From: Kyungtae Kim
Date: Thu, 25 Oct 2018 06:35:15 -0400
Subject: BUG: KMSAN: uninit-value in selinux_socket_bind, selinux_socket_connect_helper
To: davem@davemloft.net
Cc: lifeasageek@gmail.com, syzkaller@googlegroups.com, threeearcat@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

We report two related crashes (in v4.19-rc8):
"BUG: KMSAN: uninit-value in selinux_socket_bind"
"BUG: KMSAN: uninit-value in selinux_socket_connect_helper"

kernel config: https://kt0755.github.io/etc/config-4.19-rc2.kmsan
repro: https://kt0755.github.io/etc/repro.b0e55.c

Since both crashes share the same issue, we just explain one of the two.
When the third argument of bind() (i.e., addrlen) is zero, in __sys_bind(),
the data copy from the user sockaddr to the kernel sockaddr does not occur
(net/socket.c:186). However, a subsequent function, selinux_socket_bind(),
tries to read the kernel sockaddr (address->sa_family), which was not
initialized at all.
Crash log1
==================================================================
BUG: KMSAN: uninit-value in selinux_socket_bind+0x61b/0x1040 security/selinux/hooks.c:4643
CPU: 0 PID: 19070 Comm: syz-executor6 Not tainted 4.19.0-rc8+ #18
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x305/0x460 lib/dump_stack.c:113
 kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
 __msan_warning+0x7d/0xe0 mm/kmsan/kmsan_instr.c:500
 selinux_socket_bind+0x61b/0x1040 security/selinux/hooks.c:4643
 security_socket_bind+0x127/0x200 security/security.c:1390
 __sys_bind+0x577/0x7e0 net/socket.c:1479
 __do_sys_bind net/socket.c:1494 [inline]
 __se_sys_bind+0x8d/0xb0 net/socket.c:1492
 __x64_sys_bind+0x4a/0x70 net/socket.c:1492
 do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fdddf1e9c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007fdddf1ea6cc RCX: 00000000004497b9
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004c8 R14: 00000000006e8568 R15: 00007fdddf1ea700

Local variable description: ----address@__sys_bind
Variable was created at:
 __sys_bind+0x89/0x7e0 net/socket.c:1470
 __do_sys_bind net/socket.c:1494 [inline]
 __se_sys_bind+0x8d/0xb0 net/socket.c:1492
==================================================================

Crash log2
==================================================================
BUG: KMSAN: uninit-value in selinux_socket_connect_helper+0x55c/0x960 security/selinux/hooks.c:4775
CPU: 0 PID: 8234 Comm: syz-executor2 Not tainted 4.19.0-rc8+ #18
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x305/0x460 lib/dump_stack.c:113
 kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
 __msan_warning+0x7d/0xe0 mm/kmsan/kmsan_instr.c:500
 selinux_socket_connect_helper+0x55c/0x960 security/selinux/hooks.c:4775
 selinux_socket_connect+0xbe/0x180 security/selinux/hooks.c:4834
 security_socket_connect+0x127/0x200 security/security.c:1395
 __sys_connect+0x577/0x850 net/socket.c:1660
 __do_sys_connect net/socket.c:1675 [inline]
 __se_sys_connect+0x8d/0xb0 net/socket.c:1672
 __x64_sys_connect+0x4a/0x70 net/socket.c:1672
 do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x4497b9
Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff660d67c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007ff660d686cc RCX: 00000000004497b9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000ae0 R14: 00000000006e8b80 R15: 00007ff660d68700

Local variable description: ----address@__sys_connect
Variable was created at:
 __sys_connect+0x89/0x850 net/socket.c:1647
 __do_sys_connect net/socket.c:1675 [inline]
 __se_sys_connect+0x8d/0xb0 net/socket.c:1672
==================================================================

We provide a simple patch below to stop them. There are a few more lines that invoke move_addr_to_kernel(), but the two of them (bind and connect) seem to be the only cases to be corrected.

diff --git a/net/socket.c b/net/socket.c
index 390a8ec..de0931c2 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1475,7 +1475,7 @@ int __sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
 	if (sock) {
 		err = move_addr_to_kernel(umyaddr, addrlen, &address);
-		if (err >= 0) {
+		if (err > 0) {
 			err = security_socket_bind(sock,
 						   (struct sockaddr *)&address,
 						   addrlen);
@@ -1653,7 +1653,7 @@ int __sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
 	if (!sock)
 		goto out;
 	err = move_addr_to_kernel(uservaddr, addrlen, &address);
-	if (err < 0)
+	if (err <= 0)
 		goto out_put;
 	err =

Thanks,
Kyungtae Kim
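Review bot: the `-if (err >= 0) {` / `+if (err > 0) {` change in the __sys_bind hunk, and the matching `+if (err <= 0)` in the __sys_connect hunk, make the fix depend on move_addr_to_kernel() returning a positive value after a successful copy, and nothing in the diff or in the report establishes that contract; move_addr_to_kernel() in net/socket.c returns 0 on success (non-zero only on its -EINVAL/-EFAULT error paths), so with this change an ordinary bind() would skip both security_socket_bind() and the bind itself while still returning 0, and an ordinary connect() would always jump to out_put. The report's own diagnosis is that addrlen == 0 leaves `address` untouched, so check that condition directly: either reject an addrlen shorter than sizeof(sa_family_t) in these two syscalls before the security hook runs, or have the SELinux hooks validate addrlen before reading address->sa_family, rather than overloading the helper's return value.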
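The uninitialized-address path the report describes, modelled in userspace as an added example (this is not code from the report, nor kernel code): model_move_addr_to_kernel(), hook_unguarded(), hook_guarded() and model_bind() are constructed stand-ins for move_addr_to_kernel(), the SELinux hook as the report describes it, and the same hook with a length check. Because userspace has no KMSAN, the stack buffer is poisoned with a constructed byte (0xA5) so the stale sa_family read becomes observable. It goes slightly beyond the report by showing the defensive check a hook needs before it may read sa_family.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/*
 * Constructed model of the kernel path in the report: a sockaddr_storage
 * on the stack, a copy helper that copies nothing when addrlen == 0, and a
 * security hook that reads sa_family.  POISON stands in for whatever was
 * left on the stack; nothing here is kernel code.
 */
#define POISON 0xA5

/* Stand-in for move_addr_to_kernel(): 0 on success, no copy for ulen == 0. */
static int model_move_addr_to_kernel(const void *uaddr, int ulen,
                                     struct sockaddr_storage *kaddr)
{
    if (ulen < 0 || ulen > (int)sizeof(*kaddr))
        return -EINVAL;
    if (ulen == 0)
        return 0;                 /* kaddr untouched: stale stack bytes remain */
    memcpy(kaddr, uaddr, (size_t)ulen);
    return 0;
}

/* Hook as described in the report: reads sa_family without checking addrlen. */
static int hook_unguarded(const struct sockaddr *addr, int addrlen,
                          sa_family_t *family)
{
    (void)addrlen;
    *family = addr->sa_family;    /* may read memory the copy never wrote */
    return 0;
}

/* Hardened hook: refuse any address too short to contain sa_family. */
static int hook_guarded(const struct sockaddr *addr, int addrlen,
                        sa_family_t *family)
{
    if (addrlen < (int)sizeof(addr->sa_family))
        return -EINVAL;
    *family = addr->sa_family;
    return 0;
}

/*
 * Run one bind()-style call through the model.  Returns the hook's result
 * and stores the family the hook observed (0xFFFF if it never got that far).
 */
static int model_bind(const void *uaddr, int addrlen, int guarded,
                      sa_family_t *observed)
{
    struct sockaddr_storage address;
    int err;

    memset(&address, POISON, sizeof(address));   /* "uninitialized" stack */
    *observed = 0xFFFF;

    err = model_move_addr_to_kernel(uaddr, addrlen, &address);
    if (err < 0)
        return err;

    return guarded
        ? hook_guarded((struct sockaddr *)&address, addrlen, observed)
        : hook_unguarded((struct sockaddr *)&address, addrlen, observed);
}

/* Scenario 1: addrlen 0, unguarded hook -> family comes from stale bytes. */
int unguarded_zero_len_family(void)
{
    sa_family_t fam;
    struct sockaddr_in user_addr = { .sin_family = AF_INET };
    model_bind(&user_addr, 0, 0, &fam);
    return fam;                    /* 0xA5A5, not AF_INET */
}

/* Scenario 2: addrlen 0, guarded hook -> rejected before any read. */
int guarded_zero_len_err(void)
{
    sa_family_t fam;
    struct sockaddr_in user_addr = { .sin_family = AF_INET };
    return model_bind(&user_addr, 0, 1, &fam);   /* -EINVAL */
}

/* Scenario 3: full-length address, guarded hook -> normal path still works. */
int guarded_full_len_family(void)
{
    sa_family_t fam;
    struct sockaddr_in user_addr = { .sin_family = AF_INET };
    if (model_bind(&user_addr, (int)sizeof(user_addr), 1, &fam) != 0)
        return -1;
    return fam;                    /* AF_INET */
}

int main(void)
{
    printf("unguarded, addrlen 0: family 0x%04x (stale)\n", unguarded_zero_len_family());
    printf("guarded, addrlen 0: err %d\n", guarded_zero_len_err());
    printf("guarded, full length: family %d\n", guarded_full_len_family());
    return 0;
}
```

The length check in hook_guarded() is the property the report is really about: a hook that consumes a caller-supplied sockaddr must treat addrlen as the bound on what the copy initialized, and the minimum usable length is sizeof(sa_family_t). Checking the helper's return value instead cannot distinguish "copied nothing" from "copied successfully" when both report 0.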