sys_sendmsg net/socket.c:2154 [inline]
> > > > > >   __do_sys_sendmsg net/socket.c:2163 [inline]
> > > > > >   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
> > > > > >   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
> > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > >
> > > > > > Bytes 32-35 of 2100 are uninitialized
> > > > > > Memory access of size 2100 starts at ffff888185d8b000
> > > > > > Data copied to user address 0000000020001108
> > > > > > ==================================================================
> > > > > When a network device goes up and sctp_inetaddr_event() is called, it
> > > > > allocates a partially initialized struct sctp_sockaddr_entry to hold
> > > > > the newly created address.
> > > > > The attached reproducer can be then used to read up to 8 uninit bytes
> > > > > for each of the local addresses.
> > > > > I guess the devices aren't created so often that this can pose any
> > > > > security risk, but we probably still need to allocate this structure
> > > > > with __GFP_ZERO.
> > > >
> > > > Agree. Thanks Alexander.
> > > > Looks like this is the last/only place left with this issue.
> > Actually there's still a similar bug in IPv4. Memsetting addr->a.v4 should help:
> seems right, because of __pad of struct sockaddr_in.
> Do you have any reproducer for this?
I just took the above reproducer. Not sure what changed (perhaps the
configuration of my VM), but now the uninitialized data is allocated
by sctp_inetaddr_event().
> We should use kzalloc for all sctp_sockaddr_entry allocations.
>
> Thanks.
>
> >
> > diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
> > index d5878ae55840..f1cbfb4d0c39 100644
> > --- a/net/sctp/protocol.c
> > +++ b/net/sctp/protocol.c
> > @@ -778,6 +778,7 @@ static int sctp_inetaddr_event(struct
> > notifier_block *this, unsigned long ev,
> >         case NETDEV_UP:
> >                 addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
> >                 if (addr) {
> > +                       memset(&addr->a.v4, 0, sizeof(struct sockaddr_in));
> >                         addr->a.v4.sin_family = AF_INET;
> >                         addr->a.v4.sin_port = 0;
> >                         addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
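
Review bot: the memset zeroes only sizeof(struct sockaddr_in), so it clears the __pad bytes behind this report, but addr->a also has a v6 view (the ipv6.c hunk below writes addr->a.v6), so the object is larger than struct sockaddr_in and everything past its first 16 bytes is still uninitialized after this hunk; that is safe only as long as the IPv4 copy-out length never exceeds sizeof(struct sockaddr_in). Zeroing the whole allocation instead, `addr = kzalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);`, as suggested in this reply for all sctp_sockaddr_entry allocations, covers both views in one place and makes `addr->a.v4.sin_port = 0;` redundant. Separately, the hunk header is wrapped onto two lines (`@@ -778,6 +778,7 @@ static int sctp_inetaddr_event(struct` / `notifier_block *this, unsigned long ev,`), so the patch as quoted will not apply cleanly; please resend it unwrapped or as an attachment.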
> >
> >
> > > This field is not really used by sctp, I will just set it to 0.
> > >
> > > diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> > > index fc6c5e4bffa5..7f0539db5604 100644
> > > --- a/net/sctp/ipv6.c
> > > +++ b/net/sctp/ipv6.c
> > > @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct
> > > notifier_block *this, unsigned long ev,
> > >                 if (addr) {
> > >                         addr->a.v6.sin6_family = AF_INET6;
> > >                         addr->a.v6.sin6_port = 0;
> > > +                       addr->a.v6.sin6_flowinfo = 0;
> > >                         addr->a.v6.sin6_addr = ifa->addr;
> > >                         addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
> > >                         addr->valid = 1;
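
Review bot: `addr->a.v6.sin6_flowinfo = 0;` closes exactly the hole KMSAN reported ("Bytes 32-35 of 2100 are uninitialized", stored from sctp_copy_laddrs), but it repairs one field rather than the allocation pattern: the entry still comes from kmalloc, and any member not assigned in this block, plus any padding, is copied out by sctp_copy_laddrs unchanged. The IPv4 handler in protocol.c has the same shape and leaks __pad of struct sockaddr_in for the same reason, so zeroing the entry at allocation (kzalloc) in both handlers is the fix that does not regress when a field is added; with it, `sin6_port = 0` and `sin6_flowinfo = 0` become unnecessary. The hunk header here is also wrapped (`static int sctp_inet6addr_event(struct` / `notifier_block *this, unsigned long ev,`), so the patch needs to be resent unwrapped before it can be applied.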
> > >
> > > >
> > > > > >
> > > > > > ---
> > > > > > This bug is generated by a bot. It may contain errors.
> > > > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > > > >
> > > > > > syzbot will keep track of this bug report. See:
> > > > > > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > > > > > syzbot.
> > > > > > syzbot can test patches for this bug, for details see:
> > > > > > https://goo.gl/tpsmEJ#testing-patches
> > > > > >
> > > > > > --
> > > > > > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > > > > > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > > > > > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000311344057c4b6cc3%40google.com.
> > > > > > For more options, visit https://groups.google.com/d/optout.
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Alexander Potapenko
> > > > > Software Engineer
> > > > >
> > > > > Google Germany GmbH
> > > > > Erika-Mann-Straße, 33
> > > > > 80636 München
> > > > >
> > > > > Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> > > > > Registergericht und -nummer: Hamburg, HRB 86891
> > > > > Sitz der Gesellschaft: Hamburg
> > > >
> > > > > #ifndef DUMP_BUF_H
> > > > > #define DUMP_BUF_H
> > > > >
> > > > > #ifndef DUMP_MIN_STRLEN
> > > > > #define DUMP_MIN_STRLEN 1
> > > > > #endif
> > > > >
> > > > > #ifndef DUMP_PARALLEL
> > > > > #define DUMP_PARALLEL 0
> > > > > #endif
> > > > >
> > > > > #ifndef DUMP_PRINT_BUF_ADDR
> > > > > #define DUMP_PRINT_BUF_ADDR 0
> > > > > #endif
> > > > >
> > > > > #ifndef DUMP_PRINT_HEX
> > > > > #define DUMP_PRINT_HEX 0
> > > > > #endif
> > > > >
> > > > > #ifndef DUMP_PRINT_STRING
> > > > > #define DUMP_PRINT_STRING 0
> > > > > #endif
> > > > >
> > > > > #if DUMP_PARALLEL
> > > > > pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> > > > > #endif
> > > > >
> > > > > void dump_buf(unsigned char *buf, int len) {
> > > > >   int i, nz = 0;
> > > > >   for (i = 0; i < len; i++) {
> > > > >     if (buf[i]) {
> > > > >       nz = 1;
> > > > >       break;
> > > > >     }
> > > > >   }
> > > > >   if (!nz) {
> > > > >     // The buffer is empty.
> > > > >     return;
> > > > >   } else {
> > > > > #if DUMP_PARALLEL
> > > > >     pthread_mutex_lock(&out_mutex);
> > > > > #endif
> > > > > #if DUMP_PRINT_BUF_ADDR
> > > > >     fprintf(stderr, "nonempty buffer at %p\n", buf);
> > > > > #endif
> > > > > #if DUMP_PRINT_HEX
> > > > >     for (i=0; i < len; i++) {
> > > > >       if (buf[i]) {
> > > > >         fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], *(void**)&buf[i]);
> > > > >       }
> > > > >     }
> > > > > #endif // DUMP_PRINT_HEX
> > > > > #if DUMP_PARALLEL
> > > > >     pthread_mutex_unlock(&out_mutex);
> > > > > #endif
> > > > >   }
> > > > > #if DUMP_PARALLEL
> > > > >   pthread_mutex_lock(&out_mutex);
> > > > > #endif
> > > > > #if DUMP_PRINT_STRING
> > > > >   for (i = 0; i < len; i++) {
> > > > >     if (buf[i]) {
> > > > >       int str_len = strlen((const char *)&buf[i]);
> > > > >       // Short string pieces are too boring.
> > > > >       if (str_len >= DUMP_MIN_STRLEN) {
> > > > >         unsigned char *c;
> > > > >         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
> > > > >           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13)))  {
> > > > >             *c = ' ';
> > > > >             continue;
> > > > >           }
> > > > >         }
> > > > >         // Dump the buffer.
> > > > >         fprintf(stderr, "%s\n", (const char *)&buf[i]);
> > > > >       }
> > > > >       i += str_len;
> > > > >     }
> > > > >   }
> > > > > #endif // DUMP_PRINT_STRING
> > > > > #if DUMP_PARALLEL
> > > > >   pthread_mutex_unlock(&out_mutex);
> > > > > #endif
> > > > > }
> > > > >
> > > > > #endif
> > > >
> > > > > #include <stdio.h>
> > > > > #include <string.h>             /* memset(), strlen() */
> > > > > #include <pthread.h>
> > > > > #include <sys/types.h>          /* See NOTES */
> > > > > #include <sys/socket.h>
> > > > > #include <unistd.h>
> > > > >
> > > > > #define DUMP_PARALLEL 1
> > > > > #define DUMP_PRINT_BUF_ADDR 1
> > > > > #define DUMP_PRINT_STRING 1
> > > > > #define DUMP_PRINT_HEX 1
> > > > > #include "dump_buf.h"
> > > > >
> > > > > void *setsockopt_fn(void *arg) {
> > > > >   int sock = (int)(long)arg;
> > > > >   struct sockaddr addr;
> > > > >   memset(&addr, 0, sizeof(addr));
> > > > >   addr.sa_family = 2;
> > > > >   addr.sa_data[2] = 0xac;
> > > > >   addr.sa_data[3] = 0x14;
> > > > >   addr.sa_data[4] = 0x14;
> > > > >   setsockopt(sock, 0x84, 0x6e, &addr, 0x10);
> > > > >   return NULL;
> > > > > }
> > > > >
> > > > > #define BUFLEN (0x2c2)
> > > > > void *getsockopt_fn(void *arg) {
> > > > >   int sock = (int)(long)arg;
> > > > >   unsigned char buf[BUFLEN];
> > > > >   memset(buf, 0, BUFLEN);
> > > > >   socklen_t socklen = BUFLEN;
> > > > >   getsockopt(sock, 0x84, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
> > > > >   dump_buf(&(buf[8]), 32);
> > > > >   return NULL;
> > > > > }
> > > > >
> > > > > void do_work(int sock) {
> > > > >   pthread_t t1, t2;
> > > > >   for (int i = 0; i < 10; i++) {
> > > > >     pthread_create(&t1, NULL, getsockopt_fn, (void*)sock);
> > > > >     pthread_create(&t2, NULL, setsockopt_fn, (void*)sock);
> > > > >     usleep(100);
> > > > >   }
> > > > > }
> > > > >
> > > > > int main(int argc, char *argv[]) {
> > > > >   int res;
> > > > >   int pid = fork();
> > > > >   if (pid == 0) {
> > > > >     int sock = socket(0x2, 0x1, 0x84);
> > > > >     do_work(sock);
> > > > >   }
> > > > >   sleep(10);
> > > > >   return 0;
> > > > > }
> > > >
> >
> >
> >
> > --
> > Alexander Potapenko
> > Software Engineer
> >
> > Google Germany GmbH
> > Erika-Mann-Straße, 33
> > 80636 München
> >
> > Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> > Registergericht und -nummer: Hamburg, HRB 86891
> > Sitz der Gesellschaft: Hamburg



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

^ permalink raw reply	[flat|nested] 34+ messages in thread
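
The defect discussed in this thread, modeled in user space as an added example (this is not code from the thread or from the kernel tree): a kmalloc'd sctp_sockaddr_entry whose IPv4 address is filled in field by field leaves the __pad bytes of struct sockaddr_in uninitialized, and they travel to user space when sctp_copy_laddrs copies the address out. The structs below are hand-written models with the same field order as the kernel's sockaddr_in / sockaddr_in6 (assumed 16 and 28 bytes with no compiler holes), the sample address is constructed, and a poison byte stands in for KMSAN's shadow so that uninitialized bytes in the copied-out buffer can be counted. It contrasts the code as reported, the memset on addr->a.v4 from the protocol.c hunk, and the kzalloc variant, and shows that the memset covers only the v4 view of the union, which matters as soon as more than sizeof(struct sockaddr_in) bytes are copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hand-written models of the kernel structs (assumed layout: same field
 * order as sockaddr_in / sockaddr_in6, 16 and 28 bytes, no holes). */
struct model_sockaddr_in {
	uint16_t sin_family, sin_port;
	uint32_t s_addr;
	uint8_t  __pad[8];      /* the bytes that leaked in the IPv4 report */
};
struct model_sockaddr_in6 {
	uint16_t sin6_family, sin6_port;
	uint32_t sin6_flowinfo; /* the field that leaked in the IPv6 report */
	uint8_t  sin6_addr[16];
	uint32_t sin6_scope_id;
};
union model_sctp_addr { struct model_sockaddr_in v4; struct model_sockaddr_in6 v6; };
struct model_sockaddr_entry { union model_sctp_addr a; uint8_t state, valid; };

/* Poison byte standing in for KMSAN's "uninitialized" shadow: the kmalloc
 * stand-in fills fresh memory with it, so any poison left in data that would
 * reach user space is a leaked byte (the constructed sample address below
 * contains no 0xAA byte, so there are no false positives). */
#define POISON 0xAA

static void *model_kmalloc(size_t n)
{
	void *p = malloc(n);
	if (p)
		memset(p, POISON, n);
	return p;
}

/* Count poison bytes in [p, p+len); *first gets the offset of the first
 * one, or -1 when the region is fully initialized. */
static int count_uninit(const void *p, size_t len, int *first)
{
	const uint8_t *b = p;
	int n = 0;
	*first = -1;
	for (size_t i = 0; i < len; i++) {
		if (b[i] != POISON)
			continue;
		if (*first < 0)
			*first = (int)i;
		n++;
	}
	return n;
}

/* Three versions of the NETDEV_UP branch of sctp_inetaddr_event(): the code
 * as reported, the memset on addr->a.v4 from the protocol.c hunk, and the
 * kzalloc variant proposed for all sctp_sockaddr_entry allocations. */
enum init_style { INIT_AS_REPORTED, INIT_MEMSET_V4, INIT_KZALLOC };

static struct model_sockaddr_entry *inetaddr_event(enum init_style s, uint32_t local)
{
	struct model_sockaddr_entry *addr = s == INIT_KZALLOC
		? calloc(1, sizeof(*addr))      /* kzalloc: whole entry zeroed */
		: model_kmalloc(sizeof(*addr)); /* kmalloc: contents undefined */
	if (!addr)
		return NULL;
	if (s == INIT_MEMSET_V4)       /* zeroes only sizeof(struct sockaddr_in) */
		memset(&addr->a.v4, 0, sizeof(struct model_sockaddr_in));
	addr->a.v4.sin_family = 2;     /* AF_INET */
	addr->a.v4.sin_port = 0;
	addr->a.v4.s_addr = local;
	addr->valid = 1;               /* state and __pad are never assigned */
	return addr;
}

/* Model of the copy in sctp_copy_laddrs(): addrlen bytes of the address go
 * into the buffer that copy_to_user() will hand out.  Returns how many of
 * those bytes are uninitialized; *first is the first offending offset. */
static int uninit_in_copy(enum init_style s, size_t addrlen, int *first)
{
	uint8_t out[sizeof(union model_sctp_addr)];
	struct model_sockaddr_entry *e = inetaddr_event(s, 0x011414acu); /* constructed */

	if (!e)
		return -1;
	if (addrlen > sizeof(out))
		addrlen = sizeof(out);
	memcpy(out, &e->a, addrlen);
	int n = count_uninit(out, addrlen, first);
	free(e);
	return n;
}

int main(void)
{
	int first, n = uninit_in_copy(INIT_AS_REPORTED, 16, &first);
	printf("as reported, 16-byte copy: %d uninitialized, first at offset %d\n", n, first);
	n = uninit_in_copy(INIT_MEMSET_V4, 28, &first);
	printf("memset v4, 28-byte copy:   %d uninitialized, first at offset %d\n", n, first);
	return 0;
}
```

With the reported code, a 16-byte copy carries 8 poison bytes starting at offset 8, which is the __pad region and matches the second syzbot report ("Bytes 8-15 of 32 are uninitialized"). The memset variant is clean for a 16-byte copy but still carries 12 poison bytes from offset 16 when 28 bytes are copied; the kzalloc variant is clean for either length, which is why zeroing at allocation is the more robust fix.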

* KMSAN: kernel-infoleak in sctp_getsockopt (2)
  2018-12-05 19:31 ` syzbot
@ 2019-01-14 11:08 ` syzbot
  -1 siblings, 0 replies; 34+ messages in thread
From: syzbot @ 2019-01-14 11:08 UTC (permalink / raw)
  To: davem, glider, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot found the following crash on:

HEAD commit:    02f2d5aea531 kmsan: (presumably) fix dma_map_page_attrs()
git tree:       kmsan
console output: https://syzkaller.appspot.com/x/log.txt?x=164291d8c00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=52c9737ec5618f82
dashboard link: https://syzkaller.appspot.com/bug?extid=ae0c70c0c2d40c51bb92
compiler:       clang version 8.0.0 (trunk 350509)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1753eaf7400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11b22a37400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com

==================================================================
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10740 Comm: syz-executor064 Not tainted 5.0.0-rc1+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
  kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
  kmsan_internal_check_memory+0x465/0xb10 mm/kmsan/kmsan.c:663
  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
  copy_to_user include/linux/uaccess.h:174 [inline]
  sctp_getsockopt_local_addrs net/sctp/socket.c:6056 [inline]
  sctp_getsockopt+0x1309a/0x17f70 net/sctp/socket.c:7566
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
  __sys_getsockopt+0x489/0x550 net/socket.c:1939
  __do_sys_getsockopt net/socket.c:1950 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x445679
Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa7633b9db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000445679
RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000004
RBP: 00000000006dac30 R08: 00000000200000c0 R09: 0000000000000000
R10: 0000000020000200 R11: 0000000000000246 R12: 00000000006dac3c
R13: 00007ffc3e29873f R14: 00007fa7633ba9c0 R15: 00000000006dad2c

Uninit was stored to memory at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
  kmsan_memcpy_memmove_metadata+0xcf2/0xf10 mm/kmsan/kmsan.c:304
  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
  sctp_copy_laddrs net/sctp/socket.c:5959 [inline]
  sctp_getsockopt_local_addrs net/sctp/socket.c:6025 [inline]
  sctp_getsockopt+0x13887/0x17f70 net/sctp/socket.c:7566
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
  __sys_getsockopt+0x489/0x550 net/socket.c:1939
  __do_sys_getsockopt net/socket.c:1950 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
  kmsan_memcpy_memmove_metadata+0xcf2/0xf10 mm/kmsan/kmsan.c:304
  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
  sctp_copy_laddrs net/sctp/socket.c:5948 [inline]
  sctp_getsockopt_local_addrs net/sctp/socket.c:6025 [inline]
  sctp_getsockopt+0x13733/0x17f70 net/sctp/socket.c:7566
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
  __sys_getsockopt+0x489/0x550 net/socket.c:1939
  __do_sys_getsockopt net/socket.c:1950 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
  kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:159
  kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
  kmem_cache_alloc_trace+0x55d/0xb40 mm/slub.c:2784
  kmalloc include/linux/slab.h:545 [inline]
  sctp_inetaddr_event+0x47b/0xa90 net/sctp/protocol.c:779
  notifier_call_chain kernel/notifier.c:93 [inline]
  __blocking_notifier_call_chain kernel/notifier.c:317 [inline]
  blocking_notifier_call_chain+0x1a5/0x2f0 kernel/notifier.c:328
  __inet_insert_ifa+0xfaa/0x1200 net/ipv4/devinet.c:529
  inet_insert_ifa net/ipv4/devinet.c:536 [inline]
  inetdev_event+0x1ced/0x1d80 net/ipv4/devinet.c:1520
  notifier_call_chain kernel/notifier.c:93 [inline]
  __raw_notifier_call_chain kernel/notifier.c:394 [inline]
  raw_notifier_call_chain+0x13d/0x240 kernel/notifier.c:401
  __dev_notify_flags+0x3d3/0x830 net/core/dev.c:1739
  dev_change_flags+0x1d6/0x260 net/core/dev.c:7643
  do_setlink+0x16a4/0x5df0 net/core/rtnetlink.c:2492
  __rtnl_newlink net/core/rtnetlink.c:3115 [inline]
  rtnl_newlink+0x2d68/0x37a0 net/core/rtnetlink.c:3240
  rtnetlink_rcv_msg+0x115b/0x1550 net/core/rtnetlink.c:5130
  netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
  rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5148
  netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
  netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
  netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
  sock_sendmsg_nosec net/socket.c:621 [inline]
  sock_sendmsg net/socket.c:631 [inline]
  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
  __sys_sendmsg net/socket.c:2154 [inline]
  __do_sys_sendmsg net/socket.c:2163 [inline]
  __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Bytes 8-15 of 32 are uninitialized
Memory access of size 32 starts at ffff88810b2dac00
Data copied to user address 0000000020000208
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 34+ messages in thread

* KMSAN: kernel-infoleak in sctp_getsockopt (2)
@ 2019-01-14 11:08 ` syzbot
  0 siblings, 0 replies; 34+ messages in thread
From: syzbot @ 2019-01-14 11:08 UTC (permalink / raw)
  To: davem, glider, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot found the following crash on:

HEAD commit:    02f2d5aea531 kmsan: (presumably) fix dma_map_page_attrs()
git tree:       kmsan
console output: https://syzkaller.appspot.com/x/log.txt?x\x164291d8c00000
kernel config:  https://syzkaller.appspot.com/x/.config?xRc9737ec5618f82
dashboard link: https://syzkaller.appspot.com/bug?extid®0c70c0c2d40c51bb92
compiler:       clang version 8.0.0 (trunk 350509)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x\x1753eaf7400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x\x11b22a37400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com

=================================
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10740 Comm: syz-executor064 Not tainted 5.0.0-rc1+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
  kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
  kmsan_internal_check_memory+0x465/0xb10 mm/kmsan/kmsan.c:663
  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
  copy_to_user include/linux/uaccess.h:174 [inline]
  sctp_getsockopt_local_addrs net/sctp/socket.c:6056 [inline]
  sctp_getsockopt+0x1309a/0x17f70 net/sctp/socket.c:7566
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
  __sys_getsockopt+0x489/0x550 net/socket.c:1939
  __do_sys_getsockopt net/socket.c:1950 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x445679
Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa7633b9db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000445679
RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000004
RBP: 00000000006dac30 R08: 00000000200000c0 R09: 0000000000000000
R10: 0000000020000200 R11: 0000000000000246 R12: 00000000006dac3c
R13: 00007ffc3e29873f R14: 00007fa7633ba9c0 R15: 00000000006dad2c

Uninit was stored to memory at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
  kmsan_memcpy_memmove_metadata+0xcf2/0xf10 mm/kmsan/kmsan.c:304
  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
  sctp_copy_laddrs net/sctp/socket.c:5959 [inline]
  sctp_getsockopt_local_addrs net/sctp/socket.c:6025 [inline]
  sctp_getsockopt+0x13887/0x17f70 net/sctp/socket.c:7566
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
  __sys_getsockopt+0x489/0x550 net/socket.c:1939
  __do_sys_getsockopt net/socket.c:1950 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
  kmsan_memcpy_memmove_metadata+0xcf2/0xf10 mm/kmsan/kmsan.c:304
  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
  sctp_copy_laddrs net/sctp/socket.c:5948 [inline]
  sctp_getsockopt_local_addrs net/sctp/socket.c:6025 [inline]
  sctp_getsockopt+0x13733/0x17f70 net/sctp/socket.c:7566
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
  __sys_getsockopt+0x489/0x550 net/socket.c:1939
  __do_sys_getsockopt net/socket.c:1950 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
  kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:159
  kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
  kmem_cache_alloc_trace+0x55d/0xb40 mm/slub.c:2784
  kmalloc include/linux/slab.h:545 [inline]
  sctp_inetaddr_event+0x47b/0xa90 net/sctp/protocol.c:779
  notifier_call_chain kernel/notifier.c:93 [inline]
  __blocking_notifier_call_chain kernel/notifier.c:317 [inline]
  blocking_notifier_call_chain+0x1a5/0x2f0 kernel/notifier.c:328
  __inet_insert_ifa+0xfaa/0x1200 net/ipv4/devinet.c:529
  inet_insert_ifa net/ipv4/devinet.c:536 [inline]
  inetdev_event+0x1ced/0x1d80 net/ipv4/devinet.c:1520
  notifier_call_chain kernel/notifier.c:93 [inline]
  __raw_notifier_call_chain kernel/notifier.c:394 [inline]
  raw_notifier_call_chain+0x13d/0x240 kernel/notifier.c:401
  __dev_notify_flags+0x3d3/0x830 net/core/dev.c:1739
  dev_change_flags+0x1d6/0x260 net/core/dev.c:7643
  do_setlink+0x16a4/0x5df0 net/core/rtnetlink.c:2492
  __rtnl_newlink net/core/rtnetlink.c:3115 [inline]
  rtnl_newlink+0x2d68/0x37a0 net/core/rtnetlink.c:3240
  rtnetlink_rcv_msg+0x115b/0x1550 net/core/rtnetlink.c:5130
  netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
  rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5148
  netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
  netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
  netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
  sock_sendmsg_nosec net/socket.c:621 [inline]
  sock_sendmsg net/socket.c:631 [inline]
  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
  __sys_sendmsg net/socket.c:2154 [inline]
  __do_sys_sendmsg net/socket.c:2163 [inline]
  __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Bytes 8-15 of 32 are uninitialized
Memory access of size 32 starts at ffff88810b2dac00
Data copied to user address 0000000020000208
=================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: KMSAN: kernel-infoleak in sctp_getsockopt
  2019-01-14  9:58             ` Alexander Potapenko
@ 2019-01-14 11:09               ` Dmitry Vyukov
  -1 siblings, 0 replies; 34+ messages in thread
From: Dmitry Vyukov @ 2019-01-14 11:09 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: Xin Long, Marcelo Ricardo Leitner, syzbot+ad5d327e6936a2e284be,
	davem, LKML, linux-sctp, network dev, Neil Horman,
	syzkaller-bugs, Vlad Yasevich

On Mon, Jan 14, 2019 at 10:58 AM 'Alexander Potapenko' via
syzkaller-bugs <syzkaller-bugs@googlegroups.com> wrote:
>
> On Mon, Jan 14, 2019 at 10:56 AM Xin Long <lucien.xin@gmail.com> wrote:
> >
> > On Mon, Jan 14, 2019 at 5:34 PM Alexander Potapenko <glider@google.com> wrote:
> > >
> > > On Mon, Dec 10, 2018 at 9:56 AM Xin Long <lucien.xin@gmail.com> wrote:
> > > >
> > > > On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner
> > > > <marcelo.leitner@gmail.com> wrote:
> > > > >
> > > > > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > > > > On Wed, Dec 5, 2018 at 8:31 PM syzbot
> > > > > > <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > syzbot found the following crash on:
> > > > > > >
> > > > > > > HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> > > > > > > git tree:       https://github.com/google/kmsan.git/master
> > > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> > > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> > > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> > > > > > > compiler:       clang version 8.0.0 (trunk 343298)
> > > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
> > > > > > >
> > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > > > Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
> > > > > > >
> > > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > > ==================================================================
> > > > > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > > > > CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> > > > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > > > > Google 01/01/2011
> > > > > > > Call Trace:
> > > > > > >   __dump_stack lib/dump_stack.c:77 [inline]
> > > > > > >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> > > > > > >   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
> > > > > > >   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
> > > > > > >   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
> > > > > > >   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > > > >   copy_to_user include/linux/uaccess.h:183 [inline]
> > > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
> > > > > > >   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
> > > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > > RIP: 0033:0x457569
> > > > > > > Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > > > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > > > > > > ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > > > > RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > > > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> > > > > > > RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> > > > > > > RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> > > > > > > R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> > > > > > > R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
> > > > > > >
> > > > > > > Uninit was stored to memory at:
> > > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > > > >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> > > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > > > >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> > > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > >
> > > > > > > Uninit was stored to memory at:
> > > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > > > >   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
> > > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > > > >   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
> > > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > >
> > > > > > > Uninit was created at:
> > > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > > >   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
> > > > > > >   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
> > > > > > >   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
> > > > > > >   kmalloc include/linux/slab.h:551 [inline]
> > > > > > >   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
> > > > > > >   notifier_call_chain kernel/notifier.c:93 [inline]
> > > > > > >   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> > > > > > >   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
> > > > > > >   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
> > > > > > >   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
> > > > > > >   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
> > > > > > >   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
> > > > > > >   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
> > > > > > >   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
> > > > > > >   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
> > > > > > >   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
> > > > > > >   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
> > > > > > >   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
> > > > > > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > > > > > >   sock_sendmsg net/socket.c:631 [inline]
> > > > > > >   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
> > > > > > >   __sys_sendmsg net/socket.c:2154 [inline]
> > > > > > >   __do_sys_sendmsg net/socket.c:2163 [inline]
> > > > > > >   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
> > > > > > >   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
> > > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > >
> > > > > > > Bytes 32-35 of 2100 are uninitialized
> > > > > > > Memory access of size 2100 starts at ffff888185d8b000
> > > > > > > Data copied to user address 0000000020001108
> > > > > > > ==================================================================
> > > > > > When a network device goes up and sctp_inetaddr_event() is called, it
> > > > > > allocates a partially initialized struct sctp_sockaddr_entry to hold
> > > > > > the newly created address.
> > > > > > The attached reproducer can then be used to read up to 8 uninit bytes
> > > > > > for each of the local addresses.
> > > > > > I guess the devices aren't created so often that this can pose any
> > > > > > security risk, but we probably still need to allocate this structure
> > > > > > with __GFP_ZERO.
> > > > >
> > > > > Agree. Thanks Alexander.
> > > > > Looks like this is the last/only place left with this issue.
> > > Actually there's still a similar bug in IPv4. Memsetting addr->a.v4 should help:
> > Seems right, because of __pad of struct sockaddr_in.
> > Do you have any reproducer for this?
> I just took the above reproducer. Not sure what changed (perhaps the
> configuration of my VM), but now the uninitialized data is allocated
> by sctp_inetaddr_event().
> > We should use kzalloc for all sctp_sockaddr_entry allocations.

The second version was just reported as:

KMSAN: kernel-infoleak in sctp_getsockopt (2)
https://groups.google.com/forum/#!topic/syzkaller-bugs/eOTX3BR1O4s

> >
> > Thanks.
> >
> > >
> > > diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
> > > index d5878ae55840..f1cbfb4d0c39 100644
> > > --- a/net/sctp/protocol.c
> > > +++ b/net/sctp/protocol.c
> > > @@ -778,6 +778,7 @@ static int sctp_inetaddr_event(struct
> > > notifier_block *this, unsigned long ev,
> > >         case NETDEV_UP:
> > >                 addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
> > >                 if (addr) {
> > > +                       memset(&addr->a.v4, 0, sizeof(struct sockaddr_in));
> > >                         addr->a.v4.sin_family = AF_INET;
> > >                         addr->a.v4.sin_port = 0;
> > >                         addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
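Review bot: the memset only covers addr->a.v4, i.e. the first sizeof(struct sockaddr_in) bytes of the union, so it zeroes the __pad that surfaced as bytes 8-15 of the 32-byte copy but leaves every other byte of the freshly kmalloc'd struct sctp_sockaddr_entry holding old heap contents. Replacing the allocation shown in the hunk with "addr = kzalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);" is one line shorter, covers all fields (including any added later), and matches the "use kzalloc for all sctp_sockaddr_entry allocations" conclusion further down this thread. Separately, the hunk header "@@ -778,6 +778,7 @@ static int sctp_inetaddr_event(struct" has been wrapped onto a second line by the mail client, so the diff will not apply as pasted; please resend it unwrapped.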
> > >
> > >
> > > > This field is not really used by sctp, I will just set it to 0.
> > > >
> > > > diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> > > > index fc6c5e4bffa5..7f0539db5604 100644
> > > > --- a/net/sctp/ipv6.c
> > > > +++ b/net/sctp/ipv6.c
> > > > @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct
> > > > notifier_block *this, unsigned long ev,
> > > >                 if (addr) {
> > > >                         addr->a.v6.sin6_family = AF_INET6;
> > > >                         addr->a.v6.sin6_port = 0;
> > > > +                       addr->a.v6.sin6_flowinfo = 0;
> > > >                         addr->a.v6.sin6_addr = ifa->addr;
> > > >                         addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
> > > >                         addr->valid = 1;
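Review bot: setting sin6_flowinfo = 0 closes exactly the 4-byte gap in the report (bytes 32-35 of the copy, which is offset 4 of the second 28-byte sockaddr_in6 entry), but the fix only holds as long as every member of sockaddr_in6 is assigned by hand; the kmalloc() that produces the entry sits just above this hunk's context and is not visible here, and switching it to kzalloc() (as suggested for the IPv4 path) would make the zeroing independent of which fields this function happens to set. The hunk header "@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct" is line-wrapped here as well and needs to be resent intact.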
> > > >
> > > > >
> > > > > > >
> > > > > > > ---
> > > > > > > This bug is generated by a bot. It may contain errors.
> > > > > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > > > > >
> > > > > > > syzbot will keep track of this bug report. See:
> > > > > > > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > > > > > > syzbot.
> > > > > > > syzbot can test patches for this bug, for details see:
> > > > > > > https://goo.gl/tpsmEJ#testing-patches
> > > > > > >
> > > > > > > --
> > > > > > > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > > > > > > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > > > > > > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000311344057c4b6cc3%40google.com.
> > > > > > > For more options, visit https://groups.google.com/d/optout.
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Alexander Potapenko
> > > > > > Software Engineer
> > > > > >
> > > > > > Google Germany GmbH
> > > > > > Erika-Mann-Straße, 33
> > > > > > 80636 München
> > > > > >
> > > > > > Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> > > > > > Registergericht und -nummer: Hamburg, HRB 86891
> > > > > > Sitz der Gesellschaft: Hamburg
> > > > >
> > > > > > #ifndef DUMP_BUF_H
> > > > > > #define DUMP_BUF_H
> > > > > >
> > > > > > /* Headers this file relies on, so it no longer depends on the includer. */
> > > > > > #include <stdio.h>
> > > > > > #include <string.h>
> > > > > > #include <pthread.h>
> > > > > >
> > > > > > #ifndef DUMP_MIN_STRLEN
> > > > > > #define DUMP_MIN_STRLEN 1
> > > > > > #endif
> > > > > >
> > > > > > #ifndef DUMP_PARALLEL
> > > > > > #define DUMP_PARALLEL 0
> > > > > > #endif
> > > > > >
> > > > > > #ifndef DUMP_PRINT_BUF_ADDR
> > > > > > #define DUMP_PRINT_BUF_ADDR 0
> > > > > > #endif
> > > > > >
> > > > > > #ifndef DUMP_PRINT_HEX
> > > > > > #define DUMP_PRINT_HEX 0
> > > > > > #endif
> > > > > >
> > > > > > #ifndef DUMP_PRINT_STRING
> > > > > > #define DUMP_PRINT_STRING 0
> > > > > > #endif
> > > > > >
> > > > > > #if DUMP_PARALLEL
> > > > > > pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> > > > > > #endif
> > > > > >
> > > > > > void dump_buf(unsigned char *buf, int len) {
> > > > > >   int i, nz = 0;
> > > > > >   for (i = 0; i < len; i++) {
> > > > > >     if (buf[i]) {
> > > > > >       nz = 1;
> > > > > >       break;
> > > > > >     }
> > > > > >   }
> > > > > >   if (!nz) {
> > > > > >     // The buffer is empty.
> > > > > >     return;
> > > > > >   } else {
> > > > > > #if DUMP_PARALLEL
> > > > > >     pthread_mutex_lock(&out_mutex);
> > > > > > #endif
> > > > > > #if DUMP_PRINT_BUF_ADDR
> > > > > >     fprintf(stderr, "nonempty buffer at %p\n", buf);
> > > > > > #endif
> > > > > > #if DUMP_PRINT_HEX
> > > > > >     for (i=0; i < len; i++) {
> > > > > >       if (buf[i]) {
> > > > > >         fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], *(void**)&buf[i]);
> > > > > >       }
> > > > > >     }
> > > > > > #endif // DUMP_PRINT_HEX
> > > > > > #if DUMP_PARALLEL
> > > > > >     pthread_mutex_unlock(&out_mutex);
> > > > > > #endif
> > > > > >   }
> > > > > > #if DUMP_PARALLEL
> > > > > >   pthread_mutex_lock(&out_mutex);
> > > > > > #endif
> > > > > > #if DUMP_PRINT_STRING
> > > > > >   for (i = 0; i < len; i++) {
> > > > > >     if (buf[i]) {
> > > > > >       int str_len = strlen((const char *)&buf[i]);  /* buf is unsigned char * */
> > > > > >       // Short string pieces are too boring.
> > > > > >       if (str_len >= DUMP_MIN_STRLEN) {
> > > > > >         unsigned char *c;
> > > > > >         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
> > > > > >           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13)))  {
> > > > > >             *c = ' ';
> > > > > >             continue;
> > > > > >           }
> > > > > >         }
> > > > > >         // Dump the buffer.
> > > > > >         fprintf(stderr, "%s\n", &buf[i]);
> > > > > >       }
> > > > > >       i += str_len;
> > > > > >     }
> > > > > >   }
> > > > > > #endif // DUMP_PRINT_STRING
> > > > > > #if DUMP_PARALLEL
> > > > > >   pthread_mutex_unlock(&out_mutex);
> > > > > > #endif
> > > > > > }
> > > > > >
> > > > > > #endif
> > > > >
> > > > > > #include <stdio.h>
> > > > > > #include <stdint.h>
> > > > > > #include <string.h>
> > > > > > #include <pthread.h>
> > > > > > #include <sys/types.h>          /* See NOTES */
> > > > > > #include <sys/socket.h>
> > > > > > #include <unistd.h>
> > > > > >
> > > > > > #define DUMP_PARALLEL 1
> > > > > > #define DUMP_PRINT_BUF_ADDR 1
> > > > > > #define DUMP_PRINT_STRING 1
> > > > > > #define DUMP_PRINT_HEX 1
> > > > > > #include "dump_buf.h"
> > > > > >
> > > > > > /* Thread bodies: the socket fd is smuggled through the void * argument. */
> > > > > > void *setsockopt_fn(void *arg) {
> > > > > >   int sock = (int)(intptr_t)arg;
> > > > > >   struct sockaddr addr;
> > > > > >   memset(&addr, 0, sizeof(addr));
> > > > > >   addr.sa_family = 2;
> > > > > >   addr.sa_data[2] = 0xac;
> > > > > >   addr.sa_data[3] = 0x14;
> > > > > >   addr.sa_data[4] = 0x14;
> > > > > >   setsockopt(sock, 0x84, 0x6e, &addr, 0x10);
> > > > > >   return NULL;
> > > > > > }
> > > > > >
> > > > > > #define BUFLEN (0x2c2)
> > > > > > void *getsockopt_fn(void *arg) {
> > > > > >   int sock = (int)(intptr_t)arg;
> > > > > >   unsigned char buf[BUFLEN];
> > > > > >   memset(buf, 0, BUFLEN);
> > > > > >   socklen_t socklen = BUFLEN;
> > > > > >   getsockopt(sock, 0x84, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
> > > > > >   dump_buf(&(buf[8]), 32);
> > > > > >   return NULL;
> > > > > > }
> > > > > >
> > > > > > void do_work(int sock) {
> > > > > >   pthread_t t1, t2;
> > > > > >   for (int i = 0; i < 10; i++) {
> > > > > >     pthread_create(&t1, NULL, getsockopt_fn, (void *)(intptr_t)sock);
> > > > > >     pthread_create(&t2, NULL, setsockopt_fn, (void *)(intptr_t)sock);
> > > > > >     usleep(100);
> > > > > >   }
> > > > > > }
> > > > > >
> > > > > > int main(int argc, char *argv[]) {
> > > > > >   pid_t pid = fork();
> > > > > >   if (pid == 0) {
> > > > > >     /* Child: one SCTP socket shared by all threads. */
> > > > > >     int sock = socket(0x2, 0x1, 0x84);
> > > > > >     do_work(sock);
> > > > > >   }
> > > > > >   sleep(10);
> > > > > >   return 0;
> > > > > > }
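The bug class discussed above (a kmalloc'd sctp_sockaddr_entry initialised field by field, so sockaddr_in's __pad and sockaddr_in6's sin6_flowinfo reach user space with stale heap contents) modelled in user space, as an added example that is not code from the thread or from the kernel. The struct layouts mirror the kernel's sockaddr_in/sockaddr_in6, alloc_entry() stands in for kmalloc()/kzalloc(), and the 0xAA "old contents" pattern and addresses are constructed.

```c
/* Added example, not code from the thread or the kernel. It models the leak
 * in user space: an entry comes from a kmalloc() stand-in still holding a
 * previous owner's bytes (constructed pattern 0xAA), is initialised field by
 * field as in the two event handlers, and is then memcpy'd out like
 * sctp_copy_laddrs() does; whatever the assignments skipped goes out as-is. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA                  /* constructed "old heap contents" byte */

struct k_sockaddr_in {              /* 16 bytes, kernel layout */
    uint16_t sin_family;
    uint16_t sin_port;
    uint32_t sin_addr;
    uint8_t  __pad[8];              /* bytes 8-15: never assigned below */
};

struct k_sockaddr_in6 {             /* 28 bytes, kernel layout */
    uint16_t sin6_family;
    uint16_t sin6_port;
    uint32_t sin6_flowinfo;         /* the member the ipv6.c patch adds */
    uint8_t  sin6_addr[16];
    uint32_t sin6_scope_id;
};

union k_sctp_addr {                 /* mirrors union sctp_addr */
    struct k_sockaddr_in  v4;
    struct k_sockaddr_in6 v6;
};

/* kmalloc()/kzalloc() stand-ins: plain kmalloc() returns memory that still
 * holds old contents; kzalloc() is the fix the thread converges on. */
static union k_sctp_addr *alloc_entry(int zeroed)
{
    union k_sctp_addr *a = malloc(sizeof *a);
    if (a)
        memset(a, zeroed ? 0 : STALE, sizeof *a);
    return a;
}

/* As sctp_inetaddr_event() before the fix: family, port and address only. */
static void init_v4_fieldwise(union k_sctp_addr *a, uint32_t ip)
{
    a->v4.sin_family = 2;           /* AF_INET */
    a->v4.sin_port = 0;
    a->v4.sin_addr = ip;
}

/* As sctp_inet6addr_event(): sin6_flowinfo is skipped unless asked for. */
static void init_v6_fieldwise(union k_sctp_addr *a, const uint8_t ip[16],
                              uint32_t ifindex, int set_flowinfo)
{
    a->v6.sin6_family = 10;         /* AF_INET6 */
    a->v6.sin6_port = 0;
    if (set_flowinfo)
        a->v6.sin6_flowinfo = 0;
    memcpy(a->v6.sin6_addr, ip, 16);
    a->v6.sin6_scope_id = ifindex;
}

/* Bytes of the copied-out image still carrying the stale pattern, i.e. the
 * user-space view of KMSAN's "Bytes X-Y of N are uninitialized". */
static size_t count_stale(const uint8_t *img, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (img[i] == STALE);
    return n;
}

/* Allocate, initialise, copy sizeof(struct sockaddr_in) bytes out as for an
 * IPv4 socket, and count what leaked. Returns 8 without zeroing, 0 with it. */
static size_t stale_bytes_v4(int zeroed)
{
    union k_sctp_addr *a = alloc_entry(zeroed);
    uint8_t img[sizeof(struct k_sockaddr_in)];
    if (!a)
        return (size_t)-1;
    init_v4_fieldwise(a, 0x0100007f);   /* 127.0.0.1, constructed */
    memcpy(img, &a->v4, sizeof img);
    free(a);
    return count_stale(img, sizeof img);
}

/* Same for an IPv6 entry and a sizeof(struct sockaddr_in6) copy: 4 stale
 * bytes (sin6_flowinfo) unless that field is set or the entry was zeroed. */
static size_t stale_bytes_v6(int zeroed, int set_flowinfo)
{
    static const uint8_t lo[16] = { [15] = 1 };  /* ::1, constructed */
    union k_sctp_addr *a = alloc_entry(zeroed);
    uint8_t img[sizeof(struct k_sockaddr_in6)];
    if (!a)
        return (size_t)-1;
    init_v6_fieldwise(a, lo, 3, set_flowinfo);
    memcpy(img, &a->v6, sizeof img);
    free(a);
    return count_stale(img, sizeof img);
}
```

The 8 and 4 stale bytes returned for the non-zeroed cases are the same counts KMSAN reported for the two kernel allocations; zeroing at allocation removes both without enumerating fields.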

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt
@ 2019-01-14 11:09               ` Dmitry Vyukov
  0 siblings, 0 replies; 34+ messages in thread
From: Dmitry Vyukov @ 2019-01-14 11:09 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: Xin Long, Marcelo Ricardo Leitner, syzbot+ad5d327e6936a2e284be,
	davem, LKML, linux-sctp, network dev, Neil Horman,
	syzkaller-bugs, Vlad Yasevich

On Mon, Jan 14, 2019 at 10:58 AM 'Alexander Potapenko' via
syzkaller-bugs <syzkaller-bugs@googlegroups.com> wrote:
>
> On Mon, Jan 14, 2019 at 10:56 AM Xin Long <lucien.xin@gmail.com> wrote:
> >
> > On Mon, Jan 14, 2019 at 5:34 PM Alexander Potapenko <glider@google.com> wrote:
> > >
> > > On Mon, Dec 10, 2018 at 9:56 AM Xin Long <lucien.xin@gmail.com> wrote:
> > > >
> > > > On Thu, Dec 6, 2018 at 8:08 PM Marcelo Ricardo Leitner
> > > > <marcelo.leitner@gmail.com> wrote:
> > > > >
> > > > > On Thu, Dec 06, 2018 at 11:36:08AM +0100, Alexander Potapenko wrote:
> > > > > > On Wed, Dec 5, 2018 at 8:31 PM syzbot
> > > > > > <syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com> wrote:
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > syzbot found the following crash on:
> > > > > > >
> > > > > > > HEAD commit:    fffec98ae2a6 net: proper support for CONFIG_GENERIC_CSUM o..
> > > > > > > git tree:       https://github.com/google/kmsan.git/master
> > > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=12e84a47400000
> > > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=56b48b46dafe4516
> > > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=ad5d327e6936a2e284be
> > > > > > > compiler:       clang version 8.0.0 (trunk 343298)
> > > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=103cd225400000
> > > > > > >
> > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > > > Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
> > > > > > >
> > > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > > 8021q: adding VLAN 0 to HW filter on device team0
> > > > > > > ==================================================================
> > > > > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > > > > CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> > > > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > > > > Google 01/01/2011
> > > > > > > Call Trace:
> > > > > > >   __dump_stack lib/dump_stack.c:77 [inline]
> > > > > > >   dump_stack+0x32d/0x480 lib/dump_stack.c:113
> > > > > > >   kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
> > > > > > >   kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
> > > > > > >   kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
> > > > > > >   _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> > > > > > >   copy_to_user include/linux/uaccess.h:183 [inline]
> > > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
> > > > > > >   sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
> > > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > > RIP: 0033:0x457569
> > > > > > > Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > > > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > > > > > > ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > > > > RSP: 002b:00007f4991886c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > > > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
> > > > > > > RDX: 000000000000006d RSI: 0000000000000084 RDI: 0000000000000003
> > > > > > > RBP: 000000000072bf00 R08: 0000000020000140 R09: 0000000000000000
> > > > > > > R10: 0000000020001100 R11: 0000000000000246 R12: 00007f49918876d4
> > > > > > > R13: 00000000004c7d88 R14: 00000000004ce348 R15: 00000000ffffffff
> > > > > > >
> > > > > > > Uninit was stored to memory at:
> > > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > > > >   sctp_copy_laddrs net/sctp/socket.c:5901 [inline]
> > > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > > > >   sctp_getsockopt+0x14f41/0x186f0 net/sctp/socket.c:7477
> > > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > >
> > > > > > > Uninit was stored to memory at:
> > > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > > >   kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
> > > > > > >   kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
> > > > > > >   kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
> > > > > > >   kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
> > > > > > >   __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
> > > > > > >   sctp_copy_laddrs net/sctp/socket.c:5890 [inline]
> > > > > > >   sctp_getsockopt_local_addrs net/sctp/socket.c:5967 [inline]
> > > > > > >   sctp_getsockopt+0x14de8/0x186f0 net/sctp/socket.c:7477
> > > > > > >   sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
> > > > > > >   __sys_getsockopt+0x489/0x550 net/socket.c:1939
> > > > > > >   __do_sys_getsockopt net/socket.c:1950 [inline]
> > > > > > >   __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
> > > > > > >   __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
> > > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > >
> > > > > > > Uninit was created at:
> > > > > > >   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
> > > > > > >   kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
> > > > > > >   kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
> > > > > > >   __kmalloc+0x14c/0x4d0 mm/slub.c:3825
> > > > > > >   kmalloc include/linux/slab.h:551 [inline]
> > > > > > >   sctp_inet6addr_event+0x60e/0xbd0 net/sctp/ipv6.c:100
> > > > > > >   notifier_call_chain kernel/notifier.c:93 [inline]
> > > > > > >   __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> > > > > > >   atomic_notifier_call_chain+0x13d/0x240 kernel/notifier.c:193
> > > > > > >   inet6addr_notifier_call_chain+0x76/0x90 net/ipv6/addrconf_core.c:107
> > > > > > >   ipv6_add_addr+0x2597/0x2890 net/ipv6/addrconf.c:1115
> > > > > > >   inet6_addr_add+0xc86/0x1c10 net/ipv6/addrconf.c:2912
> > > > > > >   inet6_rtm_newaddr+0x167e/0x3d20 net/ipv6/addrconf.c:4750
> > > > > > >   rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
> > > > > > >   netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
> > > > > > >   rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
> > > > > > >   netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
> > > > > > >   netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
> > > > > > >   netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
> > > > > > >   sock_sendmsg_nosec net/socket.c:621 [inline]
> > > > > > >   sock_sendmsg net/socket.c:631 [inline]
> > > > > > >   ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
> > > > > > >   __sys_sendmsg net/socket.c:2154 [inline]
> > > > > > >   __do_sys_sendmsg net/socket.c:2163 [inline]
> > > > > > >   __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
> > > > > > >   __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
> > > > > > >   do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
> > > > > > >   entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > >
> > > > > > > Bytes 32-35 of 2100 are uninitialized
> > > > > > > Memory access of size 2100 starts at ffff888185d8b000
> > > > > > > Data copied to user address 0000000020001108
> > > > > > > ==================================================================
> > > > > > When a network device goes up and sctp_inetaddr_event() is called, it
> > > > > > allocates a partially initialized struct sctp_sockaddr_entry to hold
> > > > > > the newly created address.
> > > > > > The attached reproducer can be then used to read up to 8 uninit bytes
> > > > > > for each of the local addresses.
> > > > > > I guess the devices aren't created so often that this can pose any
> > > > > > security risk, but we probably still need to allocate this structure
> > > > > > with __GFP_ZERO.
> > > > >
> > > > > Agree. Thanks Alexander.
> > > > > Looks like this is the last/only place left with this issue.
> > > Actually there's still a similar bug in IPv4. Memsetting addr->av4 should help:
> > seems right, because of __pad of struct sockaddr_in.
> > Do you have any reproducer for this?
> I just took the above reproducer. Not sure what changed (perhaps the
> configuration of my VM), but now the uninitialized data is allocated
> by sctp_inetaddr_event()
> > We should use kzalloc for all sctp_sockaddr_entry allocations.

The second version was just reported as:

KMSAN: kernel-infoleak in sctp_getsockopt (2)
https://groups.google.com/forum/#!topic/syzkaller-bugs/eOTX3BR1O4s

> >
> > Thanks.
> >
> > >
> > > diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
> > > index d5878ae55840..f1cbfb4d0c39 100644
> > > --- a/net/sctp/protocol.c
> > > +++ b/net/sctp/protocol.c
> > > @@ -778,6 +778,7 @@ static int sctp_inetaddr_event(struct
> > > notifier_block *this, unsigned long ev,
> > >         case NETDEV_UP:
> > >                 addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
> > >                 if (addr) {
> > > +                       memset(&addr->a.v4, 0, sizeof(struct sockaddr_in));
> > >                         addr->a.v4.sin_family = AF_INET;
> > >                         addr->a.v4.sin_port = 0;
> > >                         addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
> > >
> > >
> > > > This field is not really used by sctp, I will just set it to 0.
> > > >
> > > > diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> > > > index fc6c5e4bffa5..7f0539db5604 100644
> > > > --- a/net/sctp/ipv6.c
> > > > +++ b/net/sctp/ipv6.c
> > > > @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct
> > > > notifier_block *this, unsigned long ev,
> > > >                 if (addr) {
> > > >                         addr->a.v6.sin6_family = AF_INET6;
> > > >                         addr->a.v6.sin6_port = 0;
> > > > +                       addr->a.v6.sin6_flowinfo = 0;
> > > >                         addr->a.v6.sin6_addr = ifa->addr;
> > > >                         addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
> > > >                         addr->valid = 1;
> > > >
> > > > >
> > > > > > >
> > > > > > > ---
> > > > > > > This bug is generated by a bot. It may contain errors.
> > > > > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > > > > >
> > > > > > > syzbot will keep track of this bug report. See:
> > > > > > > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > > > > > > syzbot.
> > > > > > > syzbot can test patches for this bug, for details see:
> > > > > > > https://goo.gl/tpsmEJ#testing-patches
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Alexander Potapenko
> > > > > > Software Engineer
> > > > > >
> > > > > > Google Germany GmbH
> > > > > > Erika-Mann-Straße, 33
> > > > > > 80636 München
> > > > > >
> > > > > > Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> > > > > > Registergericht und -nummer: Hamburg, HRB 86891
> > > > > > Sitz der Gesellschaft: Hamburg
> > > > >
> > > > > > > #ifndef DUMP_BUF_H
> > > > > > > #define DUMP_BUF_H
> > > > > > >
> > > > > > > #include <stdio.h>
> > > > > > > #include <string.h>
> > > > > > >
> > > > > > > #ifndef DUMP_MIN_STRLEN
> > > > > > > #define DUMP_MIN_STRLEN 1
> > > > > > > #endif
> > > > > > >
> > > > > > > #ifndef DUMP_PARALLEL
> > > > > > > #define DUMP_PARALLEL 0
> > > > > > > #endif
> > > > > > >
> > > > > > > #ifndef DUMP_PRINT_BUF_ADDR
> > > > > > > #define DUMP_PRINT_BUF_ADDR 0
> > > > > > > #endif
> > > > > > >
> > > > > > > #ifndef DUMP_PRINT_HEX
> > > > > > > #define DUMP_PRINT_HEX 0
> > > > > > > #endif
> > > > > > >
> > > > > > > #ifndef DUMP_PRINT_STRING
> > > > > > > #define DUMP_PRINT_STRING 0
> > > > > > > #endif
> > > > > > >
> > > > > > > #if DUMP_PARALLEL
> > > > > > > #include <pthread.h>
> > > > > > > // Serializes the output of concurrent dump_buf() callers.
> > > > > > > pthread_mutex_t out_mutex = PTHREAD_MUTEX_INITIALIZER;
> > > > > > > #endif
> > > > > > >
> > > > > > > // Prints whatever non-zero content a zero-initialized buffer picked up,
> > > > > > > // as hex bytes and/or printable string pieces. Buffers that stayed all
> > > > > > > // zero are skipped silently.
> > > > > > > void dump_buf(unsigned char *buf, int len) {
> > > > > > >   int i, nz = 0;
> > > > > > >   for (i = 0; i < len; i++) {
> > > > > > >     if (buf[i]) {
> > > > > > >       nz = 1;
> > > > > > >       break;
> > > > > > >     }
> > > > > > >   }
> > > > > > >   if (!nz) {
> > > > > > >     // The buffer is empty.
> > > > > > >     return;
> > > > > > >   }
> > > > > > > #if DUMP_PARALLEL
> > > > > > >   pthread_mutex_lock(&out_mutex);
> > > > > > > #endif
> > > > > > > #if DUMP_PRINT_BUF_ADDR
> > > > > > >   fprintf(stderr, "nonempty buffer at %p\n", (void *)buf);
> > > > > > > #endif
> > > > > > > #if DUMP_PRINT_HEX
> > > > > > >   for (i = 0; i < len; i++) {
> > > > > > >     if (buf[i]) {
> > > > > > >       // Also show the pointer-sized word starting at this byte, but only
> > > > > > >       // while that word lies entirely inside the buffer.
> > > > > > >       if (i + (int)sizeof(void *) <= len) {
> > > > > > >         void *word;
> > > > > > >         memcpy(&word, &buf[i], sizeof(word));
> > > > > > >         fprintf(stderr, "buf[%d]: %x (%p)\n", i, buf[i], word);
> > > > > > >       } else {
> > > > > > >         fprintf(stderr, "buf[%d]: %x\n", i, buf[i]);
> > > > > > >       }
> > > > > > >     }
> > > > > > >   }
> > > > > > > #endif // DUMP_PRINT_HEX
> > > > > > > #if DUMP_PRINT_STRING
> > > > > > >   for (i = 0; i < len; i++) {
> > > > > > >     if (buf[i]) {
> > > > > > >       // Bounded length: the buffer need not be NUL-terminated.
> > > > > > >       int str_len = 0;
> > > > > > >       while (i + str_len < len && buf[i + str_len])
> > > > > > >         str_len++;
> > > > > > >       // Short string pieces are too boring.
> > > > > > >       if (str_len >= DUMP_MIN_STRLEN) {
> > > > > > >         unsigned char *c;
> > > > > > >         // Blank out non-printable bytes (keeping LF and CR).
> > > > > > >         for (c = &buf[i]; c < &buf[i + str_len]; c++) {
> > > > > > >           if ((*c > 127) || ((*c < 32) && (*c != 10) && (*c != 13)))
> > > > > > >             *c = ' ';
> > > > > > >         }
> > > > > > >         // Dump the string piece.
> > > > > > >         fprintf(stderr, "%.*s\n", str_len, (char *)&buf[i]);
> > > > > > >       }
> > > > > > >       i += str_len;
> > > > > > >     }
> > > > > > >   }
> > > > > > > #endif // DUMP_PRINT_STRING
> > > > > > > #if DUMP_PARALLEL
> > > > > > >   pthread_mutex_unlock(&out_mutex);
> > > > > > > #endif
> > > > > > > }
> > > > > > >
> > > > > > > #endif
> > > > >
> > > > > > > #include <stdio.h>
> > > > > > > #include <stdint.h>
> > > > > > > #include <string.h>
> > > > > > > #include <pthread.h>
> > > > > > > #include <sys/types.h>          /* See NOTES */
> > > > > > > #include <sys/socket.h>
> > > > > > > #include <unistd.h>
> > > > > > >
> > > > > > > #define DUMP_PARALLEL 1
> > > > > > > #define DUMP_PRINT_BUF_ADDR 1
> > > > > > > #define DUMP_PRINT_STRING 1
> > > > > > > #define DUMP_PRINT_HEX 1
> > > > > > > #include "dump_buf.h"
> > > > > > >
> > > > > > > // The socket fd is passed through the pthread argument pointer.
> > > > > > > void *setsockopt_fn(void *arg) {
> > > > > > >   int sock = (int)(intptr_t)arg;
> > > > > > >   struct sockaddr addr;
> > > > > > >   memset(&addr, 0, sizeof(addr));
> > > > > > >   addr.sa_family = 2;            /* AF_INET */
> > > > > > >   addr.sa_data[2] = 0xac;        /* sa_data[0..1] is the port, [2..5] the IPv4 address */
> > > > > > >   addr.sa_data[3] = 0x14;
> > > > > > >   addr.sa_data[4] = 0x14;
> > > > > > >   setsockopt(sock, 0x84 /*IPPROTO_SCTP*/, 0x6e /*SCTP_SOCKOPT_CONNECTX*/, &addr, 0x10);
> > > > > > >   return NULL;
> > > > > > > }
> > > > > > >
> > > > > > > #define BUFLEN (0x2c2)
> > > > > > > void *getsockopt_fn(void *arg) {
> > > > > > >   int sock = (int)(intptr_t)arg;
> > > > > > >   char buf[BUFLEN];
> > > > > > >   memset(buf, 0, BUFLEN);
> > > > > > >   socklen_t socklen = BUFLEN;
> > > > > > >   getsockopt(sock, 0x84, /*SCTP_GET_LOCAL_ADDRS*/0x6d, buf, &socklen);
> > > > > > >   // Skip the 8-byte sctp_getaddrs header and inspect the first address.
> > > > > > >   dump_buf((unsigned char *)&(buf[8]), 32);
> > > > > > >   return NULL;
> > > > > > > }
> > > > > > >
> > > > > > > void do_work(int sock) {
> > > > > > >   pthread_t t1, t2;
> > > > > > >   for (int i = 0; i < 10; i++) {
> > > > > > >     pthread_create(&t1, NULL, getsockopt_fn, (void *)(intptr_t)sock);
> > > > > > >     pthread_create(&t2, NULL, setsockopt_fn, (void *)(intptr_t)sock);
> > > > > > >     usleep(100);
> > > > > > >   }
> > > > > > > }
> > > > > > >
> > > > > > > int main(int argc, char *argv[]) {
> > > > > > >   (void)argc;
> > > > > > >   (void)argv;
> > > > > > >   int pid = fork();
> > > > > > >   if (pid == 0) {
> > > > > > >     int sock = socket(0x2 /*AF_INET*/, 0x1 /*SOCK_STREAM*/, 0x84 /*IPPROTO_SCTP*/);
> > > > > > >     do_work(sock);
> > > > > > >   }
> > > > > > >   sleep(10);
> > > > > > >   return 0;
> > > > > > > }


* KMSAN: kernel-infoleak in sctp_getsockopt (3)
  2018-12-05 19:31 ` syzbot
@ 2019-03-28 16:25 ` syzbot
  -1 siblings, 0 replies; 34+ messages in thread
From: syzbot @ 2019-03-28 16:25 UTC (permalink / raw)
  To: davem, glider, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot found the following crash on:

HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
git tree:       kmsan
console output: https://syzkaller.appspot.com/x/log.txt?x=107d3c7d200000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a5675814e8eae69e
dashboard link: https://syzkaller.appspot.com/bug?extid=86b5c7c236a22616a72f
compiler:       clang version 8.0.0 (trunk 350509)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1252834d200000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
  kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
  kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
  copy_to_user include/linux/uaccess.h:174 [inline]
  sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
  sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
  __sys_getsockopt+0x489/0x550 net/socket.c:1938
  __do_sys_getsockopt net/socket.c:1949 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x458209
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fdbef191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458209
RDX: 000000000000006c RSI: 0000000000000084 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000020000300 R09: 0000000000000000
R10: 0000000020000280 R11: 0000000000000246 R12: 00007fdbef1926d4
R13: 00000000004c96c8 R14: 00000000004d0310 R15: 00000000ffffffff

Uninit was stored to memory at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
  sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
  sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
  __sys_getsockopt+0x489/0x550 net/socket.c:1938
  __do_sys_getsockopt net/socket.c:1949 [inline]
  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
  sctp_transport_init net/sctp/transport.c:61 [inline]
  sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
  sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
  sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
  sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
  sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
  sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
  sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
  sk_backlog_rcv include/net/sock.h:936 [inline]
  __release_sock+0x281/0x5f0 net/core/sock.c:2284
  release_sock+0x99/0x2a0 net/core/sock.c:2800
  sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
  sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
  sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
  inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
  sock_sendmsg_nosec net/socket.c:622 [inline]
  sock_sendmsg net/socket.c:632 [inline]
  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
  __sys_sendmsg net/socket.c:2153 [inline]
  __do_sys_sendmsg net/socket.c:2162 [inline]
  __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Local variable description: ----addr.i@sctp_process_init
Variable was created at:
  sctp_process_init+0xb5/0x3ed0 net/sctp/sm_make_chunk.c:2324
  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191

Bytes 8-15 of 16 are uninitialized
Memory access of size 16 starts at ffff88809511fc28
Data copied to user address 0000000020000298
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
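The report's last lines say bytes 8-15 of a 16-byte memory access are uninitialised; in a struct sockaddr_in those are exactly the offsets of the sin_zero tail, which member-by-member initialisation never writes, and the patch earlier in this thread closes the same kind of gap by clearing the whole sockaddr_in and by zeroing sin6_flowinfo. The C program below is an added example, not code from the thread or from the kernel: it models an address union that was kmalloc()ed without zeroing (the stale contents stand in as a constructed 0xA5 marker), fills it the member-by-member way and the patched way for both address families, and counts how many stale bytes a copy of the whole sockaddr would carry to user space. union addr_storage, the marker byte, the addresses 192.168.0.1 and ::1 and ifindex 3 are all constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed marker standing in for whatever the previous owner left in a
 * kmalloc()ed object; reading truly uninitialised bytes would be undefined
 * behaviour, so we pre-fill with this value and count how many survive. */
#define STALE_BYTE 0xA5

union addr_storage {            /* hypothetical stand-in for union sctp_addr */
	struct sockaddr_in  v4;
	struct sockaddr_in6 v6;
};

enum scenario {
	V4_FIELDS,  /* IPv4, member by member: sin_zero never written      */
	V4_ZEROED,  /* IPv4 after memset() of the whole sockaddr_in (fix)  */
	V6_FIELDS,  /* IPv6, member by member: sin6_flowinfo never written */
	V6_FIXED    /* IPv6 with sin6_flowinfo explicitly zeroed (fix)     */
};

/* Pre-patch style initialisation: only the members the code uses are set. */
static void fill_v4_fields(union addr_storage *a, uint32_t ip_be)
{
	a->v4.sin_family      = AF_INET;
	a->v4.sin_port        = 0;
	a->v4.sin_addr.s_addr = ip_be;   /* sin_zero (offsets 8-15) untouched */
}

static void fill_v6_fields(union addr_storage *a, const struct in6_addr *ip,
			   uint32_t ifindex, int clear_flowinfo)
{
	a->v6.sin6_family = AF_INET6;
	a->v6.sin6_port   = 0;
	if (clear_flowinfo)
		a->v6.sin6_flowinfo = 0;   /* the one-line IPv6 fix */
	a->v6.sin6_addr     = *ip;
	a->v6.sin6_scope_id = ifindex;
}

/* Count marker bytes in obj[0..n); *first gets the lowest such offset, or n. */
static size_t count_stale(const void *obj, size_t n, size_t *first)
{
	const unsigned char *p = obj;
	size_t i, stale = 0;
	*first = n;
	for (i = 0; i < n; i++)
		if (p[i] == STALE_BYTE && stale++ == 0)
			*first = i;
	return stale;
}

/* Run one scenario on a "freshly kmalloc()ed" object. The span examined is
 * what copy_to_user() would copy: a whole sockaddr_in or sockaddr_in6. */
static size_t run_scenario(enum scenario s, size_t *first)
{
	union addr_storage a;
	struct in6_addr ip6 = IN6ADDR_LOOPBACK_INIT;   /* ::1, constructed */
	uint32_t ip4 = htonl(0xC0A80001u);             /* 192.168.0.1, constructed */
	memset(&a, STALE_BYTE, sizeof(a));             /* stale heap contents */
	switch (s) {
	case V4_FIELDS:
	case V4_ZEROED:
		if (s == V4_ZEROED)
			memset(&a.v4, 0, sizeof(struct sockaddr_in));
		fill_v4_fields(&a, ip4);
		return count_stale(&a.v4, sizeof(a.v4), first);
	case V6_FIELDS:
	case V6_FIXED:
		fill_v6_fields(&a, &ip6, 3, s == V6_FIXED);
		return count_stale(&a.v6, sizeof(a.v6), first);
	}
	return 0;
}

/* Stale bytes that would reach user space for scenario s, and the offset of
 * the first one (the struct size when there is none). */
size_t stale_bytes(enum scenario s)
{
	size_t first;
	return run_scenario(s, &first);
}

size_t first_stale_offset(enum scenario s)
{
	size_t first;
	run_scenario(s, &first);
	return first;
}

int main(void)
{
	static const char *names[] = { "v4 fields", "v4 memset", "v6 fields", "v6 flowinfo=0" };
	for (int s = V4_FIELDS; s <= V6_FIXED; s++)
		printf("%-14s stale bytes: %zu (first at offset %zu)\n",
		       names[s], stale_bytes(s), first_stale_offset(s));
	return 0;
}
```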


* Re: KMSAN: kernel-infoleak in sctp_getsockopt (3)
  2019-03-28 16:25 ` syzbot
@ 2019-03-29 14:50   ` Neil Horman
  -1 siblings, 0 replies; 34+ messages in thread
From: Neil Horman @ 2019-03-29 14:50 UTC (permalink / raw)
  To: syzbot
  Cc: davem, glider, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	syzkaller-bugs, vyasevich

On Thu, Mar 28, 2019 at 09:25:06AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
> git tree:       kmsan
> console output: https://syzkaller.appspot.com/x/log.txt?x=107d3c7d200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a5675814e8eae69e
> dashboard link: https://syzkaller.appspot.com/bug?extid=86b5c7c236a22616a72f
> compiler:       clang version 8.0.0 (trunk 350509)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1252834d200000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
> 
> IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
> IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
> 8021q: adding VLAN 0 to HW filter on device batadv0
> 8021q: adding VLAN 0 to HW filter on device batadv0
> ==================================================================
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
>  kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
>  kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
>  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
>  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
>  copy_to_user include/linux/uaccess.h:174 [inline]
>  sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
>  sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
>  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
>  __sys_getsockopt+0x489/0x550 net/socket.c:1938
>  __do_sys_getsockopt net/socket.c:1949 [inline]
>  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
>  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
>  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
>  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> RIP: 0033:0x458209
> Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007fdbef191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458209
> RDX: 000000000000006c RSI: 0000000000000084 RDI: 0000000000000004
> RBP: 000000000073bf00 R08: 0000000020000300 R09: 0000000000000000
> R10: 0000000020000280 R11: 0000000000000246 R12: 00007fdbef1926d4
> R13: 00000000004c96c8 R14: 00000000004d0310 R15: 00000000ffffffff
> 
> Uninit was stored to memory at:
>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
>  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
>  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
>  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
>  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
>  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
>  sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
>  sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
>  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
>  __sys_getsockopt+0x489/0x550 net/socket.c:1938
>  __do_sys_getsockopt net/socket.c:1949 [inline]
>  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
>  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
>  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
>  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> 
> Uninit was stored to memory at:
>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
>  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
>  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
>  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
>  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
>  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
>  sctp_transport_init net/sctp/transport.c:61 [inline]
>  sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
>  sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
>  sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
>  sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
>  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
>  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
>  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
>  sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
>  sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
>  sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
>  sk_backlog_rcv include/net/sock.h:936 [inline]
>  __release_sock+0x281/0x5f0 net/core/sock.c:2284
>  release_sock+0x99/0x2a0 net/core/sock.c:2800
>  sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
>  sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
>  sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
>  inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
>  sock_sendmsg_nosec net/socket.c:622 [inline]
>  sock_sendmsg net/socket.c:632 [inline]
>  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
>  __sys_sendmsg net/socket.c:2153 [inline]
>  __do_sys_sendmsg net/socket.c:2162 [inline]
>  __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
>  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
>  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
>  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> 
> Local variable description: ----addr.i@sctp_process_init
> Variable was created at:
>  sctp_process_init+0xb5/0x3ed0 net/sctp/sm_make_chunk.c:2324
>  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
>  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
>  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> 
> Bytes 8-15 of 16 are uninitialized
> Memory access of size 16 starts at ffff88809511fc28
> Data copied to user address 0000000020000298
> ==================================================================
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
> 
> 


Hmm, odd.  I see where we are doing the copy_to_user call in
getsockopt_peer_addrs, but the length we copy should always be equal to or less
than what was memcopied to the temp variable.  False positive?

Neil



* Re: KMSAN: kernel-infoleak in sctp_getsockopt (3)
@ 2019-03-29 14:50   ` Neil Horman
  0 siblings, 0 replies; 34+ messages in thread
From: Neil Horman @ 2019-03-29 14:50 UTC (permalink / raw)
  To: syzbot
  Cc: davem, glider, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	syzkaller-bugs, vyasevich

On Thu, Mar 28, 2019 at 09:25:06AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
> git tree:       kmsan
> console output: https://syzkaller.appspot.com/x/log.txt?x\x107d3c7d200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x¥675814e8eae69e
> dashboard link: https://syzkaller.appspot.com/bug?extid†b5c7c236a22616a72f
> compiler:       clang version 8.0.0 (trunk 350509)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x\x1252834d200000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
> 
> IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
> IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
> 8021q: adding VLAN 0 to HW filter on device batadv0
> 8021q: adding VLAN 0 to HW filter on device batadv0
> =================================
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
>  kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
>  kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
>  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
>  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
>  copy_to_user include/linux/uaccess.h:174 [inline]
>  sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
>  sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
>  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
>  __sys_getsockopt+0x489/0x550 net/socket.c:1938
>  __do_sys_getsockopt net/socket.c:1949 [inline]
>  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
>  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
>  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
>  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> RIP: 0033:0x458209
> Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007fdbef191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458209
> RDX: 000000000000006c RSI: 0000000000000084 RDI: 0000000000000004
> RBP: 000000000073bf00 R08: 0000000020000300 R09: 0000000000000000
> R10: 0000000020000280 R11: 0000000000000246 R12: 00007fdbef1926d4
> R13: 00000000004c96c8 R14: 00000000004d0310 R15: 00000000ffffffff
> 
> Uninit was stored to memory at:
>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
>  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
>  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
>  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
>  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
>  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
>  sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
>  sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
>  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
>  __sys_getsockopt+0x489/0x550 net/socket.c:1938
>  __do_sys_getsockopt net/socket.c:1949 [inline]
>  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
>  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
>  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
>  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> 
> Uninit was stored to memory at:
>  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
>  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
>  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
>  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
>  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
>  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
>  sctp_transport_init net/sctp/transport.c:61 [inline]
>  sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
>  sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
>  sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
>  sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
>  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
>  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
>  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
>  sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
>  sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
>  sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
>  sk_backlog_rcv include/net/sock.h:936 [inline]
>  __release_sock+0x281/0x5f0 net/core/sock.c:2284
>  release_sock+0x99/0x2a0 net/core/sock.c:2800
>  sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
>  sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
>  sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
>  inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
>  sock_sendmsg_nosec net/socket.c:622 [inline]
>  sock_sendmsg net/socket.c:632 [inline]
>  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
>  __sys_sendmsg net/socket.c:2153 [inline]
>  __do_sys_sendmsg net/socket.c:2162 [inline]
>  __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
>  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
>  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
>  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> 
> Local variable description: ----addr.i@sctp_process_init
> Variable was created at:
>  sctp_process_init+0xb5/0x3ed0 net/sctp/sm_make_chunk.c:2324
>  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
>  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
>  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> 
> Bytes 8-15 of 16 are uninitialized
> Memory access of size 16 starts at ffff88809511fc28
> Data copied to user address 0000000020000298
> ==================================================================
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
> 
> 


Hmm, odd.  I see where we are doing the copy_to_user call in
getsockopt_peer_addrs, but the length we copy should always be equal to or less
than what was memcopied to the temp variable.  False positive?

Neil

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt (3)
  2019-03-29 14:50   ` Neil Horman
@ 2019-03-29 17:35     ` Alexander Potapenko
  -1 siblings, 0 replies; 34+ messages in thread
From: Alexander Potapenko @ 2019-03-29 17:35 UTC (permalink / raw)
  To: Neil Horman
  Cc: syzbot, David Miller, LKML, linux-sctp, Marcelo Ricardo Leitner,
	Networking, syzkaller-bugs, Vladislav Yasevich

On Fri, Mar 29, 2019 at 3:51 PM Neil Horman <nhorman@tuxdriver.com> wrote:
>
> On Thu, Mar 28, 2019 at 09:25:06AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
> > git tree:       kmsan
> > console output: https://syzkaller.appspot.com/x/log.txt?x=107d3c7d200000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=a5675814e8eae69e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=86b5c7c236a22616a72f
> > compiler:       clang version 8.0.0 (trunk 350509)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1252834d200000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
> >
> > IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
> > IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
> > 8021q: adding VLAN 0 to HW filter on device batadv0
> > 8021q: adding VLAN 0 to HW filter on device batadv0
> > ==================================================================
> > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
> >  kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
> >  kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
> >  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
> >  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> >  copy_to_user include/linux/uaccess.h:174 [inline]
> >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
> >  sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
> >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> >  __do_sys_getsockopt net/socket.c:1949 [inline]
> >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > RIP: 0033:0x458209
> > Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> > 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:00007fdbef191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458209
> > RDX: 000000000000006c RSI: 0000000000000084 RDI: 0000000000000004
> > RBP: 000000000073bf00 R08: 0000000020000300 R09: 0000000000000000
> > R10: 0000000020000280 R11: 0000000000000246 R12: 00007fdbef1926d4
> > R13: 00000000004c96c8 R14: 00000000004d0310 R15: 00000000ffffffff
> >
> > Uninit was stored to memory at:
> >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
> >  sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
> >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> >  __do_sys_getsockopt net/socket.c:1949 [inline]
> >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> >
> > Uninit was stored to memory at:
> >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> >  sctp_transport_init net/sctp/transport.c:61 [inline]
> >  sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
> >  sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
> >  sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
> >  sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
> >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> >  sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
> >  sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
> >  sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
> >  sk_backlog_rcv include/net/sock.h:936 [inline]
> >  __release_sock+0x281/0x5f0 net/core/sock.c:2284
> >  release_sock+0x99/0x2a0 net/core/sock.c:2800
> >  sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
> >  sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
> >  sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
> >  inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
> >  sock_sendmsg_nosec net/socket.c:622 [inline]
> >  sock_sendmsg net/socket.c:632 [inline]
> >  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
> >  __sys_sendmsg net/socket.c:2153 [inline]
> >  __do_sys_sendmsg net/socket.c:2162 [inline]
> >  __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
> >  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
> >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> >
> > Local variable description: ----addr.i@sctp_process_init
> > Variable was created at:
> >  sctp_process_init+0xb5/0x3ed0 net/sctp/sm_make_chunk.c:2324
> >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> >
> > Bytes 8-15 of 16 are uninitialized
> > Memory access of size 16 starts at ffff88809511fc28
> > Data copied to user address 0000000020000298
> > ==================================================================
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
> >
> >
>
>
> Hmm, odd.  I see where we are doing the copy_to_user call in
> getsockopt_peer_addrs, but the length we copy should always be equal to or less
> than what was memcopied to the temp variable.  False positive?
I'll take a closer look next week.
The bug is reproducible with the following syzkaller program:

r0 = socket$inet(0x2, 0x80001, 0x84)
bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e20, @empty}, 0x10)
sendmsg(r0, &(0x7f0000000100)={&(0x7f0000006000)=@in={0x2, 0x4e20,
@loopback}, 0x80, &(0x7f0000007f80)=[{&(0x7f00000001c0)="de", 0x1}],
0x1}, 0x0)
getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c,
&(0x7f0000000000)={<r5=>0x0, 0x38,
"41925f90e4121fadc9c1296dd22ae19d0b1b0942e46fc79e2ecec1056b23199f0ca008915d8dba1b3896c154f2244bbe859fe3423a4b437a"},
&(0x7f0000000040)=0x40)

Just need to check where the uninitializedness comes from.
> Neil
>



--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Halimah DeLaine Prado
Court of registration and registration number: Hamburg, HRB 86891
Registered office: Hamburg

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt (3)
  2019-03-29 17:35     ` Alexander Potapenko
@ 2019-03-29 18:30       ` Neil Horman
  -1 siblings, 0 replies; 34+ messages in thread
From: Neil Horman @ 2019-03-29 18:30 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: syzbot, David Miller, LKML, linux-sctp, Marcelo Ricardo Leitner,
	Networking, syzkaller-bugs, Vladislav Yasevich

On Fri, Mar 29, 2019 at 06:35:40PM +0100, Alexander Potapenko wrote:
> On Fri, Mar 29, 2019 at 3:51 PM Neil Horman <nhorman@tuxdriver.com> wrote:
> >
> > On Thu, Mar 28, 2019 at 09:25:06AM -0700, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
> > > git tree:       kmsan
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=107d3c7d200000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a5675814e8eae69e
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=86b5c7c236a22616a72f
> > > compiler:       clang version 8.0.0 (trunk 350509)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1252834d200000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
> > >
> > > IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
> > > IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
> > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > ==================================================================
> > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > > CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Call Trace:
> > >  __dump_stack lib/dump_stack.c:77 [inline]
> > >  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
> > >  kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
> > >  kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
> > >  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
> > >  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > >  copy_to_user include/linux/uaccess.h:174 [inline]
> > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
> > >  sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
> > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > RIP: 0033:0x458209
> > > Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> > > 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > RSP: 002b:00007fdbef191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458209
> > > RDX: 000000000000006c RSI: 0000000000000084 RDI: 0000000000000004
> > > RBP: 000000000073bf00 R08: 0000000020000300 R09: 0000000000000000
> > > R10: 0000000020000280 R11: 0000000000000246 R12: 00007fdbef1926d4
> > > R13: 00000000004c96c8 R14: 00000000004d0310 R15: 00000000ffffffff
> > >
> > > Uninit was stored to memory at:
> > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
> > >  sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
> > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Uninit was stored to memory at:
> > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > >  sctp_transport_init net/sctp/transport.c:61 [inline]
> > >  sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
> > >  sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
> > >  sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
> > >  sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
> > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > >  sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
> > >  sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
> > >  sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
> > >  sk_backlog_rcv include/net/sock.h:936 [inline]
> > >  __release_sock+0x281/0x5f0 net/core/sock.c:2284
> > >  release_sock+0x99/0x2a0 net/core/sock.c:2800
> > >  sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
> > >  sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
> > >  sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
> > >  inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
> > >  sock_sendmsg_nosec net/socket.c:622 [inline]
> > >  sock_sendmsg net/socket.c:632 [inline]
> > >  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
> > >  __sys_sendmsg net/socket.c:2153 [inline]
> > >  __do_sys_sendmsg net/socket.c:2162 [inline]
> > >  __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
> > >  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
> > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Local variable description: ----addr.i@sctp_process_init
> > > Variable was created at:
> > >  sctp_process_init+0xb5/0x3ed0 net/sctp/sm_make_chunk.c:2324
> > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > >
> > > Bytes 8-15 of 16 are uninitialized
> > > Memory access of size 16 starts at ffff88809511fc28
> > > Data copied to user address 0000000020000298
> > > ==================================================================
> > >
> > >
> > > ---
> > > This bug is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this bug report. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > > syzbot can test patches for this bug, for details see:
> > > https://goo.gl/tpsmEJ#testing-patches
> > >
> > >
> >
> >
> > Hmm, odd.  I see where we are doing the copy_to_user call in
> > getsockopt_peer_addrs, but the length we copy should always be equal to or less
> > than what was memcopied to the temp variable.  False positive?
> I'll take a closer look next week.
> The bug is reproducible with the following syzkaller program:
> 
> r0 = socket$inet(0x2, 0x80001, 0x84)
> bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e20, @empty}, 0x10)
> sendmsg(r0, &(0x7f0000000100)={&(0x7f0000006000)=@in={0x2, 0x4e20,
> @loopback}, 0x80, &(0x7f0000007f80)=[{&(0x7f00000001c0)="de", 0x1}],
> 0x1}, 0x0)
> getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c,
> &(0x7f0000000000)={<r5=>0x0, 0x38,
> "41925f90e4121fadc9c1296dd22ae19d0b1b0942e46fc79e2ecec1056b23199f0ca008915d8dba1b3896c154f2244bbe859fe3423a4b437a"},
> &(0x7f0000000040)=0x40)
> 
> Just need to check where the uninitializedness comes from.
my only guess would be if we somehow copied an ipv4 address worth of data to the
buffer (which contains an enum for both ipv4 and ipv6 addresses), and then
copied an ipv6 address worth of data to userspace, but I don't yet see how that
can happen.

Neil

> > Neil
> >
> 
> 
> 
> --
> Alexander Potapenko
> Software Engineer
> 
> Google Germany GmbH
> Erika-Mann-Straße, 33
> 80636 München
> 
> Managing Directors: Paul Manicle, Halimah DeLaine Prado
> Court of registration and registration number: Hamburg, HRB 86891
> Registered office: Hamburg
> 

^ permalink raw reply	[flat|nested] 34+ messages in thread
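
One way the "Bytes 8-15 of 16 are uninitialized" figure in the report could arise, along the lines of Neil's guess above, shown as an added user-space example (not code from this thread or from the kernel): an IPv4 address written field by field into a union sized for IPv6 leaves sin_zero (bytes 8-15 of the 16-byte sockaddr_in) holding whatever the buffer held before, and a 16-byte copy-out then carries those bytes along, while clearing the union before the fill removes them. The union type, the fill and copy helpers, and the 0xAA canary standing in for stale stack contents are assumptions of this model, not the kernel's own code; the address and port values are taken from the syzkaller repro quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Assumption: a simplified stand-in for a kernel-style IPv4/IPv6 address
 * union. sizeof(v4) is 16 bytes, of which sin_zero is bytes 8-15. */
union addr_model {
    struct sockaddr_in  v4;
    struct sockaddr_in6 v6;
};

/* Leaky fill: only the meaningful IPv4 fields are written, so sin_zero
 * keeps whatever the buffer held before (stale stack contents in the
 * kernel; a canary value in this model). */
static void fill_v4_leaky(union addr_model *a, uint32_t ip, uint16_t port)
{
    a->v4.sin_family      = AF_INET;
    a->v4.sin_port        = htons(port);
    a->v4.sin_addr.s_addr = htonl(ip);
}

/* Hardened fill: clear the whole union before writing the IPv4 fields. */
static void fill_v4_fixed(union addr_model *a, uint32_t ip, uint16_t port)
{
    memset(a, 0, sizeof(*a));
    fill_v4_leaky(a, ip, port);
}

/* Model of the copy-out step: the family-specific length is copied, which
 * for AF_INET is the full 16-byte sockaddr_in, padding included. */
static size_t copy_out(const union addr_model *a, unsigned char *dst, size_t dstlen)
{
    size_t len = (a->v4.sin_family == AF_INET) ? sizeof(a->v4) : sizeof(a->v6);
    if (len > dstlen)
        return 0;
    memcpy(dst, a, len);
    return len;
}

/* Count copied-out bytes in the sin_zero range that still hold the canary,
 * i.e. bytes that were never initialised before the copy. */
static int count_stale_padding(const unsigned char *out, size_t len, unsigned char canary)
{
    int stale = 0;
    for (size_t i = offsetof(struct sockaddr_in, sin_zero);
         i < len && i < sizeof(struct sockaddr_in); i++)
        if (out[i] == canary)
            stale++;
    return stale;
}

/* Run one scenario with the repro's values (loopback, port 0x4e20) and
 * return how many padding bytes reached the output uninitialised:
 * 8 for the leaky fill, 0 for the hardened one. */
int leaked_padding_bytes(int hardened)
{
    const unsigned char canary = 0xAA;   /* constructed stand-in for stale stack data */
    union addr_model a;
    unsigned char out[sizeof(union addr_model)];

    memset(&a, canary, sizeof(a));
    if (hardened)
        fill_v4_fixed(&a, 0x7f000001u, 0x4e20);
    else
        fill_v4_leaky(&a, 0x7f000001u, 0x4e20);

    size_t n = copy_out(&a, out, sizeof(out));
    return count_stale_padding(out, n, canary);
}

int main(void)
{
    printf("leaky fill:    %d stale padding bytes copied out\n", leaked_padding_bytes(0));
    printf("hardened fill: %d stale padding bytes copied out\n", leaked_padding_bytes(1));
    return 0;
}
```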

* Re: KMSAN: kernel-infoleak in sctp_getsockopt (3)
@ 2019-03-29 18:30       ` Neil Horman
  0 siblings, 0 replies; 34+ messages in thread
From: Neil Horman @ 2019-03-29 18:30 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: syzbot, David Miller, LKML, linux-sctp, Marcelo Ricardo Leitner,
	Networking, syzkaller-bugs, Vladislav Yasevich

On Fri, Mar 29, 2019 at 06:35:40PM +0100, Alexander Potapenko wrote:
> On Fri, Mar 29, 2019 at 3:51 PM Neil Horman <nhorman@tuxdriver.com> wrote:
> >
> > On Thu, Mar 28, 2019 at 09:25:06AM -0700, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
> > > git tree:       kmsan
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=107d3c7d200000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a5675814e8eae69e
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=86b5c7c236a22616a72f
> > > compiler:       clang version 8.0.0 (trunk 350509)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1252834d200000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
> > >
> > > IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
> > > IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
> > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > ==================================================================
> > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > > CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Call Trace:
> > >  __dump_stack lib/dump_stack.c:77 [inline]
> > >  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
> > >  kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
> > >  kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
> > >  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
> > >  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > >  copy_to_user include/linux/uaccess.h:174 [inline]
> > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
> > >  sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
> > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > RIP: 0033:0x458209
> > > Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> > > 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > RSP: 002b:00007fdbef191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458209
> > > RDX: 000000000000006c RSI: 0000000000000084 RDI: 0000000000000004
> > > RBP: 000000000073bf00 R08: 0000000020000300 R09: 0000000000000000
> > > R10: 0000000020000280 R11: 0000000000000246 R12: 00007fdbef1926d4
> > > R13: 00000000004c96c8 R14: 00000000004d0310 R15: 00000000ffffffff
> > >
> > > Uninit was stored to memory at:
> > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
> > >  sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
> > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Uninit was stored to memory at:
> > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > >  sctp_transport_init net/sctp/transport.c:61 [inline]
> > >  sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
> > >  sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
> > >  sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
> > >  sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
> > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > >  sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
> > >  sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
> > >  sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
> > >  sk_backlog_rcv include/net/sock.h:936 [inline]
> > >  __release_sock+0x281/0x5f0 net/core/sock.c:2284
> > >  release_sock+0x99/0x2a0 net/core/sock.c:2800
> > >  sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
> > >  sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
> > >  sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
> > >  inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
> > >  sock_sendmsg_nosec net/socket.c:622 [inline]
> > >  sock_sendmsg net/socket.c:632 [inline]
> > >  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
> > >  __sys_sendmsg net/socket.c:2153 [inline]
> > >  __do_sys_sendmsg net/socket.c:2162 [inline]
> > >  __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
> > >  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
> > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > >
> > > Local variable description: ----addr.i@sctp_process_init
> > > Variable was created at:
> > >  sctp_process_init+0xb5/0x3ed0 net/sctp/sm_make_chunk.c:2324
> > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > >
> > > Bytes 8-15 of 16 are uninitialized
> > > Memory access of size 16 starts at ffff88809511fc28
> > > Data copied to user address 0000000020000298
> > > =================================
> > >
> > >
> > > ---
> > > This bug is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this bug report. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > > syzbot can test patches for this bug, for details see:
> > > https://goo.gl/tpsmEJ#testing-patches
> > >
> > >
> >
> >
> > Hmm, odd.  I see where we are doing the copy_to_user call in
> > getsockopt_peer_addrs, but the length we copy should always be equal to or less
> > than what was memcopied to the temp variable.  False positive?
> I'll take a closer look next week.
> The bug is reproducible with the following syzkaller program:
> 
> r0 = socket$inet(0x2, 0x80001, 0x84)
> bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e20, @empty}, 0x10)
> sendmsg(r0, &(0x7f0000000100)={&(0x7f0000006000)=@in={0x2, 0x4e20,
> @loopback}, 0x80, &(0x7f0000007f80)=[{&(0x7f00000001c0)="de", 0x1}],
> 0x1}, 0x0)
> getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c,
> &(0x7f0000000000)={<r5=>0x0, 0x38,
> "41925f90e4121fadc9c1296dd22ae19d0b1b0942e46fc79e2ecec1056b23199f0ca008915d8dba1b3896c154f2244bbe859fe3423a4b437a"},
> &(0x7f0000000040)=0x40)
> 
> Just need to check where the uninitializedness comes from.
My only guess would be if we somehow copied an ipv4 address worth of data to the
buffer (which contains an enum for both ipv4 and ipv6 addresses), and then
copied an ipv6 address worth of data to userspace, but I don't yet see how that
can happen.

Neil

> > Neil
> >
> 
> 
> 
> --
> Alexander Potapenko
> Software Engineer
> 
> Google Germany GmbH
> Erika-Mann-Straße, 33
> 80636 München
> 
> Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> 

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt (3)
  2019-03-29 18:30       ` Neil Horman
@ 2019-03-29 18:51         ` Dmitry Vyukov
  -1 siblings, 0 replies; 34+ messages in thread
From: Dmitry Vyukov @ 2019-03-29 18:51 UTC (permalink / raw)
  To: Neil Horman
  Cc: Alexander Potapenko, syzbot, David Miller, LKML, linux-sctp,
	Marcelo Ricardo Leitner, Networking, syzkaller-bugs,
	Vladislav Yasevich

On Fri, Mar 29, 2019 at 7:31 PM Neil Horman <nhorman@tuxdriver.com> wrote:
>
> On Fri, Mar 29, 2019 at 06:35:40PM +0100, Alexander Potapenko wrote:
> > On Fri, Mar 29, 2019 at 3:51 PM Neil Horman <nhorman@tuxdriver.com> wrote:
> > >
> > > On Thu, Mar 28, 2019 at 09:25:06AM -0700, syzbot wrote:
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
> > > > git tree:       kmsan
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=107d3c7d200000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a5675814e8eae69e
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=86b5c7c236a22616a72f
> > > > compiler:       clang version 8.0.0 (trunk 350509)
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1252834d200000
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
> > > >
> > > > IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
> > > > IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
> > > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > > ==================================================================
> > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > > > CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
> > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > Google 01/01/2011
> > > > Call Trace:
> > > >  __dump_stack lib/dump_stack.c:77 [inline]
> > > >  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
> > > >  kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
> > > >  kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
> > > >  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
> > > >  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > > >  copy_to_user include/linux/uaccess.h:174 [inline]
> > > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
> > > >  sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
> > > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > RIP: 0033:0x458209
> > > > Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> > > > 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > RSP: 002b:00007fdbef191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458209
> > > > RDX: 000000000000006c RSI: 0000000000000084 RDI: 0000000000000004
> > > > RBP: 000000000073bf00 R08: 0000000020000300 R09: 0000000000000000
> > > > R10: 0000000020000280 R11: 0000000000000246 R12: 00007fdbef1926d4
> > > > R13: 00000000004c96c8 R14: 00000000004d0310 R15: 00000000ffffffff
> > > >
> > > > Uninit was stored to memory at:
> > > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
> > > >  sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
> > > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > >
> > > > Uninit was stored to memory at:
> > > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > > >  sctp_transport_init net/sctp/transport.c:61 [inline]
> > > >  sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
> > > >  sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
> > > >  sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
> > > >  sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
> > > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > > >  sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
> > > >  sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
> > > >  sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
> > > >  sk_backlog_rcv include/net/sock.h:936 [inline]
> > > >  __release_sock+0x281/0x5f0 net/core/sock.c:2284
> > > >  release_sock+0x99/0x2a0 net/core/sock.c:2800
> > > >  sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
> > > >  sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
> > > >  sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
> > > >  inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
> > > >  sock_sendmsg_nosec net/socket.c:622 [inline]
> > > >  sock_sendmsg net/socket.c:632 [inline]
> > > >  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
> > > >  __sys_sendmsg net/socket.c:2153 [inline]
> > > >  __do_sys_sendmsg net/socket.c:2162 [inline]
> > > >  __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
> > > >  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
> > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > >
> > > > Local variable description: ----addr.i@sctp_process_init
> > > > Variable was created at:
> > > >  sctp_process_init+0xb5/0x3ed0 net/sctp/sm_make_chunk.c:2324
> > > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > > >
> > > > Bytes 8-15 of 16 are uninitialized
> > > > Memory access of size 16 starts at ffff88809511fc28
> > > > Data copied to user address 0000000020000298
> > > > ==================================================================
> > > >
> > > >
> > > > ---
> > > > This bug is generated by a bot. It may contain errors.
> > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > >
> > > > syzbot will keep track of this bug report. See:
> > > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > > > syzbot can test patches for this bug, for details see:
> > > > https://goo.gl/tpsmEJ#testing-patches
> > > >
> > > >
> > >
> > >
> > > Hmm, odd.  I see where we are doing the copy_to_user call in
> > > getsockopt_peer_addrs, but the length we copy should always be equal to or less
> > > than what was memcopied to the temp variable.  False positive?
> > I'll take a closer look next week.
> > The bug is reproducible with the following syzkaller program:
> >
> > r0 = socket$inet(0x2, 0x80001, 0x84)
> > bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e20, @empty}, 0x10)
> > sendmsg(r0, &(0x7f0000000100)={&(0x7f0000006000)=@in={0x2, 0x4e20,
> > @loopback}, 0x80, &(0x7f0000007f80)=[{&(0x7f00000001c0)="de", 0x1}],
> > 0x1}, 0x0)
> > getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c,
> > &(0x7f0000000000)={<r5=>0x0, 0x38,
> > "41925f90e4121fadc9c1296dd22ae19d0b1b0942e46fc79e2ecec1056b23199f0ca008915d8dba1b3896c154f2244bbe859fe3423a4b437a"},
> > &(0x7f0000000040)=0x40)
> >
> > Just need to check where the uninitializedness comes from.
> my only guess would be if we somehow copied an ipv4 address worth of data to the
> buffer (which contains an enum for both ipv4 and ipv6 addresses), and then
> copied an ipv6 address worth of data to userspace,

This seems to partially confirm this:

> Bytes 8-15 of 16 are uninitialized

Not 4 bytes are initialized, but still half of the ipv6 addr.


> but I don't yet see how that
> can happen.

The repro says "#{"threaded":true,"collide":true,"repeat":true,"procs":6".
So I would assume there is a race somewhere.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt (3)
  2019-03-29 18:51         ` Dmitry Vyukov
@ 2019-03-30  7:20           ` Xin Long
  -1 siblings, 0 replies; 34+ messages in thread
From: Xin Long @ 2019-03-30  7:20 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Neil Horman, Alexander Potapenko, syzbot, David Miller, LKML,
	linux-sctp, Marcelo Ricardo Leitner, Networking, syzkaller-bugs,
	Vladislav Yasevich

On Sat, Mar 30, 2019 at 2:52 AM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Fri, Mar 29, 2019 at 7:31 PM Neil Horman <nhorman@tuxdriver.com> wrote:
> >
> > On Fri, Mar 29, 2019 at 06:35:40PM +0100, Alexander Potapenko wrote:
> > > On Fri, Mar 29, 2019 at 3:51 PM Neil Horman <nhorman@tuxdriver.com> wrote:
> > > >
> > > > On Thu, Mar 28, 2019 at 09:25:06AM -0700, syzbot wrote:
> > > > > Hello,
> > > > >
> > > > > syzbot found the following crash on:
> > > > >
> > > > > HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
> > > > > git tree:       kmsan
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=107d3c7d200000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a5675814e8eae69e
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=86b5c7c236a22616a72f
> > > > > compiler:       clang version 8.0.0 (trunk 350509)
> > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1252834d200000
> > > > >
> > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
> > > > >
> > > > > IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
> > > > > IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
> > > > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > > > ==================================================================
> > > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > > > > CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
> > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > > Google 01/01/2011
> > > > > Call Trace:
> > > > >  __dump_stack lib/dump_stack.c:77 [inline]
> > > > >  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
> > > > >  kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
> > > > >  kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
> > > > >  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
> > > > >  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > > > >  copy_to_user include/linux/uaccess.h:174 [inline]
> > > > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
> > > > >  sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
> > > > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > > > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > > > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > > > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > > > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > RIP: 0033:0x458209
> > > > > Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> > > > > 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > > RSP: 002b:00007fdbef191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458209
> > > > > RDX: 000000000000006c RSI: 0000000000000084 RDI: 0000000000000004
> > > > > RBP: 000000000073bf00 R08: 0000000020000300 R09: 0000000000000000
> > > > > R10: 0000000020000280 R11: 0000000000000246 R12: 00007fdbef1926d4
> > > > > R13: 00000000004c96c8 R14: 00000000004d0310 R15: 00000000ffffffff
> > > > >
> > > > > Uninit was stored to memory at:
> > > > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > > > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > > > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > > > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > > > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > > > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > > > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
> > > > >  sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
> > > > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > > > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > > > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > > > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > > > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > >
> > > > > Uninit was stored to memory at:
> > > > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > > > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > > > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > > > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > > > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > > > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > > > >  sctp_transport_init net/sctp/transport.c:61 [inline]
> > > > >  sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
> > > > >  sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
> > > > >  sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
> > > > >  sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
> > > > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > > > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > > > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > > > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > > > >  sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
> > > > >  sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
> > > > >  sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
> > > > >  sk_backlog_rcv include/net/sock.h:936 [inline]
> > > > >  __release_sock+0x281/0x5f0 net/core/sock.c:2284
> > > > >  release_sock+0x99/0x2a0 net/core/sock.c:2800
> > > > >  sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
> > > > >  sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
> > > > >  sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
> > > > >  inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
> > > > >  sock_sendmsg_nosec net/socket.c:622 [inline]
> > > > >  sock_sendmsg net/socket.c:632 [inline]
> > > > >  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
> > > > >  __sys_sendmsg net/socket.c:2153 [inline]
> > > > >  __do_sys_sendmsg net/socket.c:2162 [inline]
> > > > >  __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
> > > > >  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
> > > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > >
> > > > > Local variable description: ----addr.i@sctp_process_init
> > > > > Variable was created at:
> > > > >  sctp_process_init+0xb5/0x3ed0 net/sctp/sm_make_chunk.c:2324
> > > > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > > > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > > > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > > > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > > > >
> > > > > Bytes 8-15 of 16 are uninitialized
> > > > > Memory access of size 16 starts at ffff88809511fc28
> > > > > Data copied to user address 0000000020000298
> > > > > ==================================================================
> > > > >
> > > > >
> > > > > ---
> > > > > This bug is generated by a bot. It may contain errors.
> > > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > > >
> > > > > syzbot will keep track of this bug report. See:
> > > > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > > > > syzbot can test patches for this bug, for details see:
> > > > > https://goo.gl/tpsmEJ#testing-patches
> > > > >
> > > > >
> > > >
> > > >
> > > > Hmm, odd.  I see where we are doing the copy_to_user call in
> > > > getsockopt_peer_addrs, but the length we copy should always be equal to or less
> > > > than what was memcopied to the temp variable.  False positive?
> > > I'll take a closer look next week.
> > > The bug is reproducible with the following syzkaller program:
> > >
> > > r0 = socket$inet(0x2, 0x80001, 0x84)
> > > bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e20, @empty}, 0x10)
> > > sendmsg(r0, &(0x7f0000000100)={&(0x7f0000006000)=@in={0x2, 0x4e20,
> > > @loopback}, 0x80, &(0x7f0000007f80)=[{&(0x7f00000001c0)="de", 0x1}],
> > > 0x1}, 0x0)
> > > getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c,
> > > &(0x7f0000000000)={<r5=>0x0, 0x38,
> > > "41925f90e4121fadc9c1296dd22ae19d0b1b0942e46fc79e2ecec1056b23199f0ca008915d8dba1b3896c154f2244bbe859fe3423a4b437a"},
> > > &(0x7f0000000040)=0x40)
> > >
> > > Just need to check where the uninitializedness comes from.
> > my only guess would be if we somehow copied an ipv4 address worth of data to the
> > buffer (which contains an enum for both ipv4 and ipv6 addresses), and then
> > copied an ipv6 address worth of data to userspace,
>
> This seems to partially confirm this:
>
> > Bytes 8-15 of 16 are uninitialized
From the call trace, Uninit memory was stored in 'addr' when processing
SCTP_PARAM_IPV4_ADDRESS in sctp_process_param() by
af->from_addr_param/sctp_v4_from_addr_param, in which
addr->v4.sin_family/port/sin_addr was set, but not addr->v4._pad,
which matches: bytes 8-15 of 16 are uninitialized.

Then it went to sctp_transport_init(), and set the addr directly to
peer->ipaddr and added the new transport into asoc->peer.transport_addr_list.

When dumping peer_addrs in sctp_getsockopt_peer_addrs():

  memcpy(&temp, &from->ipaddr, sizeof(temp));
  copy_to_user(to, &temp, addrlen),

addrlen is sizeof(struct sockaddr_in), 16 bytes, but only the first 8
bytes were inited.

So we should fix it by setting addr->v4._pad in sctp_v4_addr_to_user as
sctp_v6_addr_to_user does:

@@ -600,6 +600,7 @@ static struct sock
*sctp_v4_create_accept_sk(struct sock *sk,
 static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr)
 {
        /* No address mapping for V4 sockets */
+       memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
        return sizeof(struct sockaddr_in);
 }
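Review bot: the description above says the fix sets addr->v4._pad, but the hunk zeroes addr->v4.sin_zero; use one name in both places so a reader can connect the memset to the "Bytes 8-15 of 16 are uninitialized" line (sin_family, sin_port and sin_addr occupy the first 8 bytes of the 16-byte struct sockaddr_in, so sizeof(addr->v4.sin_zero) is exactly the reported range). When this goes out as a patch, carry the Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com tag the report asks for, and consider a one-line comment on the memset saying the padding is never written by sctp_v4_from_addr_param(), since the existing comment only says "No address mapping for V4 sockets" and does not explain why the zeroing is needed.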


>
> Not 4 bytes are initialized, but still half of the ipv6 addr.
>
>
> > but I don't yet see how that
> > can happen.
>
> The repro says "#{"threaded":true,"collide":true,"repeat":true,"procs":6".
> So I would assume there is a race somewhere.

^ permalink raw reply	[flat|nested] 34+ messages in thread
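The leak pattern analysed in the message above, as an added user-space model (this is example code written for this page, not code from the thread or from the kernel): a union holding either an IPv4 or an IPv6 socket address is filled field by field, so the `sin_zero` padding of `struct sockaddr_in` keeps whatever the stack held, and a `copy_to_user()` of `sizeof(struct sockaddr_in)` bytes then carries those 8 bytes out. User space has no KMSAN, so the model poisons the temporary with a constructed 0xAA byte and counts how many poisoned bytes reach the "user" buffer; the union name `sctp_addr_model`, the helper names and the poison value are assumptions made for the demo. The port and address values are the ones from the syzkaller repro (port 0x4e20, loopback).

```c
/* Added example, not kernel code: models the partially initialised
 * sockaddr_in that KMSAN flagged in sctp_getsockopt_peer_addrs(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define POISON 0xAA   /* stands in for stale stack contents (KMSAN's "uninit") */

/* Constructed stand-in for the kernel's union sctp_addr. */
union sctp_addr_model {
    struct sockaddr_in  v4;
    struct sockaddr_in6 v6;
};

/* Mirrors what the thread says sctp_v4_from_addr_param() does: it writes
 * sin_family, sin_port and sin_addr only, never the trailing padding. */
static void v4_from_addr_param(union sctp_addr_model *addr,
                               uint16_t port_be, uint32_t ip_be)
{
    addr->v4.sin_family      = AF_INET;
    addr->v4.sin_port        = port_be;
    addr->v4.sin_addr.s_addr = ip_be;
}

/* Unfixed addr_to_user: reports the length but touches no bytes. */
static int v4_addr_to_user_unfixed(union sctp_addr_model *addr)
{
    (void)addr;
    return sizeof(struct sockaddr_in);
}

/* Fixed variant, as proposed in the thread: zero the padding first. */
static int v4_addr_to_user_fixed(union sctp_addr_model *addr)
{
    memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
    return sizeof(struct sockaddr_in);
}

/* Runs the getsockopt path: poison the kernel-side temp, fill it the way
 * INIT processing does, then copy addrlen bytes to a "user" buffer.
 * Returns the number of copied bytes that still carry the poison (the leak
 * size) and reports the first/last leaked offsets the way KMSAN does. */
static size_t run_peer_addrs_dump(int (*addr_to_user)(union sctp_addr_model *),
                                  size_t *first, size_t *last)
{
    union sctp_addr_model temp;
    unsigned char user_buf[sizeof(union sctp_addr_model)];
    size_t leaked = 0, i;
    int addrlen;

    memset(&temp, POISON, sizeof(temp));               /* stale stack */
    v4_from_addr_param(&temp, htons(0x4e20), htonl(INADDR_LOOPBACK));
    addrlen = addr_to_user(&temp);
    memcpy(user_buf, &temp, (size_t)addrlen);          /* the copy_to_user() */

    *first = *last = 0;
    for (i = 0; i < (size_t)addrlen; i++) {
        if (user_buf[i] == POISON) {
            if (leaked == 0)
                *first = i;
            *last = i;
            leaked++;
        }
    }
    return leaked;
}

/* Small wrappers so the two outcomes can be checked by name. */
size_t leaked_bytes_unfixed(void)
{
    size_t f, l;
    return run_peer_addrs_dump(v4_addr_to_user_unfixed, &f, &l);
}
size_t unfixed_first_leaked_offset(void)
{
    size_t f, l;
    run_peer_addrs_dump(v4_addr_to_user_unfixed, &f, &l);
    return f;
}
size_t unfixed_last_leaked_offset(void)
{
    size_t f, l;
    run_peer_addrs_dump(v4_addr_to_user_unfixed, &f, &l);
    return l;
}
size_t leaked_bytes_fixed(void)
{
    size_t f, l;
    return run_peer_addrs_dump(v4_addr_to_user_fixed, &f, &l);
}

int main(void)
{
    size_t first, last, n;

    n = run_peer_addrs_dump(v4_addr_to_user_unfixed, &first, &last);
    printf("unfixed: bytes %zu-%zu of %zu are uninitialized (%zu bytes leaked)\n",
           first, last, sizeof(struct sockaddr_in), n);
    n = run_peer_addrs_dump(v4_addr_to_user_fixed, &first, &last);
    printf("fixed:   %zu uninitialized bytes copied\n", n);
    return 0;
}
```

Built with `cc -Wall` on Linux (where `struct sockaddr_in` is 16 bytes with an 8-byte `sin_zero`), the unfixed path prints bytes 8-15 of 16 as uninitialized, the same range KMSAN reported, and the fixed path leaks nothing. The poison byte is a coarse substitute for KMSAN's shadow memory: it shows which bytes were never written, which is the question the report answers, but it cannot distinguish "written with 0xAA" from "never written", so the sample values were chosen not to contain that byte.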

* Re: KMSAN: kernel-infoleak in sctp_getsockopt (3)
  2019-03-30  7:20           ` Xin Long
@ 2019-04-01  8:42             ` Alexander Potapenko
  -1 siblings, 0 replies; 34+ messages in thread
From: Alexander Potapenko @ 2019-04-01  8:42 UTC (permalink / raw)
  To: Xin Long
  Cc: Dmitry Vyukov, Neil Horman, syzbot, David Miller, LKML,
	linux-sctp, Marcelo Ricardo Leitner, Networking, syzkaller-bugs,
	Vladislav Yasevich

On Sat, Mar 30, 2019 at 8:20 AM Xin Long <lucien.xin@gmail.com> wrote:
>
> On Sat, Mar 30, 2019 at 2:52 AM Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> > On Fri, Mar 29, 2019 at 7:31 PM Neil Horman <nhorman@tuxdriver.com> wrote:
> > >
> > > On Fri, Mar 29, 2019 at 06:35:40PM +0100, Alexander Potapenko wrote:
> > > > On Fri, Mar 29, 2019 at 3:51 PM Neil Horman <nhorman@tuxdriver.com> wrote:
> > > > >
> > > > > On Thu, Mar 28, 2019 at 09:25:06AM -0700, syzbot wrote:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
> > > > > > git tree:       kmsan
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=107d3c7d200000
> > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a5675814e8eae69e
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=86b5c7c236a22616a72f
> > > > > > compiler:       clang version 8.0.0 (trunk 350509)
> > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1252834d200000
> > > > > >
> > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > > Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
> > > > > >
> > > > > > IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
> > > > > > IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
> > > > > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > > > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > > > > ==================================================================
> > > > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > > > > > CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
> > > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > > > Google 01/01/2011
> > > > > > Call Trace:
> > > > > >  __dump_stack lib/dump_stack.c:77 [inline]
> > > > > >  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
> > > > > >  kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
> > > > > >  kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
> > > > > >  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
> > > > > >  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > > > > >  copy_to_user include/linux/uaccess.h:174 [inline]
> > > > > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
> > > > > >  sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
> > > > > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > > > > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > > > > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > > > > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > > > > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > > > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > RIP: 0033:0x458209
> > > > > > Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> > > > > > 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > > > RSP: 002b:00007fdbef191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458209
> > > > > > RDX: 000000000000006c RSI: 0000000000000084 RDI: 0000000000000004
> > > > > > RBP: 000000000073bf00 R08: 0000000020000300 R09: 0000000000000000
> > > > > > R10: 0000000020000280 R11: 0000000000000246 R12: 00007fdbef1926d4
> > > > > > R13: 00000000004c96c8 R14: 00000000004d0310 R15: 00000000ffffffff
> > > > > >
> > > > > > Uninit was stored to memory at:
> > > > > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > > > > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > > > > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > > > > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > > > > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > > > > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > > > > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
> > > > > >  sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
> > > > > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > > > > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > > > > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > > > > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > > > > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > > > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > >
> > > > > > Uninit was stored to memory at:
> > > > > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > > > > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > > > > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > > > > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > > > > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > > > > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > > > > >  sctp_transport_init net/sctp/transport.c:61 [inline]
> > > > > >  sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
> > > > > >  sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
> > > > > >  sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
> > > > > >  sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
> > > > > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > > > > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > > > > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > > > > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > > > > >  sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
> > > > > >  sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
> > > > > >  sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
> > > > > >  sk_backlog_rcv include/net/sock.h:936 [inline]
> > > > > >  __release_sock+0x281/0x5f0 net/core/sock.c:2284
> > > > > >  release_sock+0x99/0x2a0 net/core/sock.c:2800
> > > > > >  sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
> > > > > >  sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
> > > > > >  sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
> > > > > >  inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
> > > > > >  sock_sendmsg_nosec net/socket.c:622 [inline]
> > > > > >  sock_sendmsg net/socket.c:632 [inline]
> > > > > >  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
> > > > > >  __sys_sendmsg net/socket.c:2153 [inline]
> > > > > >  __do_sys_sendmsg net/socket.c:2162 [inline]
> > > > > >  __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
> > > > > >  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
> > > > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > >
> > > > > > Local variable description: ----addr.i@sctp_process_init
> > > > > > Variable was created at:
> > > > > >  sctp_process_init+0xb5/0x3ed0 net/sctp/sm_make_chunk.c:2324
> > > > > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > > > > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > > > > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > > > > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > > > > >
> > > > > > Bytes 8-15 of 16 are uninitialized
> > > > > > Memory access of size 16 starts at ffff88809511fc28
> > > > > > Data copied to user address 0000000020000298
> > > > > > ==================================================================
> > > > > >
> > > > > >
> > > > > > ---
> > > > > > This bug is generated by a bot. It may contain errors.
> > > > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > > > >
> > > > > > syzbot will keep track of this bug report. See:
> > > > > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > > > > > syzbot can test patches for this bug, for details see:
> > > > > > https://goo.gl/tpsmEJ#testing-patches
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > Hmm, odd.  I see where we are doing the copy_to_user call in
> > > > > getsockopt_peer_addrs, but the length we copy should always be equal to or less
> > > > > than what was memcopied to the temp variable.  False positive?
> > > > I'll take a closer look next week.
> > > > The bug is reproducible with the following syzkaller program:
> > > >
> > > > r0 = socket$inet(0x2, 0x80001, 0x84)
> > > > bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e20, @empty}, 0x10)
> > > > sendmsg(r0, &(0x7f0000000100)={&(0x7f0000006000)=@in={0x2, 0x4e20,
> > > > @loopback}, 0x80, &(0x7f0000007f80)=[{&(0x7f00000001c0)="de", 0x1}],
> > > > 0x1}, 0x0)
> > > > getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c,
> > > > &(0x7f0000000000)={<r5=>0x0, 0x38,
> > > > "41925f90e4121fadc9c1296dd22ae19d0b1b0942e46fc79e2ecec1056b23199f0ca008915d8dba1b3896c154f2244bbe859fe3423a4b437a"},
> > > > &(0x7f0000000040)=0x40)
> > > >
> > > > Just need to check where the uninitializedness comes from.
> > > my only guess would be if we somehow copied an ipv4 address worth of data to the
> > > buffer (which contains an enum for both ipv4 and ipv6 addresses), and then
> > > copied an ipv6 address worth of data to userspace,
> >
> > This seems to partially confirm this:
> >
> > > Bytes 8-15 of 16 are uninitialized
> From the call trace, Uninit memory was stored in 'addr' when processing
> SCTP_PARAM_IPV4_ADDRESS in sctp_process_param() by
> af->from_addr_param/sctp_v4_from_addr_param, in which
> addr->v4.sin_family/port/sin_addr was set, but not addr->v4._pad,
> which matches: bytes 8-15 of 16 are uninitialized.
>
> Then it went to sctp_transport_init(), and set the addr directly to
> peer->ipaddr and added the new transport into asoc->peer.transport_addr_list.
Thanks for the analysis!
> When dumping peer_addrs in sctp_getsockopt_peer_addrs():
>
>   memcpy(&temp, &from->ipaddr, sizeof(temp));
>   copy_to_user(to, &temp, addrlen),
>
> addrlen is sizeof(struct sockaddr_in), 16 bytes, but only the first 8
> bytes were inited.
>
> So we should fix it by setting addr->v4._pad in sctp_v4_addr_to_user as
> sctp_v6_addr_to_user does:
>
> @@ -600,6 +600,7 @@ static struct sock
> *sctp_v4_create_accept_sk(struct sock *sk,
>  static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr)
>  {
>         /* No address mapping for V4 sockets */
> +       memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
>         return sizeof(struct sockaddr_in);
>  }
I can confirm this is a valid fix.
>
> >
> > Not 4 bytes are initialized, but still half of the ipv6 addr.
> >
> >
> > > but I don't yet see how that
> > > can happen.
> >
> > The repro says "#{"threaded":true,"collide":true,"repeat":true,"procs":6".
> > So I would assume there is a race somewhere.



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing directors: Paul Manicle, Halimah DeLaine Prado
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: KMSAN: kernel-infoleak in sctp_getsockopt (3)
@ 2019-04-01  8:42             ` Alexander Potapenko
  0 siblings, 0 replies; 34+ messages in thread
From: Alexander Potapenko @ 2019-04-01  8:42 UTC (permalink / raw)
  To: Xin Long
  Cc: Dmitry Vyukov, Neil Horman, syzbot, David Miller, LKML,
	linux-sctp, Marcelo Ricardo Leitner, Networking, syzkaller-bugs,
	Vladislav Yasevich

On Sat, Mar 30, 2019 at 8:20 AM Xin Long <lucien.xin@gmail.com> wrote:
>
> On Sat, Mar 30, 2019 at 2:52 AM Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> > On Fri, Mar 29, 2019 at 7:31 PM Neil Horman <nhorman@tuxdriver.com> wrote:
> > >
> > > On Fri, Mar 29, 2019 at 06:35:40PM +0100, Alexander Potapenko wrote:
> > > > On Fri, Mar 29, 2019 at 3:51 PM Neil Horman <nhorman@tuxdriver.com> wrote:
> > > > >
> > > > > On Thu, Mar 28, 2019 at 09:25:06AM -0700, syzbot wrote:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit:    c10a026b kmsan: use __free_pages() in kmsan_iounmap_page_r..
> > > > > > git tree:       kmsan
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=107d3c7d200000
> > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a5675814e8eae69e
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=86b5c7c236a22616a72f
> > > > > > compiler:       clang version 8.0.0 (trunk 350509)
> > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1252834d200000
> > > > > >
> > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > > Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
> > > > > >
> > > > > > IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
> > > > > > IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
> > > > > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > > > > 8021q: adding VLAN 0 to HW filter on device batadv0
> > > > > > ==================================================================
> > > > > > BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > > > > > CPU: 0 PID: 10131 Comm: syz-executor.4 Not tainted 5.0.0+ #16
> > > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > > > Google 01/01/2011
> > > > > > Call Trace:
> > > > > >  __dump_stack lib/dump_stack.c:77 [inline]
> > > > > >  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
> > > > > >  kmsan_report+0x131/0x2a0 mm/kmsan/kmsan.c:636
> > > > > >  kmsan_internal_check_memory+0xaa1/0xbb0 mm/kmsan/kmsan.c:730
> > > > > >  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:485
> > > > > >  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
> > > > > >  copy_to_user include/linux/uaccess.h:174 [inline]
> > > > > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
> > > > > >  sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
> > > > > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > > > > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > > > > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > > > > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > > > > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > > > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > > RIP: 0033:0x458209
> > > > > > Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> > > > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> > > > > > 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > > > > > RSP: 002b:00007fdbef191c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
> > > > > > RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458209
> > > > > > RDX: 000000000000006c RSI: 0000000000000084 RDI: 0000000000000004
> > > > > > RBP: 000000000073bf00 R08: 0000000020000300 R09: 0000000000000000
> > > > > > R10: 0000000020000280 R11: 0000000000000246 R12: 00007fdbef1926d4
> > > > > > R13: 00000000004c96c8 R14: 00000000004d0310 R15: 00000000ffffffff
> > > > > >
> > > > > > Uninit was stored to memory at:
> > > > > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > > > > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > > > > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > > > > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > > > > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > > > > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > > > > >  sctp_getsockopt_peer_addrs net/sctp/socket.c:5906 [inline]
> > > > > >  sctp_getsockopt+0x16556/0x17f70 net/sctp/socket.c:7562
> > > > > >  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2950
> > > > > >  __sys_getsockopt+0x489/0x550 net/socket.c:1938
> > > > > >  __do_sys_getsockopt net/socket.c:1949 [inline]
> > > > > >  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1946
> > > > > >  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1946
> > > > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > >
> > > > > > Uninit was stored to memory at:
> > > > > >  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:205 [inline]
> > > > > >  kmsan_save_stack mm/kmsan/kmsan.c:220 [inline]
> > > > > >  kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:426
> > > > > >  kmsan_memcpy_memmove_metadata+0xb5b/0xfe0 mm/kmsan/kmsan.c:304
> > > > > >  kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:324
> > > > > >  __msan_memcpy+0x58/0x70 mm/kmsan/kmsan_instr.c:139
> > > > > >  sctp_transport_init net/sctp/transport.c:61 [inline]
> > > > > >  sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
> > > > > >  sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
> > > > > >  sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
> > > > > >  sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
> > > > > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > > > > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > > > > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > > > > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > > > > >  sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1074
> > > > > >  sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:95
> > > > > >  sctp_backlog_rcv+0x20a/0xaf0 net/sctp/input.c:354
> > > > > >  sk_backlog_rcv include/net/sock.h:936 [inline]
> > > > > >  __release_sock+0x281/0x5f0 net/core/sock.c:2284
> > > > > >  release_sock+0x99/0x2a0 net/core/sock.c:2800
> > > > > >  sctp_wait_for_connect+0x3ee/0x860 net/sctp/socket.c:8751
> > > > > >  sctp_sendmsg_to_asoc+0x2167/0x21a0 net/sctp/socket.c:1967
> > > > > >  sctp_sendmsg+0x3fd7/0x6700 net/sctp/socket.c:2113
> > > > > >  inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
> > > > > >  sock_sendmsg_nosec net/socket.c:622 [inline]
> > > > > >  sock_sendmsg net/socket.c:632 [inline]
> > > > > >  ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2115
> > > > > >  __sys_sendmsg net/socket.c:2153 [inline]
> > > > > >  __do_sys_sendmsg net/socket.c:2162 [inline]
> > > > > >  __se_sys_sendmsg+0x305/0x460 net/socket.c:2160
> > > > > >  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2160
> > > > > >  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
> > > > > >  entry_SYSCALL_64_after_hwframe+0x63/0xe7
> > > > > >
> > > > > > Local variable description: ----addr.i@sctp_process_init
> > > > > > Variable was created at:
> > > > > >  sctp_process_init+0xb5/0x3ed0 net/sctp/sm_make_chunk.c:2324
> > > > > >  sctp_cmd_process_init net/sctp/sm_sideeffect.c:682 [inline]
> > > > > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1410 [inline]
> > > > > >  sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
> > > > > >  sctp_do_sm+0x3cfc/0x9af0 net/sctp/sm_sideeffect.c:1191
> > > > > >
> > > > > > Bytes 8-15 of 16 are uninitialized
> > > > > > Memory access of size 16 starts at ffff88809511fc28
> > > > > > Data copied to user address 0000000020000298
> > > > > > ==================================================================
> > > > > >
> > > > > >
> > > > > > ---
> > > > > > This bug is generated by a bot. It may contain errors.
> > > > > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > > > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > > > > >
> > > > > > syzbot will keep track of this bug report. See:
> > > > > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > > > > > syzbot can test patches for this bug, for details see:
> > > > > > https://goo.gl/tpsmEJ#testing-patches
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > Hmm, odd.  I see where we are doing the copy_to_user call in
> > > > > getsockopt_peer_addrs, but the length we copy should always be equal to or less
> > > > > than what was memcopied to the temp variable.  False positive?
> > > > I'll take a closer look next week.
> > > > The bug is reproducible with the following syzkaller program:
> > > >
> > > > r0 = socket$inet(0x2, 0x80001, 0x84)
> > > > bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e20, @empty}, 0x10)
> > > > sendmsg(r0, &(0x7f0000000100)={&(0x7f0000006000)=@in={0x2, 0x4e20,
> > > > @loopback}, 0x80, &(0x7f0000007f80)=[{&(0x7f00000001c0)="de", 0x1}],
> > > > 0x1}, 0x0)
> > > > getsockopt$inet_sctp_SCTP_GET_PEER_ADDRS(r0, 0x84, 0x6c,
> > > > &(0x7f0000000000)={<r5=>0x0, 0x38,
> > > > "41925f90e4121fadc9c1296dd22ae19d0b1b0942e46fc79e2ecec1056b23199f0ca008915d8dba1b3896c154f2244bbe859fe3423a4b437a"},
> > > > &(0x7f0000000040)=0x40)
> > > >
> > > > Just need to check where the uninitializedness comes from.
> > > My only guess would be if we somehow copied an ipv4 address worth of data to the
> > > buffer (which contains an enum for both ipv4 and ipv6 addresses), and then
> > > copied an ipv6 address worth of data to userspace,
> >
> > This seems to partially confirm this:
> >
> > > Bytes 8-15 of 16 are uninitialized
> From the call trace, uninit memory was stored in 'addr' when processing
> SCTP_PARAM_IPV4_ADDRESS in sctp_process_param() by
> af->from_addr_param/sctp_v4_from_addr_param, in which
> addr->v4.sin_family/port/sin_addr was set, but not addr->v4._pad,
> which matches: 8-15 of 16 are uninitialized.
>
> Then it went to sctp_transport_init(), and set the addr directly to
> peer->ipaddr and added the new transport into asoc->peer.transport_addr_list.
Thanks for the analysis!
> When dumping peer_addrs in sctp_getsockopt_peer_addrs():
>
>   memcpy(&temp, &from->ipaddr, sizeof(temp));
>   copy_to_user(to, &temp, addrlen),
>
> addrlen is sizeof(struct sockaddr_in), 16 bytes, but only the first 8
> bytes were inited.
>
> So we should fix it by setting addr->v4._pad in sctp_v4_addr_to_user as
> sctp_v6_addr_to_user does:
>
> @@ -600,6 +600,7 @@ static struct sock
> *sctp_v4_create_accept_sk(struct sock *sk,
>  static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr)
>  {
>         /* No address mapping for V4 sockets */
> +       memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
>         return sizeof(struct sockaddr_in);
>  }
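Review bot: the added memset zeroes addr->v4.sin_zero while the explanation above names addr->v4._pad; these are the same bytes (the kernel's uapi in.h defines sin_zero as an alias for the __pad member of struct sockaddr_in), but the line now sits directly under the comment "/* No address mapping for V4 sockets */", which no longer describes what follows it. Suggest a second comment stating why the padding must be cleared here, e.g. `/* sctp_v4_from_addr_param() never writes the padding; clear it before copy_to_user() */`, so a later reader does not drop the memset as redundant. It would also help to name in the commit message that sctp_v6_addr_to_user already does the equivalent, as the text above says, so the two helpers are visibly symmetric.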
I can confirm this is a valid fix.
>
> >
> > Not 4 bytes are initialized, but still half of the ipv6 addr.
> >
> >
> > > but I don't yet see how that
> > > can happen.
> >
> > The repro says "#{"threaded":true,"collide":true,"repeat":true,"procs":6".
> > So I would assume there is a race somewhere.



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
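The padding leak Xin Long describes above, as an added C model that is not kernel code: the demo_* structures and functions are hypothetical stand-ins for struct sockaddr_in, union sctp_addr, sctp_v4_from_addr_param(), sctp_v4_addr_to_user() and the memcpy/copy_to_user sequence in sctp_getsockopt_peer_addrs(); the 0xAA poison byte and the 127.0.0.1:20000 peer are constructed so the leak is observable deterministically in user space. The pre-fix and fixed addr_to_user variants sit side by side, and the harness counts how many poisoned bytes reach the "user" buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel's struct sockaddr_in / sockaddr_in6
 * and union sctp_addr (all demo_* names are hypothetical). The v4 member
 * mirrors the 16-byte sockaddr_in: 8 bytes of fields, 8 bytes of padding. */
struct demo_sockaddr_in {
    uint16_t sin_family;
    uint16_t sin_port;
    uint32_t sin_addr;
    uint8_t  sin_zero[8];   /* the padding the report shows as bytes 8-15 */
};

struct demo_sockaddr_in6 {
    uint16_t sin6_family;
    uint16_t sin6_port;
    uint32_t sin6_flowinfo;
    uint8_t  sin6_addr[16];
    uint32_t sin6_scope_id;
};

union demo_sctp_addr {
    struct demo_sockaddr_in  v4;
    struct demo_sockaddr_in6 v6;
};

/* Constructed "stale stack" byte: stands in for whatever an uninitialized
 * slot happens to hold, so the leak can be counted deterministically. */
#define DEMO_STALE 0xAA

typedef int (*demo_addr_to_user_fn)(union demo_sctp_addr *addr);

/* Models sctp_v4_from_addr_param(): writes family, port and address only. */
static void demo_v4_from_addr_param(union demo_sctp_addr *addr,
                                    uint32_t ip, uint16_t port)
{
    addr->v4.sin_family = 2;     /* AF_INET */
    addr->v4.sin_port   = port;
    addr->v4.sin_addr   = ip;
}

/* Pre-fix sctp_v4_addr_to_user(): reports the length, leaves sin_zero alone. */
static int demo_v4_addr_to_user_vulnerable(union demo_sctp_addr *addr)
{
    (void)addr;
    return (int)sizeof(struct demo_sockaddr_in);
}

/* Fixed variant, as in the quoted hunk: clear the padding before it is copied out. */
static int demo_v4_addr_to_user_fixed(union demo_sctp_addr *addr)
{
    memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
    return (int)sizeof(struct demo_sockaddr_in);
}

/* Models the sctp_getsockopt_peer_addrs() sequence: memcpy the peer address
 * into temp, ask addr_to_user() for the length, copy that many bytes to the
 * caller. Returns how many DEMO_STALE bytes reached the user buffer, or -1
 * when the buffer is too small (the kernel's space_left check). */
static int demo_dump_peer_addr(demo_addr_to_user_fn to_user,
                               uint8_t *user_buf, size_t user_len)
{
    union demo_sctp_addr addr, temp;
    int addrlen, leaked = 0, i;

    memset(&addr, DEMO_STALE, sizeof(addr));              /* poison, see above */
    demo_v4_from_addr_param(&addr, 0x7f000001u, 0x4e20);  /* constructed peer */

    memcpy(&temp, &addr, sizeof(temp));
    addrlen = to_user(&temp);
    if (addrlen < 0 || (size_t)addrlen > user_len)
        return -1;
    memcpy(user_buf, &temp, (size_t)addrlen);             /* the copy_to_user() step */

    for (i = 0; i < addrlen; i++)
        if (user_buf[i] == DEMO_STALE)
            leaked++;
    return leaked;
}

/* Stale byte count seen by user space with each addr_to_user variant. */
int demo_leaked_bytes_vulnerable(void)
{
    uint8_t buf[sizeof(union demo_sctp_addr)];
    return demo_dump_peer_addr(demo_v4_addr_to_user_vulnerable, buf, sizeof(buf));
}

int demo_leaked_bytes_fixed(void)
{
    uint8_t buf[sizeof(union demo_sctp_addr)];
    return demo_dump_peer_addr(demo_v4_addr_to_user_fixed, buf, sizeof(buf));
}

int main(void)
{
    printf("stale bytes copied out, unfixed: %d\n", demo_leaked_bytes_vulnerable());
    printf("stale bytes copied out, fixed:   %d\n", demo_leaked_bytes_fixed());
    return 0;
}
```

The unfixed path hands 8 poisoned bytes (offsets 8-15 of the 16 copied) to the caller, exactly the range KMSAN flagged; the fixed path hands over none. The same poison-then-count pattern is a cheap regression test for any copy-to-user of a struct that has padding or a union whose smaller member is in use.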



Thread overview: 34+ messages (download: mbox.gz / follow: Atom feed)
2019-03-28 16:25 KMSAN: kernel-infoleak in sctp_getsockopt (3) syzbot
2019-03-28 16:25 ` syzbot
2019-03-29 14:50 ` Neil Horman
2019-03-29 14:50   ` Neil Horman
2019-03-29 17:35   ` Alexander Potapenko
2019-03-29 17:35     ` Alexander Potapenko
2019-03-29 18:30     ` Neil Horman
2019-03-29 18:30       ` Neil Horman
2019-03-29 18:51       ` Dmitry Vyukov
2019-03-29 18:51         ` Dmitry Vyukov
2019-03-30  7:20         ` Xin Long
2019-03-30  7:20           ` Xin Long
2019-04-01  8:42           ` Alexander Potapenko
2019-04-01  8:42             ` Alexander Potapenko
  -- strict thread matches above, loose matches on Subject: below --
2019-01-14 11:08 KMSAN: kernel-infoleak in sctp_getsockopt (2) syzbot
2019-01-14 11:08 ` syzbot
2018-12-05 19:31 KMSAN: kernel-infoleak in sctp_getsockopt syzbot
2018-12-05 19:31 ` syzbot
2018-12-06 10:36 ` Alexander Potapenko
2018-12-06 10:36   ` Alexander Potapenko
2018-12-06 11:06   ` Marcelo Ricardo Leitner
2018-12-06 11:06     ` Marcelo Ricardo Leitner
2018-12-06 11:35     ` Alexander Potapenko
2018-12-06 11:35       ` Alexander Potapenko
2018-12-10  8:56     ` Xin Long
2018-12-10  8:56       ` Xin Long
2019-01-14  9:34       ` Alexander Potapenko
2019-01-14  9:34         ` Alexander Potapenko
2019-01-14  9:55         ` Xin Long
2019-01-14  9:55           ` Xin Long
2019-01-14  9:58           ` Alexander Potapenko
2019-01-14  9:58             ` Alexander Potapenko
2019-01-14 11:09             ` Dmitry Vyukov
2019-01-14 11:09               ` Dmitry Vyukov
