[syzbot] KMSAN: kernel-infoleak in iommufd_vfio_ioctl

From: syzbot
Date: Mon Feb 13 2023 - 05:50:43 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH 2/6] dt-bindings: soc: amlogic: convert clk-measure.txt to dt-schema"
Previous message: Krzysztof Kozlowski: "Re: [PATCH 1/6] dt-bindings: rtc: convert rtc-meson-vrtc.txt to dt-schema"
Next in thread: syzbot: "Re: [syzbot] KMSAN: kernel-infoleak in iommufd_vfio_ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

syzbot found the following issue on:

HEAD commit: 8c89ecf5c13b kmsan: silence -Wmissing-prototypes warnings
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1592ac0b480000
kernel config: https://syzkaller.appspot.com/x/.config?x=91d3152219aa6b45
dashboard link: https://syzkaller.appspot.com/bug?extid=cb1e0978f6bf46b83a58
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c9d1327adc33/disk-8c89ecf5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8a07e8c41800/vmlinux-8c89ecf5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fe36dc6c869b/bzImage-8c89ecf5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cb1e0978f6bf46b83a58@xxxxxxxxxxxxxxxxxxxxxxxxx

=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c5/0x270 lib/usercopy.c:33
instrument_copy_to_user include/linux/instrumented.h:121 [inline]
_copy_to_user+0x1c5/0x270 lib/usercopy.c:33
copy_to_user include/linux/uaccess.h:169 [inline]
iommufd_vfio_iommu_get_info drivers/iommu/iommufd/vfio_compat.c:437 [inline]
iommufd_vfio_ioctl+0x1e57/0x2330 drivers/iommu/iommufd/vfio_compat.c:462
iommufd_fops_ioctl+0x254/0xb10 drivers/iommu/iommufd/main.c:315
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0x2dd/0x4b0 fs/ioctl.c:856
__x64_sys_ioctl+0xdc/0x120 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Local variable info.i created at:
iommufd_vfio_iommu_get_info drivers/iommu/iommufd/vfio_compat.c:384 [inline]
iommufd_vfio_ioctl+0x423/0x2330 drivers/iommu/iommufd/vfio_compat.c:462
iommufd_fops_ioctl+0x254/0xb10 drivers/iommu/iommufd/main.c:315

Bytes 20-23 of 24 are uninitialized
Memory access of size 24 starts at ffff8880ab237cb0
Data copied to user address 0000000020000000

CPU: 0 PID: 7156 Comm: syz-executor.5 Not tainted 6.2.0-rc7-syzkaller-80760-g8c89ecf5c13b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
=====================================================

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Next message: Krzysztof Kozlowski: "Re: [PATCH 2/6] dt-bindings: soc: amlogic: convert clk-measure.txt to dt-schema"
Previous message: Krzysztof Kozlowski: "Re: [PATCH 1/6] dt-bindings: rtc: convert rtc-meson-vrtc.txt to dt-schema"
Next in thread: syzbot: "Re: [syzbot] KMSAN: kernel-infoleak in iommufd_vfio_ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]