Date: Tue, 06 Nov 2018 17:38:04 -0800
Message-ID: <0000000000005de8da057a092ba2@google.com>
Subject: KMSAN: kernel-infoleak in kvm_vcpu_write_guest_page
From: syzbot
To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, pbonzini@redhat.com, rkrcmar@redhat.com, syzkaller-bugs@googlegroups.com
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

syzbot found the following crash on:

HEAD commit:    88b95ef4c780 kmsan: use MSan assembly instrumentation
git tree:       https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=12505e33400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8df5fc509a1b351b
dashboard link: https://syzkaller.appspot.com/bug?extid=ded1696f6b50b615b630
compiler:       clang version 8.0.0 (trunk 343298)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ce62f5400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=174efca3400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ded1696f6b50b615b630@syzkaller.appspotmail.com

==================================================================
BUG: KMSAN: kernel-infoleak in __copy_to_user include/linux/uaccess.h:121 [inline]
BUG: KMSAN: kernel-infoleak in __kvm_write_guest_page arch/x86/kvm/../../../virt/kvm/kvm_main.c:1849 [inline]
BUG: KMSAN: kernel-infoleak in kvm_vcpu_write_guest_page+0x39a/0x510 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1870
CPU: 0 PID: 7918 Comm: syz-executor542 Not tainted 4.19.0+ #77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x32d/0x480 lib/dump_stack.c:113
 kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:911
 kmsan_internal_check_memory+0x34c/0x430 mm/kmsan/kmsan.c:991
 kmsan_copy_to_user+0x85/0xe0 mm/kmsan/kmsan_hooks.c:552
 __copy_to_user include/linux/uaccess.h:121 [inline]
 __kvm_write_guest_page arch/x86/kvm/../../../virt/kvm/kvm_main.c:1849 [inline]
 kvm_vcpu_write_guest_page+0x39a/0x510 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1870
 nested_release_vmcs12 arch/x86/kvm/vmx.c:8441 [inline]
 handle_vmptrld+0x2384/0x26b0 arch/x86/kvm/vmx.c:8907
 vmx_handle_exit+0x1e81/0xbac0 arch/x86/kvm/vmx.c:10128
 vcpu_enter_guest arch/x86/kvm/x86.c:7667 [inline]
 vcpu_run arch/x86/kvm/x86.c:7730 [inline]
 kvm_arch_vcpu_ioctl_run+0xac32/0x11d80 arch/x86/kvm/x86.c:7930
 kvm_vcpu_ioctl+0xfb1/0x1f90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2590
 do_vfs_ioctl+0xf77/0x2d30 fs/ioctl.c:46
 ksys_ioctl fs/ioctl.c:702 [inline]
 __do_sys_ioctl fs/ioctl.c:709 [inline]
 __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:707
 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:707
 do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x44b6e9
Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b ff fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f096b292ce8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006e3c48 RCX: 000000000044b6e9
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00000000006e3c40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 00000000006e3c4c
R13: 00007ffd978aeb2f R14: 00007f096b2939c0 R15: 00000000006e3d4c

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:252 [inline]
 kmsan_internal_poison_shadow+0xc8/0x1e0 mm/kmsan/kmsan.c:177
 kmsan_kmalloc+0x98/0x110 mm/kmsan/kmsan_hooks.c:104
 __kmalloc+0x14c/0x4d0 mm/slub.c:3789
 kmalloc include/linux/slab.h:518 [inline]
 enter_vmx_operation+0x980/0x1a90 arch/x86/kvm/vmx.c:8278
 vmx_set_nested_state+0xc3a/0x1530 arch/x86/kvm/vmx.c:14045
 kvm_arch_vcpu_ioctl+0x4fc9/0x73a0 arch/x86/kvm/x86.c:4057
 kvm_vcpu_ioctl+0xca3/0x1f90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2742
 do_vfs_ioctl+0xf77/0x2d30 fs/ioctl.c:46
 ksys_ioctl fs/ioctl.c:702 [inline]
 __do_sys_ioctl fs/ioctl.c:709 [inline]
 __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:707
 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:707
 do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Bytes 1000-4095 of 4096 are uninitialized
Memory access of size 4096 starts at ffff8801b5157000
==================================================================

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches