[syzbot] [exfat?] KMSAN: kernel-infoleak in pipe_read


syzbot

Oct 31, 2024, 5:16:28 AM
to linki...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, sj155...@samsung.com, syzkall...@googlegroups.com, yuezh...@sony.com
Hello,

syzbot found the following issue on:

HEAD commit: 4236f913808c Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=160252a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d4311df74eee96f
dashboard link: https://syzkaller.appspot.com/bug?extid=41ebd857f013384237a9
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14ed9540580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/51b1dad228c5/disk-4236f913.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9a7ef646b195/vmlinux-4236f913.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5231f6873f58/bzImage-4236f913.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/30f3d2299c08/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+41ebd8...@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:30 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:300 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:328 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x2f3/0x2b30 lib/iov_iter.c:185
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:30 [inline]
iterate_and_advance2 include/linux/iov_iter.h:300 [inline]
iterate_and_advance include/linux/iov_iter.h:328 [inline]
_copy_to_iter+0x2f3/0x2b30 lib/iov_iter.c:185
copy_page_to_iter+0x419/0x880 lib/iov_iter.c:362
pipe_read+0x88c/0x21a0 fs/pipe.c:327
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0xcdf/0xf50 fs/read_write.c:569
ksys_read+0x24f/0x4c0 fs/read_write.c:712
__do_sys_read fs/read_write.c:722 [inline]
__se_sys_read fs/read_write.c:720 [inline]
__x64_sys_read+0x93/0xe0 fs/read_write.c:720
x64_sys_call+0x3055/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:1
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
memcpy_to_iter lib/iov_iter.c:65 [inline]
iterate_bvec include/linux/iov_iter.h:123 [inline]
iterate_and_advance2 include/linux/iov_iter.h:304 [inline]
iterate_and_advance include/linux/iov_iter.h:328 [inline]
_copy_to_iter+0xe5a/0x2b30 lib/iov_iter.c:185
copy_page_to_iter+0x419/0x880 lib/iov_iter.c:362
shmem_file_read_iter+0xa09/0x12b0 mm/shmem.c:3164
do_iter_readv_writev+0x88a/0xa30
vfs_iter_read+0x278/0x760 fs/read_write.c:923
lo_read_simple drivers/block/loop.c:283 [inline]
do_req_filebacked drivers/block/loop.c:516 [inline]
loop_handle_cmd drivers/block/loop.c:1910 [inline]
loop_process_work+0x20fc/0x3750 drivers/block/loop.c:1945
loop_workfn+0x48/0x60 drivers/block/loop.c:1969
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was stored to memory at:
memcpy_from_iter lib/iov_iter.c:73 [inline]
iterate_bvec include/linux/iov_iter.h:123 [inline]
iterate_and_advance2 include/linux/iov_iter.h:304 [inline]
iterate_and_advance include/linux/iov_iter.h:328 [inline]
__copy_from_iter lib/iov_iter.c:249 [inline]
copy_page_from_iter_atomic+0x1299/0x30c0 lib/iov_iter.c:481
copy_folio_from_iter_atomic include/linux/uio.h:201 [inline]
generic_perform_write+0x8d1/0x1080 mm/filemap.c:4066
shmem_file_write_iter+0x2ba/0x2f0 mm/shmem.c:3218
do_iter_readv_writev+0x88a/0xa30
vfs_iter_write+0x44d/0xd40 fs/read_write.c:988
lo_write_bvec drivers/block/loop.c:243 [inline]
lo_write_simple drivers/block/loop.c:264 [inline]
do_req_filebacked drivers/block/loop.c:511 [inline]
loop_handle_cmd drivers/block/loop.c:1910 [inline]
loop_process_work+0x15e6/0x3750 drivers/block/loop.c:1945
loop_workfn+0x48/0x60 drivers/block/loop.c:1969
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xae0/0x1c40 kernel/workqueue.c:3310
worker_thread+0xea7/0x14f0 kernel/workqueue.c:3391
kthread+0x3e2/0x540 kernel/kthread.c:389
ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Uninit was created at:
__alloc_pages_noprof+0x9a7/0xe00 mm/page_alloc.c:4756
alloc_pages_mpol_noprof+0x299/0x990 mm/mempolicy.c:2265
alloc_pages_noprof mm/mempolicy.c:2345 [inline]
folio_alloc_noprof+0x1db/0x310 mm/mempolicy.c:2352
filemap_alloc_folio_noprof+0xa6/0x440 mm/filemap.c:1010
__filemap_get_folio+0xac4/0x1550 mm/filemap.c:1952
block_write_begin+0x6e/0x2b0 fs/buffer.c:2226
exfat_write_begin+0xfb/0x400 fs/exfat/inode.c:434
exfat_extend_valid_size fs/exfat/file.c:553 [inline]
exfat_file_write_iter+0x474/0xfb0 fs/exfat/file.c:588
do_iter_readv_writev+0x88a/0xa30
vfs_writev+0x56a/0x14f0 fs/read_write.c:1064
do_pwritev fs/read_write.c:1165 [inline]
__do_sys_pwritev2 fs/read_write.c:1224 [inline]
__se_sys_pwritev2+0x280/0x470 fs/read_write.c:1215
__x64_sys_pwritev2+0x11f/0x1a0 fs/read_write.c:1215
x64_sys_call+0x2edb/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:329
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Bytes 0-1023 of 1024 are uninitialized
Memory access of size 1024 starts at ffff88801d942400
Data copied to user address 0000555560b53ba0

CPU: 1 UID: 0 PID: 5798 Comm: syz-executor Not tainted 6.12.0-rc5-syzkaller-00047-g4236f913808c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Oct 31, 2024, 8:42:12 AM
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [exfat?] KMSAN: kernel-infoleak in pipe_read
Author: aha3...@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
fs/pipe.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/pipe.c b/fs/pipe.c
index 12b22c2723b7..596780490a32 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -324,6 +324,7 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to)
break;
}

+ printk(KERN_INFO "%p %u %lu", &buf->page, buf->offset, chars);
written = copy_page_to_iter(buf->page, buf->offset, chars, to);
if (unlikely(written < chars)) {
if (!ret)
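Review bot: this hunk is debug instrumentation rather than a candidate fix, and as written the printk will not produce a value comparable to the report: `%p` is hashed by default, so it cannot be matched against the raw "Memory access of size 1024 starts at ffff88801d942400" address in the KMSAN output, and `&buf->page` prints the address of the struct field, not the page pointer itself. The format string also lacks a trailing `\n`, so consecutive messages will run together in the console log. If the intent is to correlate the pipe buffer with the flagged region, print `page_address(buf->page)` (or `%px`, which is acceptable in a throwaway test patch but must never land) and terminate the line, e.g. `printk(KERN_INFO "%px %u %lu\n", page_address(buf->page), buf->offset, chars);`.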
--

Edward Adam Davis

Oct 31, 2024, 9:47:26 AM
to syzbot+41ebd8...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 1abb32c0da50..59832f73a4f2 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -478,6 +478,7 @@ size_t copy_page_from_iter_atomic(struct page *page, size_t offset,
}

p = kmap_atomic(page) + offset;
+ memset(p, 0, n);
n = __copy_from_iter(p, n, i);
kunmap_atomic(p);
copied += n;
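Review bot: `memset(p, 0, n)` zeroes the destination page before `__copy_from_iter`, but the destination is exactly what the copy then overwrites, so this cannot remove the uninitialized bytes; they are carried in the source iov_iter. The report's "Uninit was created at" stack shows the bytes originate in the exfat write path (exfat_extend_valid_size -> exfat_write_begin -> block_write_begin allocating a fresh folio without initializing it), and the two "Uninit was stored to memory at" stacks only show that data being moved through the loop device and shmem. A fix in the generic iov_iter helper also penalizes every caller of copy_page_from_iter_atomic with an extra write of `n` bytes per call. The change belongs in fs/exfat, where the newly allocated page range between the old valid size and the write position needs to be zeroed before it becomes readable; syzbot's retest of this patch still triggering "KMSAN: kernel-infoleak in pipe_read" is consistent with that.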

syzbot

Oct 31, 2024, 12:21:06 PM
to aha3...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy syz-execprog to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "ro...@10.128.0.23:./syz-execprog"]
Executing: program /usr/bin/ssh host 10.128.0.23, user root, command sftp
OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.14 4 Jun 2024
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.0.23 [10.128.0.23] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.1
debug1: compat_banner: match: OpenSSH_9.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.128.0.23:22 as 'root'
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x2...@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20...@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20...@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:g5LT3corcdQiP3+7S3QNYL7lzLWO1gp/6X86Qtf82jk
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
Warning: Permanently added '10.128.0.23' (ED25519) to the list of known hosts.
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-...@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sh...@openssh.com,webauthn-sk-ecd...@openssh.com>
debug1: kex_input_ext_info: publickey...@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
Authenticated to 10.128.0.23 ([10.128.0.23]:22) using "none".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-...@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostk...@openssh.com want_reply 0
debug1: Sending subsystem: sftp
debug1: pledge: fork
scp: debug1: stat remote: No such file or directory
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1695445684=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at fb888278a6
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=fb888278a6b21eda7fa63551c83fd17b90305ba1 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241030-093306'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"fb888278a6b21eda7fa63551c83fd17b90305ba1\"
/usr/bin/ld: /tmp/cccAwp7Q.o: in function `test_cover_filter()':
executor.cc:(.text+0x1426b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/cccAwp7Q.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Tested on:

commit: 0fc810ae x86/uaccess: Avoid barrier_nospec() in 64-bit..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=4d4311df74eee96f
dashboard link: https://syzkaller.appspot.com/bug?extid=41ebd857f013384237a9
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15cb655f980000

syzbot

Oct 31, 2024, 12:39:04 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: kernel-infoleak in pipe_read
copy_page_from_iter_atomic+0x1284/0x3090 lib/iov_iter.c:482
Memory access of size 1024 starts at ffff888039552400
Data copied to user address 000055558b7cbba0

CPU: 0 UID: 0 PID: 6309 Comm: syz-executor Not tainted 6.12.0-rc5-syzkaller-00063-g0fc810ae3ae1-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
=====================================================


Tested on:

commit: 0fc810ae x86/uaccess: Avoid barrier_nospec() in 64-bit..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1028ae87980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d4311df74eee96f
dashboard link: https://syzkaller.appspot.com/bug?extid=41ebd857f013384237a9
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16fd2630580000

syzbot

Mar 15, 2025, 1:08:16 AM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.