Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
MIME-Version: 1.0
Date:   Sun, 11 Nov 2018 11:59:07 -0800
In-Reply-To: <lsq.1541965745.239435396@decadent.org.uk>
Message-ID: <000000000000687eda057a6904e9@google.com>
Subject: Re: [PATCH 3.16 213/366] vt: prevent leaking uninitialized data to
 userspace via /dev/vcs*
From:   syzbot <syzbot+17a8efdf800000@syzkaller.appspotmail.com>
To:     Ben Hutchings <ben@decadent.org.uk>
Cc:     akpm@linux-foundation.org, ben@decadent.org.uk, glider@google.com,
        gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
        stable@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

> 3.16.61-rc1 review patch.  If anyone has any objections, please let me  
> know.

> ------------------

> From: Alexander Potapenko <glider@google.com>

> commit 21eff69aaaa0e766ca0ce445b477698dc6a9f55a upstream.

> KMSAN reported an infoleak when reading from /dev/vcs*:

>    BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
>    Call Trace:
>    ...
>     kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
>     copy_to_user ./include/linux/uaccess.h:184
>     vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
>     __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
>     vfs_read+0x36c/0x6b0 fs/read_write.c:452
>    ...
>    Uninit was created at:
>     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
>     kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
>     kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
>     __kmalloc+0x13a/0x350 mm/slub.c:3818
>     kmalloc ./include/linux/slab.h:517
>     vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
>     con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
>     tty_driver_install_tty drivers/tty/tty_io.c:1224
>     tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
>     tty_open_by_driver drivers/tty/tty_io.c:1959
>     tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
>     chrdev_open+0xc25/0xd90 fs/char_dev.c:417
>     do_dentry_open+0xccc/0x1440 fs/open.c:794
>     vfs_open+0x1b6/0x2f0 fs/open.c:908
>    ...
>    Bytes 0-79 of 240 are uninitialized

> Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem

> Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com
> Signed-off-by: Alexander Potapenko <glider@google.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>   drivers/tty/vt/vt.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)

> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -782,7 +782,7 @@ int vc_allocate(unsigned int currcons)	/
>   	if (!*vc->vc_uni_pagedir_loc)
>   		con_set_default_unimap(vc);

> -	vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
> +	vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
>   	if (!vc->vc_screenbuf)
>   		goto err_free;

> @@ -869,7 +869,7 @@ static int vc_do_resize(struct tty_struc

>   	if (new_screen_size > (4 << 20))
>   		return -EINVAL;
> -	newscreen = kmalloc(new_screen_size, GFP_USER);
> +	newscreen = kzalloc(new_screen_size, GFP_USER);
>   	if (!newscreen)
>   		return -ENOMEM;


Can't find the corresponding bug.