From: Alexander Potapenko
Date: Fri, 13 Mar 2020 15:10:45 +0100
Subject: Re: KMSAN: uninit-value in snapshot_compat_ioctl
To: Eric Biggers
Cc: syzbot, len.brown@intel.com, LKML, Linux PM, Pavel Machek, "Rafael J. Wysocki", syzkaller-bugs
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 9, 2020 at 7:11 PM Eric Biggers wrote:
>
> On Mon, Mar 09, 2020 at 12:53:28PM +0100, 'Alexander Potapenko' via syzkaller-bugs wrote:
> > > > Looks like a KMSAN false positive? As far as I can tell, the memory is being
> > > > initialized by put_user() called under set_fs(KERNEL_DS).
> >
> > Why? put_user() doesn't write to kernel memory, instead it copies a
> > value to the userspace.
> > That's why KMSAN performs kmsan_check_memory() on it.
> > It would actually be better if KMSAN printed a kernel-infoleak warning instead.
>
> When under set_fs(KERNEL_DS), the userspace access functions like put_user() and
> copy_to_user() can write to kernel memory. It's discouraged and people have
> been trying to get rid of uses of set_fs(), but a lot still remain, since
> sometimes it's useful to allow code to operate on both user and kernel memory.
> A common example is kernel_read().

Ah, you're right.
We can simply check that the target address is in the userspace before
actually reporting the error.
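
A userspace C model of the check proposed in this reply, added here as an illustration; it is not KMSAN or kernel code. Every name in it (`model_put_user`, `addr_limit`, the 64-byte toy address space) is an assumption made for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy address space (constructed): offsets below USER_TOP are "user" memory. */
#define MEM_SIZE 64
#define USER_TOP 32
enum verdict { COPIED_OK, INFOLEAK_REPORTED, EFAULT_MODEL };

static uint8_t mem[MEM_SIZE];        /* data bytes */
static uint8_t shadow[MEM_SIZE];     /* 1 = byte is uninitialized */
static size_t addr_limit = USER_TOP; /* the limit that set_fs() moves */

static void model_set_fs_kernel(void) { addr_limit = MEM_SIZE; }
static void model_set_fs_user(void) { addr_limit = USER_TOP; }
static void model_init_bytes(size_t off, size_t len) { memset(shadow + off, 0, len); }

static void model_reset(void)
{
    memset(mem, 0, sizeof(mem));
    memset(shadow, 1, sizeof(shadow)); /* everything starts uninitialized */
    model_set_fs_user();
}

static int any_poisoned(size_t off, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (shadow[off + i]) return 1;
    return 0;
}

/* Model of a put_user()-style copy from kernel offset src to offset dst. */
static enum verdict model_put_user(size_t dst, size_t src, size_t len)
{
    if (src + len > MEM_SIZE || dst + len > addr_limit)
        return EFAULT_MODEL; /* destination is outside the current limit */
    if (dst + len <= USER_TOP) {
        /* Target really is userspace: uninitialized bytes would leak. */
        if (any_poisoned(src, len))
            return INFOLEAK_REPORTED;
    } else {
        /* Target is kernel memory (KERNEL_DS): nothing leaves the kernel,
         * so propagate the shadow instead of reporting. */
        memmove(shadow + dst, shadow + src, len);
    }
    memmove(mem + dst, mem + src, len);
    return COPIED_OK;
}
```
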