Date: Sat, 23 Jun 2018 19:56:51 -0700
From: Davidlohr Bueso
To: syzbot
Cc: akpm@linux-foundation.org, ebiederm@xmission.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux@dominikbrodowski.net, manfred@colorfullife.com, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk, dave@stgolabs.net
Subject: ipc/msg: zalloc struct msg_queue when creating a new msq
Message-ID: <20180624025651.bvjlcfulbmycz5bf@linux-r8p5>
In-Reply-To: <000000000000e403b3056e76c786@google.com>

The following splat was reported around the msg_queue structure which can have uninitialized fields left over after newque(). Future syscalls which make use of the msq id (now valid) can thus make KMSAN complain because not all fields are explicitly initialized and we have the padding as well. This is internal to the kernel, hence no bogus leaks.
==================================================================
BUG: KMSAN: uninit-value in do_msgrcv+0x509/0x1e30 ipc/msg.c:1048
CPU: 0 PID: 4528 Comm: syz-executor852 Not tainted 4.17.0-rc5+ #103
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
 do_msgrcv+0x509/0x1e30 ipc/msg.c:1048
 ksys_msgrcv ipc/msg.c:1184 [inline]
 __do_sys_msgrcv ipc/msg.c:1190 [inline]
 __se_sys_msgrcv ipc/msg.c:1187 [inline]
 __x64_sys_msgrcv+0x160/0x1b0 ipc/msg.c:1187
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4459b9
RSP: 002b:00007f0d57662db8 EFLAGS: 00000297 ORIG_RAX: 0000000000000046
RAX: ffffffffffffffda RBX: 00000000006dac54 RCX: 00000000004459b9
RDX: 00000000000000d0 RSI: 0000000020000000 RDI: 0000000000260007
RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000000
R13: 00007ffd5ab7e25f R14: 00007f0d576639c0 R15: 0000000000000006

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 __kmalloc_node+0xe25/0x11f0 mm/slub.c:3865
 kmalloc_node include/linux/slab.h:554 [inline]
 kvmalloc_node+0x197/0x2f0 mm/util.c:421
 kvmalloc include/linux/mm.h:550 [inline]
 newque+0xb4/0x7d0 ipc/msg.c:139
 ipcget_new ipc/util.c:315 [inline]
 ipcget+0x27b/0xd90 ipc/util.c:653
 ksys_msgget ipc/msg.c:289 [inline]
 __do_sys_msgget ipc/msg.c:294 [inline]
 __se_sys_msgget ipc/msg.c:292 [inline]
 __x64_sys_msgget+0x14c/0x1d0 ipc/msg.c:292
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
==================================================================

Fix this by
simply zero init the whole structure, something that sysvsems also do; this is safe as it's a nop, having no secondary effect afaict. Reported-by: syzbot Signed-off-by: Davidlohr Bueso --- ipc/msg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipc/msg.c b/ipc/msg.c index 62545ce19173..da81b374f9fd 100644 --- a/ipc/msg.c +++ b/ipc/msg.c @@ -136,7 +136,7 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params) key_t key = params->key; int msgflg = params->flg; - msq = kvmalloc(sizeof(*msq), GFP_KERNEL); + msq = kvzalloc(sizeof(*msq), GFP_KERNEL); if (unlikely(!msq)) return -ENOMEM; -- 2.16.4
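Review bot: the single-line swap from kvmalloc() to kvzalloc() at the top of newque() is the right minimal fix, because zeroing at allocation time covers both the members newque() never assigns and the struct padding, which is what KMSAN reports later at do_msgrcv (ipc/msg.c:1048) and which per-member initialisation could not cover. Two points for the commit message rather than the hunk: "it's a nop" undersells the change, since it adds one clear of sizeof(*msq) per msgget(), cheap but not free, so "negligible cost" would be more accurate; and the "something that sysvsems also do" reference would be easier to verify if it named the sysvsem allocation it has in mind.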
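The reason whole-object zeroing is preferred over assigning each member, as an added userland illustration that is not part of this patch or of the kernel: the struct below (hypothetical, built to carry padding between a one-byte member and a long), the 0xAA fill that stands in for recycled allocator memory, and the function names are all constructed for this example.

```c
/* Added example (not from the patch or the kernel): why zeroing the whole
 * allocation, as kvzalloc() does, is the robust fix when a struct may be
 * observed later and carries padding. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical struct with padding between 'flag' and 'q_ctime'
 * (sizeof(unsigned long) - 1 padding bytes on typical ABIs). */
struct demo_queue {
    unsigned char flag;
    unsigned long q_ctime;
    unsigned long q_qbytes;
};

/* Stand-in for a recycled heap block: the allocator hands back memory
 * whose previous contents (0xAA here) are still present. */
static void *recycled_alloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0xAA, n);
    return p;
}

/* Member-wise initialisation: every named member is set, padding is not. */
struct demo_queue *newq_fieldwise(void)
{
    struct demo_queue *q = recycled_alloc(sizeof(*q));
    if (!q)
        return NULL;
    q->flag = 1;
    q->q_ctime = 0;
    q->q_qbytes = 0;
    return q;
}

/* Whole-object zeroing (the kvzalloc() approach): one clear covers members
 * and padding alike, and stays correct if the struct gains members later. */
struct demo_queue *newq_zeroed(void)
{
    struct demo_queue *q = recycled_alloc(sizeof(*q));
    if (!q)
        return NULL;
    memset(q, 0, sizeof(*q));
    q->flag = 1;
    return q;
}

/* Count bytes of the object that still carry the stale 0xAA pattern. */
size_t stale_bytes(const struct demo_queue *q)
{
    const unsigned char *b = (const unsigned char *)q;
    size_t i, n = 0;
    for (i = 0; i < sizeof(*q); i++)
        if (b[i] == 0xAA)
            n++;
    return n;
}

int main(void)
{
    struct demo_queue *a = newq_fieldwise();
    struct demo_queue *b = newq_zeroed();
    if (!a || !b)
        return 1;
    printf("member-wise init leaves %zu stale byte(s)\n", stale_bytes(a));
    printf("zeroed init leaves %zu stale byte(s)\n", stale_bytes(b));
    free(a);
    free(b);
    return 0;
}
```

The member-wise variant leaves exactly the padding bytes stale, which is the kind of byte KMSAN reports when a later syscall reads the object; the zeroed variant leaves none, whatever the struct layout.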