[syzbot] KMSAN: kernel-infoleak in v4l2_compat_put_array_args
From: syzbot
Date: Tue Jan 18 2022 - 14:07:35 EST
Hello,
syzbot found the following issue on:
HEAD commit: fa3879a274df Input: libps2: mark data received in __ps2_co..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=128abbdfb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d8b9a11641dc9aa
dashboard link: https://syzkaller.appspot.com/bug?extid=ff18193ff05f3f87f226
compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ff18193ff05f3f87f226@xxxxxxxxxxxxxxxxxxxxxxxxx
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
instrument_copy_to_user include/linux/instrumented.h:121 [inline]
_copy_to_user+0x1c9/0x270 lib/usercopy.c:33
copy_to_user include/linux/uaccess.h:209 [inline]
v4l2_compat_put_array_args+0x155a/0x1670 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1152
video_usercopy+0x2332/0x2870 drivers/media/v4l2-core/v4l2-ioctl.c:3340
video_ioctl2+0x9f/0xb0 drivers/media/v4l2-core/v4l2-ioctl.c:3370
v4l2_ioctl+0x263/0x290 drivers/media/v4l2-core/v4l2-dev.c:364
v4l2_compat_ioctl32+0x384/0x410 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1251
__do_compat_sys_ioctl fs/ioctl.c:972 [inline]
__se_compat_sys_ioctl+0x876/0x1150 fs/ioctl.c:914
__ia32_compat_sys_ioctl+0xd9/0x110 fs/ioctl.c:914
do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
__do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node+0xe03/0x14f0 mm/slub.c:4485
kmalloc_node include/linux/slab.h:613 [inline]
kvmalloc_node+0x228/0x450 mm/util.c:587
kvmalloc include/linux/slab.h:741 [inline]
video_usercopy+0x1660/0x2870 drivers/media/v4l2-core/v4l2-ioctl.c:3304
video_ioctl2+0x9f/0xb0 drivers/media/v4l2-core/v4l2-ioctl.c:3370
v4l2_ioctl+0x263/0x290 drivers/media/v4l2-core/v4l2-dev.c:364
v4l2_compat_ioctl32+0x384/0x410 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1251
__do_compat_sys_ioctl fs/ioctl.c:972 [inline]
__se_compat_sys_ioctl+0x876/0x1150 fs/ioctl.c:914
__ia32_compat_sys_ioctl+0xd9/0x110 fs/ioctl.c:914
do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
__do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Bytes 0-7 of 16 are uninitialized
Memory access of size 16 starts at ffff88808d250578
Data copied to user address 0000000020000214
CPU: 0 PID: 12831 Comm: syz-executor.1 Tainted: G S 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.