Re: [syzbot] Re: [syzbot] [kernel?] KMSAN: kernel-infoleak in vmci_host_unlocked_ioctl (3)

From: syzbot
Date: Fri Jun 20 2025 - 01:23:22 EST


For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx.

***

Subject: Re: [syzbot] [kernel?] KMSAN: kernel-infoleak in vmci_host_unlocked_ioctl (3)
Author: lizhi.xu@xxxxxxxxxxxxx

#syz test

diff --git a/drivers/misc/vmw_vmci/vmci_host.c b/drivers/misc/vmw_vmci/vmci_host.c
index b64944367ac5..178febf6c561 100644
--- a/drivers/misc/vmw_vmci/vmci_host.c
+++ b/drivers/misc/vmw_vmci/vmci_host.c
@@ -385,14 +385,20 @@ static int vmci_host_do_send_datagram(struct vmci_host_dev *vmci_host_dev,
return -EINVAL;
}

- dg = memdup_user((void __user *)(uintptr_t)send_info.addr,
- send_info.len);
- if (IS_ERR(dg)) {
+ dg = kzalloc(send_info.len, GFP_KERNEL);
+
+ if (IS_ERR_OR_NULL(dg)) {
vmci_ioctl_err(
"cannot allocate memory to dispatch datagram\n");
return PTR_ERR(dg);
}

+ if (copy_from_user(dg, (void __user *)(uintptr_t)send_info.addr, send_info.len)) {
+ vmci_ioctl_err("copy datagram fails\n");
+ kfree(dg);
+ return -EFAULT;
+ }
+
if (VMCI_DG_SIZE(dg) != send_info.len) {
vmci_ioctl_err("datagram size mismatch\n");
kfree(dg);
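Review bot: The allocation-failure branch returns success: kzalloc() yields NULL (never an ERR_PTR) when it fails, so `IS_ERR_OR_NULL(dg)` is true only for NULL and `return PTR_ERR(dg)` then returns 0, letting the caller treat a failed allocation as a dispatched datagram. The check should be `if (!dg) {` with `return -ENOMEM;` in place of the PTR_ERR() call, since IS_ERR_OR_NULL only made sense for the memdup_user() return value the hunk removes. It is also worth noting that this rewrite initializes exactly the bytes memdup_user() already did — both copy send_info.len bytes from userspace into the allocation — so if the KMSAN report is about uninitialized bytes in dg, the zeroing from kzalloc() is overwritten by copy_from_user() and the hunk does not appear to change what is initialized; the source of the leak is presumably elsewhere and should be confirmed against the report. Switching from GFP_USER to GFP_KERNEL also silently changes the allocation flags, which deserves a mention in the commit message if intended. vmci_host_do_send_datagram() starts before and continues after this hunk, so the later VMCI_DG_SIZE() check and the kfree() paths are only partly visible here.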