Re: KMSAN: kernel-infoleak in copyout lib/iov_iter.c

[Alexander Potapenko <glider@google.com>]

On Mon, Jun 11, 2018 at 7:43 AM 'Dmitry Vyukov' via syzkaller
<syzkaller@googlegroups.com> wrote:
>
> On Sun, Jun 10, 2018 at 11:28 PM, shankarapailoor
> <shankarapailoor@gmail.com> wrote:
> > Hi,
> >
Hi Shankara,

> > I have been fuzzing Linux 4.17 with KMSAN
> > (https://github.com/google/kmsan/)  and I found the following crash:
> >
> > =======================================================
> > BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
I couldn't reproduce the report on a KMSAN tree. Could you please
share your .config file?
I've seen similar reports on syzbot and think that the problem is in
KMSAN missing the initialization in copy_user_page()
The speculative fix is here:
https://github.com/google/kmsan/commit/5cdf0501ac1bdc9ba2844d17b2665c7881cb2ac7,
could you please try that out?

Overall, it's usually unlikely that there're big infoleaks in trivial
places like a plain process_vm_readv() call.
Because KMSAN is still in development, it's better to validate the
reports manually by e.g. filling the suspect memory with some constant
and printing its contents in the reproducer.

> > BUG: KMSAN: kernel-infoleak in copy_page_to_iter_iovec
> > lib/iov_iter.c:212 [inline]
> > BUG: KMSAN: kernel-infoleak in copy_page_to_iter+0x754/0x1b70 lib/iov_iter.c:716
> >  CPU: 2 PID: 21280 Comm: syz-executor3 Not tainted 4.17.0+ #4 Hardware
> > name: Google Google Compute Engine/Google Compute Engine, BIOS Google
> > 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x185/0x1d0 lib/dump_stack.c:113 kmsan_report+0x188/0x2a0
> > mm/kmsan/kmsan.c:1117 kmsan_internal_check_memory+0x17e/0x1f0
> > mm/kmsan/kmsan.c:1230 kmsan_copy_to_user+0x7a/0x160
> > mm/kmsan/kmsan.c:1253 copyout lib/iov_iter.c:140 [inline]
> > copy_page_to_iter_iovec lib/iov_iter.c:212 [inline]
> > copy_page_to_iter+0x754/0x1b70 lib/iov_iter.c:716 process_vm_rw_pages
> > mm/process_vm_access.c:53 [inline] process_vm_rw_single_vec
> > mm/process_vm_access.c:124 [inline] process_vm_rw_core+0xf6a/0x1930
> > mm/process_vm_access.c:220 process_vm_rw+0x3d0/0x500
> > mm/process_vm_access.c:288 __do_sys_process_vm_readv
> > mm/process_vm_access.c:302 [inline] __se_sys_process_vm_readv
> > mm/process_vm_access.c:298 [inline]
> > __x64_sys_process_vm_readv+0x1a0/0x200 mm/process_vm_access.c:298
> > do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
> > entry_SYSCALL_64_after_hwframe+0x44/0xa9RIP: 0033:0x455a09RSP:
> > 002b:00007f621260ec68 EFLAGS: 00000246 ORIG_RAX: 0000000000000136RAX:
> > ffffffffffffffda RBX: 00007f621260f6d4 RCX: 0000000000455a09RDX:
> > 0000000000000007 RSI: 0000000020001b00 RDI: 000000000000070aRBP:
> > 000000000072bea0 R08: 0000000000000001 R09: 0000000000000000R10:
> > 0000000020001c80 R11: 0000000000000246 R12: 00000000ffffffffR13:
> > 0000000000000524 R14: 00000000006fbc00 R15: 0000000000000000
> >
> > Uninit was created at: kmsan_save_stack_with_flags
> > mm/kmsan/kmsan.c:279 [inline] kmsan_alloc_meta_for_pages+0x161/0x3a0
> > mm/kmsan/kmsan.c:815 kmsan_alloc_page+0x82/0xe0 mm/kmsan/kmsan.c:885
> > __alloc_pages_nodemask+0xe02/0x5c80 mm/page_alloc.c:4402 __alloc_pages
> > include/linux/gfp.h:458 [inline] __alloc_pages_node
> > include/linux/gfp.h:471 [inline]
> > alloc_pages_vma+0x1555/0x17f0 mm/mempolicy.c:2049
> > do_huge_pmd_wp_page+0x3026/0x4f50 mm/huge_memory.c:1296 wp_huge_pmd
> > mm/memory.c:3866 [inline]
> > __handle_mm_fault mm/memory.c:4079 [inline]
> > handle_mm_fault+0x22aa/0x7c40 mm/memory.c:4126
>
> /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
>
> User pages must be initialized. Alex, do we handle clear_huge_page already?
>
>
> > __do_page_fault+0xec6/0x1a10 arch/x86/mm/fault.c:1400
> > do_page_fault+0xb7/0x250 arch/x86/mm/fault.c:1477 page_fault+0x1e/0x30
> > arch/x86/entry/entry_64.S:1160
> > Bytes 0-204 of 205 are uninitialized
> > Memory access starts at ffff880029601b80
> > ==================================================================
> >
> > I am able to reliably reproduce the crash using ./syz-repro on the
> > following program:
> >
> > r0 = gettid()
> > process_vm_readv(r0, &(0x7f0000001b00)=[{&(0x7f00000006c0)=""/221,
> > 0xdd}, {&(0x7f00000007c0)=""/248, 0xf8}, {&(0x7f00000008c0)=""/254,
> > 0xfe}, {&(0x7f00000009c0)=""/4096, 0x1000}, {&(0x7f00000019c0)},
> > {&(0x7f0000001a00)=""/184, 0xb8}, {&(0x7f0000001ac0)=""/26, 0x1a}],
> > 0x7, &(0x7f0000001c80)=[{&(0x7f0000001b80)=""/205, 0xcd}], 0x1, 0x0)
> > r1 = socket$inet(0x2, 0x1, 0x0)
> > fcntl$setown(r1, 0x8, 0xffffffffffffffff)
> > fcntl$getownex(r1, 0x10, &(0x7f00000000c0)={0x0,<r2=>0x0})
> > process_vm_writev(r2, &(0x7f0000000080)=[{&(0x7f0000000000)=""/99,
I've seen similar reports from process_vm_readv() on Friday (
> > 0x63}], 0x1, &(0x7f00000003c0)=[{&(0x7f0000000100)=""/157, 0x9d},
> > {&(0x7f00000001c0)=""/22, 0x16}, {&(0x7f0000000200)=""/137, 0x89},
> > {&(0x7f00000002c0)=""/51, 0x33}, {&(0x7f0000000300)=""/134, 0x86}],
> > 0x5, 0x0)
> >
> > Here is a C program that can (inconsistently) trigger the crash:
> > https://pastebin.com/pRBptS9X
> > My kernel configs are here: https://pastebin.com/KGjTG2Yd
> > Log context around crash: https://pastebin.com/f5BsDUpV
> >
> >
> > Regards,
> > Shankara Pailoor
> >
> > --
> > You received this message because you are subscribed to the Google Groups "syzkaller" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+unsubscribe@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg