[syzbot] KMSAN: uninit-value in from_kuid
13 views
Skip to first unread message
syzbot
Nov 27, 2021, 10:50:28 AM11/27/21
to ak...@linux-foundation.org, christia...@ubuntu.com, cxfc...@gmail.com, ebie...@xmission.com, gli...@google.com, leg...@kernel.org, linux-...@vger.kernel.org, se...@hallyn.com, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 425295055ce6 kmsan: core: address comments to kmsan-checks.h
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1640209ab00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d142cdf4204061
dashboard link: https://syzkaller.appspot.com/bug?extid=dfac92a50024b54acaa4
compiler: clang version 14.0.0 (g...@github.com:llvm/llvm-project.git 0996585c8e3b3d409494eb5f1cad714b9e1f7fb5), GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dfac92...@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in map_id_up_base kernel/user_namespace.c:335 [inline]
BUG: KMSAN: uninit-value in map_id_up kernel/user_namespace.c:365 [inline]
BUG: KMSAN: uninit-value in from_kuid+0x51d/0xbd0 kernel/user_namespace.c:413
map_id_up_base kernel/user_namespace.c:335 [inline]
map_id_up kernel/user_namespace.c:365 [inline]
from_kuid+0x51d/0xbd0 kernel/user_namespace.c:413
p9pdu_vwritef+0x15ab/0x5120 net/9p/protocol.c:398
p9pdu_writef+0x23a/0x280 net/9p/protocol.c:539
p9pdu_vwritef+0x21f0/0x5120 net/9p/protocol.c:490
p9_client_prepare_req+0xa4b/0xff0 net/9p/client.c:709
p9_client_rpc+0x278/0x1410 net/9p/client.c:740
p9_client_setattr+0x115/0x2c0 net/9p/client.c:1899
v9fs_vfs_setattr_dotl+0x7e2/0xd70 fs/9p/vfs_inode_dotl.c:590
notify_change+0x1fe3/0x2170 fs/attr.c:410
vfs_utimes+0x8aa/0xc70 fs/utimes.c:65
do_utimes_path fs/utimes.c:98 [inline]
do_utimes fs/utimes.c:144 [inline]
__do_sys_utime32 fs/utimes.c:247 [inline]
__se_sys_utime32+0x386/0x520 fs/utimes.c:235
__ia32_sys_utime32+0x91/0xc0 fs/utimes.c:235
do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
__do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Uninit was stored to memory at:
v9fs_vfs_setattr_dotl+0x58a/0xd70 fs/9p/vfs_inode_dotl.c:567
notify_change+0x1fe3/0x2170 fs/attr.c:410
vfs_utimes+0x8aa/0xc70 fs/utimes.c:65
do_utimes_path fs/utimes.c:98 [inline]
do_utimes fs/utimes.c:144 [inline]
__do_sys_utime32 fs/utimes.c:247 [inline]
__se_sys_utime32+0x386/0x520 fs/utimes.c:235
__ia32_sys_utime32+0x91/0xc0 fs/utimes.c:235
do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
__do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Local variable newattrs created at:
vfs_utimes+0x69/0xc70 fs/utimes.c:22
do_utimes_path fs/utimes.c:98 [inline]
do_utimes fs/utimes.c:144 [inline]
__do_sys_utime32 fs/utimes.c:247 [inline]
__se_sys_utime32+0x386/0x520 fs/utimes.c:235
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 425295055ce6 kmsan: core: address comments to kmsan-checks.h
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1640209ab00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d142cdf4204061
dashboard link: https://syzkaller.appspot.com/bug?extid=dfac92a50024b54acaa4
compiler: clang version 14.0.0 (g...@github.com:llvm/llvm-project.git 0996585c8e3b3d409494eb5f1cad714b9e1f7fb5), GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dfac92...@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in map_id_up_base kernel/user_namespace.c:335 [inline]
BUG: KMSAN: uninit-value in map_id_up kernel/user_namespace.c:365 [inline]
BUG: KMSAN: uninit-value in from_kuid+0x51d/0xbd0 kernel/user_namespace.c:413
map_id_up_base kernel/user_namespace.c:335 [inline]
map_id_up kernel/user_namespace.c:365 [inline]
from_kuid+0x51d/0xbd0 kernel/user_namespace.c:413
p9pdu_vwritef+0x15ab/0x5120 net/9p/protocol.c:398
p9pdu_writef+0x23a/0x280 net/9p/protocol.c:539
p9pdu_vwritef+0x21f0/0x5120 net/9p/protocol.c:490
p9_client_prepare_req+0xa4b/0xff0 net/9p/client.c:709
p9_client_rpc+0x278/0x1410 net/9p/client.c:740
p9_client_setattr+0x115/0x2c0 net/9p/client.c:1899
v9fs_vfs_setattr_dotl+0x7e2/0xd70 fs/9p/vfs_inode_dotl.c:590
notify_change+0x1fe3/0x2170 fs/attr.c:410
vfs_utimes+0x8aa/0xc70 fs/utimes.c:65
do_utimes_path fs/utimes.c:98 [inline]
do_utimes fs/utimes.c:144 [inline]
__do_sys_utime32 fs/utimes.c:247 [inline]
__se_sys_utime32+0x386/0x520 fs/utimes.c:235
__ia32_sys_utime32+0x91/0xc0 fs/utimes.c:235
do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
__do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Uninit was stored to memory at:
v9fs_vfs_setattr_dotl+0x58a/0xd70 fs/9p/vfs_inode_dotl.c:567
notify_change+0x1fe3/0x2170 fs/attr.c:410
vfs_utimes+0x8aa/0xc70 fs/utimes.c:65
do_utimes_path fs/utimes.c:98 [inline]
do_utimes fs/utimes.c:144 [inline]
__do_sys_utime32 fs/utimes.c:247 [inline]
__se_sys_utime32+0x386/0x520 fs/utimes.c:235
__ia32_sys_utime32+0x91/0xc0 fs/utimes.c:235
do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
__do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Local variable newattrs created at:
vfs_utimes+0x69/0xc70 fs/utimes.c:22
do_utimes_path fs/utimes.c:98 [inline]
do_utimes fs/utimes.c:144 [inline]
__do_sys_utime32 fs/utimes.c:247 [inline]
__se_sys_utime32+0x386/0x520 fs/utimes.c:235
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Christian Brauner
Nov 29, 2021, 6:47:22 AM11/29/21
to syzbot, ak...@linux-foundation.org, cxfc...@gmail.com, ebie...@xmission.com, gli...@google.com, leg...@kernel.org, linux-...@vger.kernel.org, se...@hallyn.com, syzkall...@googlegroups.com
It copies struct iattr values without checking ia_valid. That's causing
uninitalized memory to be copied. I sent a fix to 9p for this.
Christian
Alexander Potapenko
Nov 29, 2021, 7:04:28 AM11/29/21
to Christian Brauner, syzbot, ak...@linux-foundation.org, cxfc...@gmail.com, ebie...@xmission.com, leg...@kernel.org, linux-...@vger.kernel.org, se...@hallyn.com, syzkall...@googlegroups.com
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Alexander Potapenko
Nov 29, 2021, 10:16:58 AM11/29/21
to Christian Brauner, syzbot, ak...@linux-foundation.org, cxfc...@gmail.com, ebie...@xmission.com, leg...@kernel.org, linux-...@vger.kernel.org, se...@hallyn.com, syzkall...@googlegroups.com
Do you think it makes sense to request a CVE for this issue?
If so, were you going to request one? Otherwise I can do that.
Christian Brauner
Nov 29, 2021, 10:52:31 AM11/29/21
to Alexander Potapenko, syzbot, ak...@linux-foundation.org, cxfc...@gmail.com, ebie...@xmission.com, leg...@kernel.org, linux-...@vger.kernel.org, se...@hallyn.com, syzkall...@googlegroups.com
If you would like this to be a CVE then sure go ahead.
(I don't understand the rules around this well enough tbh. For example,
during the last merge window there were at least 3 or 4 NULL pointer
derefs or UAFs in newly added but already released code. Should all of
these get a CVE without a working exploit?)
Reply all
Reply to author
Forward
0 new messages