Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp1701250ima;
        Thu, 25 Oct 2018 03:36:17 -0700 (PDT)
X-Google-Smtp-Source: AJdET5fWXUEUGt0hK8Nt3rCcxAXeJ0lII688OeLdbZuFN9FZx6VGZ6+B1NXTE2fwSvVuJXSMxWF7
X-Received: by 2002:a62:1497:: with SMTP id 145-v6mr1052968pfu.100.1540463777849;
        Thu, 25 Oct 2018 03:36:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540463777; cv=none;
        d=google.com; s=arc-20160816;
        b=ytXfAWHieiP4EtJgqh/rInP0UqBcyCXO9A08+i2i058OsfCqFWNCFu972hM6joByYR
         aqesPmxGq94ekWQKqpk9o8J4GiO4mPQiF39eZCZyCsFXSFkZ6U2wauPM5xHg/Xk8TJps
         YNzub3sqiSJtvfwKZdtgbowFPR9spC5anXheb/T7S7rVR2e3UbQ4tb28j0pFGgOpYgEe
         iPTnwxHE6s0E3PPovb6MSIZj16mh7kwZ4CkqNxZ7whnrFCi/M6e5y+PMzD+ECCqyzH4h
         O1p+Zhv+70X5M1sJjUoc7pjOwakvdG75WG4u6DWBleQC1upUXvMlGw5GKb5FqRqIqVP0
         0mtA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:mime-version:dkim-signature;
        bh=HApCBrP3GUcUQzrqXjWtOUnbeF7cKGnNY5yardXuXDg=;
        b=u6mNSk4HZTDDZlzdaFbEy0KZkQe1pUOBBYPG0VS771TR4F4dDLffK/BWkmQFfGHagS
         lpHU5YrA0ui0N19k4veHnfxuQp6ITwZZOIy6Rp+DSGp8481JXia+SNZH4Xt1mbga2HQm
         hp/B16crBVRBvHTHuIZ1sLnC2YH4nJVndCkx02YP3Il70R+ciasCJTde/+pVhunCeoMK
         CFQ7NSFNu/SQWxHaXFb4hsIOudwicl58uTfmNRFCOqPErWqX+La3kZXL+hdAoAIUKuqB
         GMyAuCuv1cY20PfTzTdcl3WmovVkSNY29GFa5eMXUMyxHmWuD4KOIWMLLU2tJmVHd4O9
         pY4Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=vAt0qdU6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s9-v6si7970739pgk.371.2018.10.25.03.36.01;
        Thu, 25 Oct 2018 03:36:17 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=vAt0qdU6;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727398AbeJYTHh (ORCPT <rfc822;plaguedbypenguins@gmail.com>
        + 99 others); Thu, 25 Oct 2018 15:07:37 -0400
Received: from mail-io1-f68.google.com ([209.85.166.68]:36439 "EHLO
        mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726852AbeJYTHh (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 25 Oct 2018 15:07:37 -0400
Received: by mail-io1-f68.google.com with SMTP id o19-v6so5155605iod.3;
        Thu, 25 Oct 2018 03:35:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to:cc
         :content-transfer-encoding;
        bh=HApCBrP3GUcUQzrqXjWtOUnbeF7cKGnNY5yardXuXDg=;
        b=vAt0qdU6s/EoYzvIYKXzTyL8a7YnPc1EXGa8YlVQtwtjbkNl7r1s2COiF+yQcLeORD
         jUWz8CecUHDWnplpiP0Jbm2vUJFhlG2uIh71ha2AChtct5aIqHN8RI/Oc6EZRk1AkWAL
         t/kQdW19TjqLpeCTgMxhWzAQXQXb4z/DBLwng3waoKtmRQQCsFXDde4VG0DHEX1piK7n
         L86POEzwd+IPtPZzP7gvrbbAXeK1+TS2oNs0D+dGv0ngjxPf73kO9pBIJX1v6Bsugjru
         YQjAT+X1PBaPDXsPnuyFWeG1oanRDf0dUrMu5uTSsXiNdh/z2UGkYS7cpHslIaEKdaLw
         NKpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc
         :content-transfer-encoding;
        bh=HApCBrP3GUcUQzrqXjWtOUnbeF7cKGnNY5yardXuXDg=;
        b=JbN9hUzjWCDoBUeqIFQI6X6DtkOmygrBMkc67HVfrni1FZezEmsYt13tPOcKLM7fzV
         JJWaZwHqZq+P0RriY8ccbZKkAqAZMR1IgJJImRxxC/nbCaz/H/GSGWpvrdYKxPTTWZcP
         TQ2bg12OFgmOVVTO22s7llBefpZlQrHObvXv9Yc41BiIGTzfWtL0ctQDM9OvMntnqLxg
         dvkX+9PuDiet2qkXNYvHRVkPjXo31Zcdf1ql9NiIYwfS1lEM1156VsoYErP8RBDT7dRo
         LU1SRhixl1owSj2VijV34fJpp9HqFEEUMfZ0BBhZr/JspT2FJJ5i4NquF4zion8xGxxw
         EuJA==
X-Gm-Message-State: AGRZ1gJ9k4KWxxP+4iqzXJku/jGwjuS0ePy7awvsbqNMlFVgh+l+ffWF
        r358XB5eZBXT+iXVGly5QOMTLadSsaRk/BRdT0c=
X-Received: by 2002:a6b:8e90:: with SMTP id q138-v6mr651852iod.112.1540463727086;
 Thu, 25 Oct 2018 03:35:27 -0700 (PDT)
MIME-Version: 1.0
From:   Kyungtae Kim <kt0755@gmail.com>
Date:   Thu, 25 Oct 2018 06:35:15 -0400
Message-ID: <CAEAjamv0P63dTXEjzbDp6ahaNRuUiRPWTnj_N2RV7monBk4bHw@mail.gmail.com>
Subject: BUG: KMSAN: uninit-value in selinux_socket_bind, selinux_socket_connect_helper
To:     davem@davemloft.net
Cc:     lifeasageek@gmail.com, syzkaller@googlegroups.com,
        threeearcat@gmail.com, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

We report two crashes related (in v4.19-rc8) :
"BUG: KMSAN: uninit-value in selinux_socket_bind"
"BUG: KMSAN: uninit-value in selinux_socket_connect_helper=E2=80=9D

kernel config: https://kt0755.github.io/etc/config-4.19-rc2.kmsan
repro: https://kt0755.github.io/etc/repro.b0e55.c

Since both crashes share the same issue, we just explain one of the two.
When the third argument of bind() (i.e., addrlen) is zero, in __sys_bind(),
data copy from user sockaddr to kernel sockaddr does not occur
(net/socket.c:186).
However, a subsequent function selinux_socket_bind() tries to read
the kernel sockaddr (address->sa_family) that was not initialized at all.

Crash log1
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
BUG: KMSAN: uninit-value in selinux_socket_bind+0x61b/0x1040
security/selinux/hooks.c:4643
CPU: 0 PID: 19070 Comm: syz-executor6 Not tainted 4.19.0-rc8+ #18
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/201=
1
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x305/0x460 lib/dump_stack.c:113
 kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
 __msan_warning+0x7d/0xe0 mm/kmsan/kmsan_instr.c:500
 selinux_socket_bind+0x61b/0x1040 security/selinux/hooks.c:4643
 security_socket_bind+0x127/0x200 security/security.c:1390
 __sys_bind+0x577/0x7e0 net/socket.c:1479
 __do_sys_bind net/socket.c:1494 [inline]
 __se_sys_bind+0x8d/0xb0 net/socket.c:1492
 __x64_sys_bind+0x4a/0x70 net/socket.c:1492
 do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fdddf1e9c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007fdddf1ea6cc RCX: 00000000004497b9
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004c8 R14: 00000000006e8568 R15: 00007fdddf1ea700

Local variable description: ----address@__sys_bind
Variable was created at:
 __sys_bind+0x89/0x7e0 net/socket.c:1470
 __do_sys_bind net/socket.c:1494 [inline]
 __se_sys_bind+0x8d/0xb0 net/socket.c:1492
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Crash log2
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
BUG: KMSAN: uninit-value in selinux_socket_connect_helper+0x55c/0x960
security/selinux/hooks.c:4775
CPU: 0 PID: 8234 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #18
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/201=
1
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x305/0x460 lib/dump_stack.c:113
 kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
 __msan_warning+0x7d/0xe0 mm/kmsan/kmsan_instr.c:500
 selinux_socket_connect_helper+0x55c/0x960 security/selinux/hooks.c:4775
 selinux_socket_connect+0xbe/0x180 security/selinux/hooks.c:4834
 security_socket_connect+0x127/0x200 security/security.c:1395
 __sys_connect+0x577/0x850 net/socket.c:1660
 __do_sys_connect net/socket.c:1675 [inline]
 __se_sys_connect+0x8d/0xb0 net/socket.c:1672
 __x64_sys_connect+0x4a/0x70 net/socket.c:1672
 do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff660d67c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007ff660d686cc RCX: 00000000004497b9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000ae0 R14: 00000000006e8b80 R15: 00007ff660d68700

Local variable description: ----address@__sys_connect
Variable was created at:
 __sys_connect+0x89/0x850 net/socket.c:1647
 __do_sys_connect net/socket.c:1675 [inline]
 __se_sys_connect+0x8d/0xb0 net/socket.c:1672
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

We provide a simple patch below to stop them.
There are a few more lines that invoke move_addr_to_kernel(), but the
two of them
(bind and connect) seem to be the only cases to be corrected.


diff --git a/net/socket.c b/net/socket.c
index 390a8ec..de0931c2 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1475,7 +1475,7 @@ int __sys_bind(int fd, struct sockaddr __user
*umyaddr, int addrlen)
        sock =3D sockfd_lookup_light(fd, &err, &fput_needed);
        if (sock) {
                err =3D move_addr_to_kernel(umyaddr, addrlen, &address);
-               if (err >=3D 0) {
+               if (err > 0) {
                        err =3D security_socket_bind(sock,
                                                   (struct sockaddr *)&addr=
ess,
                                                   addrlen);
@@ -1653,7 +1653,7 @@ int __sys_connect(int fd, struct sockaddr __user
*uservaddr, int addrlen)
        if (!sock)
                goto out;
        err =3D move_addr_to_kernel(uservaddr, addrlen, &address);
-       if (err < 0)
+       if (err <=3D 0)
                goto out_put;

        err =3D


Thanks,
Kyungtae Kim