2022-01-07 11:42:20

by syzbot

Subject: [syzbot] KMSAN: uninit-value in from_kgid

Hello,

syzbot found the following issue on:

HEAD commit: 81c325bbf94e kmsan: hooks: do not check memory in kmsan_in..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10071b99b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d8b9a11641dc9aa
dashboard link: https://syzkaller.appspot.com/bug?extid=13e44cec8bcb2396a0a3
compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

=====================================================
BUG: KMSAN: uninit-value in map_id_up_base kernel/user_namespace.c:335 [inline]
BUG: KMSAN: uninit-value in map_id_up kernel/user_namespace.c:365 [inline]
BUG: KMSAN: uninit-value in from_kgid+0x52e/0xbe0 kernel/user_namespace.c:481
map_id_up_base kernel/user_namespace.c:335 [inline]
map_id_up kernel/user_namespace.c:365 [inline]
from_kgid+0x52e/0xbe0 kernel/user_namespace.c:481
p9pdu_vwritef+0x18d0/0x5100 net/9p/protocol.c:405
p9pdu_writef+0x240/0x290 net/9p/protocol.c:539
p9pdu_vwritef+0x21ed/0x5100 net/9p/protocol.c:490
p9_client_prepare_req+0xe64/0x16d0 net/9p/client.c:703
p9_client_rpc+0x28b/0x1460 net/9p/client.c:734
p9_client_setattr+0x113/0x2c0 net/9p/client.c:1894
v9fs_vfs_setattr_dotl+0x7e2/0xd70 fs/9p/vfs_inode_dotl.c:588
notify_change+0x1fde/0x2180 fs/attr.c:410
chown_common+0x832/0xc70 fs/open.c:678
do_fchownat+0x2df/0x4e0 fs/open.c:709
ksys_lchown include/linux/syscalls.h:1335 [inline]
__do_sys_lchown16 kernel/uid16.c:30 [inline]
__se_sys_lchown16 kernel/uid16.c:28 [inline]
__ia32_sys_lchown16+0x200/0x250 kernel/uid16.c:28
do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
__do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Uninit was stored to memory at:
v9fs_vfs_setattr_dotl+0x5a9/0xd70 fs/9p/vfs_inode_dotl.c:566
notify_change+0x1fde/0x2180 fs/attr.c:410
chown_common+0x832/0xc70 fs/open.c:678
do_fchownat+0x2df/0x4e0 fs/open.c:709
ksys_lchown include/linux/syscalls.h:1335 [inline]
__do_sys_lchown16 kernel/uid16.c:30 [inline]
__se_sys_lchown16 kernel/uid16.c:28 [inline]
__ia32_sys_lchown16+0x200/0x250 kernel/uid16.c:28
do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
__do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Local variable newattrs created at:
chown_common+0x120/0xc70 fs/open.c:647
do_fchownat+0x2df/0x4e0 fs/open.c:709

CPU: 0 PID: 31712 Comm: syz-executor.3 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


2022-01-07 12:11:43

by Christian Brauner

Subject: Re: [syzbot] KMSAN: uninit-value in from_kgid

On Fri, Jan 07, 2022 at 03:42:18AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 81c325bbf94e kmsan: hooks: do not check memory in kmsan_in..
> git tree: https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=10071b99b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2d8b9a11641dc9aa
> dashboard link: https://syzkaller.appspot.com/bug?extid=13e44cec8bcb2396a0a3
> compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: i386
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]

Same 9p issue as others stemming from 9p copying from struct iattr
without checking what fields are valid, ultimately leading to invalid
values being sent over the wire, which is why KMSAN reports it.

Fixed in 9p and sitting in -next
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a403e2bd0026a690478719e46bef478777e7dd41
should show up during the merge window.
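An added example, not kernel code and not the -next fix linked above: a userspace C model of the pattern described in the reply. A chown()-style caller flags only the ids it changes in ia_valid (lchown with gid -1 leaves ia_gid untouched, matching the lchown16/chown_common path in the trace); the unchecked translator copies both ids into the 9P2000.L setattr message regardless, so the unset gid is read uninitialised, while the checked translator copies only flagged fields. Struct layouts, bit values and the 0xAA poison are simplifying assumptions.

```c
#include <stdint.h>
#include <string.h>
/* ia_valid bits with the kernel's ATTR_* meaning (values simplified). */
#define ATTR_UID 0x1
#define ATTR_GID 0x2
struct iattr { unsigned ia_valid; uint32_t ia_uid, ia_gid; };
/* Subset of the 9P2000.L setattr message: 'valid' says which fields apply. */
struct p9_iattr_dotl { uint32_t valid, uid, gid; };

/* Models chown_common(): flag and fill only the ids the caller asked to change,
 * -1 meaning "leave alone". 0xAA poison stands in for stale stack contents. */
static struct iattr make_chown_request(uint32_t uid, uint32_t gid) {
    struct iattr ia;
    memset(&ia, 0xAA, sizeof ia);   /* constructed "uninitialised" memory */
    ia.ia_valid = 0;
    if (uid != (uint32_t)-1) { ia.ia_valid |= ATTR_UID; ia.ia_uid = uid; }
    if (gid != (uint32_t)-1) { ia.ia_valid |= ATTR_GID; ia.ia_gid = gid; }
    return ia;
}

/* Before: both ids are copied regardless of ia_valid, so an unset gid is
 * converted (from_kgid in the trace) and serialised. The defect pattern. */
void setattr_to_wire_unchecked(const struct iattr *ia, struct p9_iattr_dotl *w) {
    w->valid = ia->ia_valid;
    w->uid = ia->ia_uid;
    w->gid = ia->ia_gid;
}

/* After: zero the message and copy only fields ia_valid vouches for. */
void setattr_to_wire_checked(const struct iattr *ia, struct p9_iattr_dotl *w) {
    memset(w, 0, sizeof *w);
    w->valid = ia->ia_valid;
    if (ia->ia_valid & ATTR_UID) w->uid = ia->ia_uid;
    if (ia->ia_valid & ATTR_GID) w->gid = ia->ia_gid;
}

/* 1 if a field not flagged in 'valid' still carries data (stale memory on the wire). */
int wire_has_unflagged_data(const struct p9_iattr_dotl *w) {
    return (!(w->valid & ATTR_UID) && w->uid) || (!(w->valid & ATTR_GID) && w->gid);
}

/* lchown(path, 1000, -1) as in the report: uid set, gid never initialised. */
int chown_uid_only_leaks(int use_checked_translator) {
    struct iattr ia = make_chown_request(1000, (uint32_t)-1);
    struct p9_iattr_dotl w;
    if (use_checked_translator) setattr_to_wire_checked(&ia, &w);
    else setattr_to_wire_unchecked(&ia, &w);
    return wire_has_unflagged_data(&w);
}
```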