From: Alexander Potapenko
Date: Tue, 16 Apr 2024 10:52:12 +0200
Subject: Re: [syzbot] [mm?] KMSAN: kernel-infoleak in bpf_probe_write_user
To: Alexei Starovoitov
Cc: Andrew Morton, syzbot, LKML, linux-mm, syzkaller-bugs, bpf

On Mon, Apr 15, 2024 at 11:06 PM Alexei Starovoitov wrote:
>
> Hi,
>
> syzbot folks, please disable such "bug" reporting.
> The whole point of bpf is to pass such info to userspace.
> probe_write_user, various ring buffers, bpf_*_printk-s, bpf maps
> all serve this purpose of "infoleak".
>

Hi Alexei,

From KMSAN's perspective it is fine to pass information to userspace,
unless it is marked as uninitialized.
It could be that we are missing some initialization in kernel/bpf/core.c though.
Do you know which part of the code is supposed to initialize the stack in PROG_NAME?
> On Mon, Apr 15, 2024 at 1:18 PM Andrew Morton wrote:
> >
> > (cc bpf@)
> >
> > On Fri, 12 Apr 2024 19:27:25 -0700 syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    fec50db7033e Linux 6.9-rc3
> > > git tree:       upstream
> > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=16509ba1180000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=13e7da432565d94c
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=79102ed905e5b2dc0fc3
> > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10a4af9d180000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12980f9d180000
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/901017b36ccc/disk-fec50db7.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/16bfcf5618d3/vmlinux-fec50db7.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/dc9c5a1e7d02/bzImage-fec50db7.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+79102ed905e5b2dc0fc3@syzkaller.appspotmail.com
> > >
> > > =====================================================
> > > BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> > > BUG: KMSAN: kernel-infoleak in __copy_to_user_inatomic include/linux/uaccess.h:125 [inline]
> > > BUG: KMSAN: kernel-infoleak in copy_to_user_nofault+0x129/0x1f0 mm/maccess.c:149
> > >  instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> > >  __copy_to_user_inatomic include/linux/uaccess.h:125 [inline]
> > >  copy_to_user_nofault+0x129/0x1f0 mm/maccess.c:149
> > >  ____bpf_probe_write_user kernel/trace/bpf_trace.c:349 [inline]
> > >  bpf_probe_write_user+0x104/0x180 kernel/trace/bpf_trace.c:327
> > >  ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
> > >  __bpf_prog_run64+0xb5/0xe0 kernel/bpf/core.c:2236
> > >  bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
> > >  __bpf_prog_run include/linux/filter.h:657 [inline]
> > >  bpf_prog_run include/linux/filter.h:664 [inline]
> > >  __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
> > >  bpf_trace_run2+0x116/0x300 kernel/trace/bpf_trace.c:2420
> > >  __bpf_trace_kfree+0x29/0x40 include/trace/events/kmem.h:94
> > >  trace_kfree include/trace/events/kmem.h:94 [inline]
> > >  kfree+0x6a5/0xa30 mm/slub.c:4377
> > >  vfs_writev+0x12bf/0x1450 fs/read_write.c:978
> > >  do_writev+0x251/0x5c0 fs/read_write.c:1018
> > >  __do_sys_writev fs/read_write.c:1091 [inline]
> > >  __se_sys_writev fs/read_write.c:1088 [inline]
> > >  __x64_sys_writev+0x98/0xe0 fs/read_write.c:1088
> > >  do_syscall_64+0xd5/0x1f0
> > >  entry_SYSCALL_64_after_hwframe+0x72/0x7a
> > >
> > > Local variable stack created at:
> > >  __bpf_prog_run64+0x45/0xe0 kernel/bpf/core.c:2236
> > >  bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
> > >  __bpf_prog_run include/linux/filter.h:657 [inline]
> > >  bpf_prog_run include/linux/filter.h:664 [inline]
> > >  __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
> > >  bpf_trace_run2+0x116/0x300 kernel/trace/bpf_trace.c:2420
> > >
> > > Bytes 0-7 of 8 are uninitialized
> > > Memory access of size 8 starts at ffff888121ec7ae8
> > > Data copied to user address 00000000ffffffff
> > >
> > > CPU: 1 PID: 4779 Comm: dhcpcd Not tainted 6.9.0-rc3-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> > > =====================================================
> > >
> > >
> > > ---
> > > This report is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this issue. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > >
> > > If the report is already addressed, let syzbot know by replying with:
> > > #syz fix: exact-commit-title
> > >
> > > If you want syzbot to run the reproducer, reply with:
> > > #syz test: git://repo/address.git branch-or-commit-hash
> > > If you attach or paste a git patch, syzbot will apply it before testing.
> > >
> > > If you want to overwrite report's subsystems, reply with:
> > > #syz set subsystems: new-subsystem
> > > (See the list of subsystem names on the web dashboard)
> > >
> > > If the report is a duplicate of another one, reply with:
> > > #syz dup: exact-subject-of-another-report
> > >
> > > If you want to undo deduplication, reply with:
> > > #syz undup
> >
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CAADnVQ%2BE%3Dj1Z4MOuk2f-U33oqvUmmrRcvWvsDrmLXvD8FhUmsQ%40mail.gmail.com.

--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Liana Sebastian
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
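To make concrete what the report above is checking, here is an added userspace model of KMSAN's shadow tracking (example code written for this page, not from the thread, the kernel, or KMSAN itself): every byte of a simulated interpreter stack frame carries a shadow bit, and the copy-to-user step reports the poisoned byte range the way the report does for bytes 0-7 of an 8-byte access, then goes quiet once the slot is initialized. The frame size, the slot offset and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One shadow byte per data byte: 1 = poisoned (never written), 0 = initialized. */
struct shadow_stack {
    uint8_t data[512];   /* hypothetical frame size */
    uint8_t shadow[512];
};

/* Entering a function poisons its whole frame, as KMSAN does for local variables. */
static void frame_create(struct shadow_stack *s)
{
    memset(s->data, 0x41, sizeof s->data);   /* stale stack contents: the would-be leak */
    memset(s->shadow, 1, sizeof s->shadow);
}

/* A store unpoisons exactly the bytes it writes, and no others. */
static void frame_store(struct shadow_stack *s, size_t off, const void *src, size_t len)
{
    memcpy(&s->data[off], src, len);
    memset(&s->shadow[off], 0, len);
}

/* Model of the instrumented copy_to_user(): the copy always happens, but the source
 * range's shadow is inspected first. Returns how many copied bytes were uninitialized. */
static size_t checked_copy_to_user(uint8_t *user, const struct shadow_stack *s,
                                   size_t off, size_t len)
{
    size_t bad = 0, first = len, last = 0;
    for (size_t i = 0; i < len; i++)
        if (s->shadow[off + i]) { bad++; last = i; if (i < first) first = i; }
    if (bad)
        printf("BUG: kernel-infoleak: Bytes %zu-%zu of %zu are uninitialized\n",
               first, last, len);
    memcpy(user, &s->data[off], len);
    return bad;
}

/* A helper copies the 8-byte slot at offset 16 to userspace after the interpreter
 * stored init_bytes zero bytes there. Returns the leaked-byte count: 8 with no store,
 * 4 after a 4-byte store, 0 once the whole slot is initialized. */
static size_t run_probe_write(size_t init_bytes)
{
    struct shadow_stack st;
    uint8_t user_buf[8], zeros[8] = {0};
    frame_create(&st);
    frame_store(&st, 16, zeros, init_bytes > 8 ? 8 : init_bytes);
    return checked_copy_to_user(user_buf, &st, 16, sizeof user_buf);
}
```

Only bytes whose shadow is still set are reported, which is why data that a BPF program deliberately wrote before passing it to userspace never triggers this check.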