From: Alexander Potapenko
To: gregkh@linuxfoundation.org, jslaby@suse.com
Cc: linux-kernel@vger.kernel.org, dvyukov@google.com
Subject: [PATCH] vt: prevent leaking uninitialized data to userspace via /dev/vcs*
Date: Thu, 14 Jun 2018 12:23:09 +0200
Message-Id: <20180614102309.131958-1-glider@google.com>
X-Mailer: git-send-email 2.18.0.rc1.242.g61856ae69a-goog
X-Mailing-List: linux-kernel@vger.kernel.org

KMSAN reported an infoleak when reading from /dev/vcs*:

  BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
  Call Trace:
  ...
   kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
   copy_to_user ./include/linux/uaccess.h:184
   vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
   __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
   vfs_read+0x36c/0x6b0 fs/read_write.c:452
  ...
  Uninit was created at:
   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
   kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
   kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
   __kmalloc+0x13a/0x350 mm/slub.c:3818
   kmalloc ./include/linux/slab.h:517
   vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
   con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
   tty_driver_install_tty drivers/tty/tty_io.c:1224
   tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
   tty_open_by_driver drivers/tty/tty_io.c:1959
   tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
   chrdev_open+0xc25/0xd90 fs/char_dev.c:417
   do_dentry_open+0xccc/0x1440 fs/open.c:794
   vfs_open+0x1b6/0x2f0 fs/open.c:908
  ...
  Bytes 0-79 of 240 are uninitialized

Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem

Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com
Signed-off-by: Alexander Potapenko
---
 drivers/tty/vt/vt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 1eb1a376a041..15eb6c829d39 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c
@@ -784,7 +784,7 @@ int vc_allocate(unsigned int currcons) /* return 0 on success */ if (!*vc->vc_uni_pagedir_loc) con_set_default_unimap(vc); - vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL); + vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL); if (!vc->vc_screenbuf) goto err_free; @@ -871,7 +871,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, if (new_screen_size > (4 << 20)) return -EINVAL; - newscreen = kmalloc(new_screen_size, GFP_USER); + newscreen = kzalloc(new_screen_size, GFP_USER); if (!newscreen) return -ENOMEM; -- 2.18.0.rc1.242.g61856ae69a-goog
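
Review bot: The kzalloc() of vc->vc_screenbuf in vc_allocate() stops the leak, but the commit message does not say why bytes 0-79 of the 240 copied out by vcs_read() are still unwritten at that point. Please name the path that leaves them uninitialised, so reviewers can judge whether an all-zero buffer is the right content for /dev/vcs* readers or whether the normal screen-clearing code should be filling it. Since this is a kernel-to-userspace infoleak, consider adding a Fixes: or stable tag as well.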
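
Review bot: The newscreen allocation in vc_do_resize() is switched to kzalloc() too, but the KMSAN report quoted in the commit message only shows uninitialised memory originating in vc_allocate(). Say in the commit message whether the resize path can also leave part of newscreen unwritten or whether this is a defensive change. With new_screen_size allowed up to 4 << 20 by the check just above, the extra zeroing on every resize is not free and deserves a sentence of justification.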