Received: by 2002:a05:7412:ba23:b0:fa:4c10:6cad with SMTP id jp35csp1081659rdb; Fri, 19 Jan 2024 07:39:34 -0800 (PST) X-Google-Smtp-Source: AGHT+IHVspBNdyI7gRf50GZyVPv8ag1zpcFcF5GDY4TEsGjxXLGtrl3jnmSsbevmz7FhsHQRO/h3 X-Received: by 2002:a17:90a:94ca:b0:290:c3a:fb44 with SMTP id j10-20020a17090a94ca00b002900c3afb44mr1998773pjw.4.1705678773810; Fri, 19 Jan 2024 07:39:33 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705678773; cv=pass; d=google.com; s=arc-20160816; b=v7sNjf6MpySphjBr3BV61qk2ryH8P13Ejbx3wMP2hTkWXH0ejfJxTO1yYIysuolUnu FlkFuYxlx3oLuVOSPzZgIyR2fB6on6YedR5pkKQqFaxXnscY8A3oZRZmvIN4lR6MacGn o8kff6hz72aNnZWbsWcTzzgaQ/DWiCBnmmyaDOUsC1h80iufotxSHUN1SU2adxn08qPz fMt2MyZZox5QBl6I57NcTdyDhZdnBpBZqFOG1oRDa8HfGBH5k0/lXkkttqSmjjr0j6z+ ukS7u8PpdLG1NTztk3oYzmYik2T77sW02V2rEOGR0Y7v8B8gjbk8llLJMT2s8XTqrDVl yj0w== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from; bh=Bm6FQoIxc8CKzv1n+QClBbpnXbXFV9M48KnUa9RN6UQ=; fh=zKKdULBiV0R41iHUI2UPZKpQsshZZqzzuhRmV9tDAFI=; b=zqaPiSIfqUGyBDwfkMtiCD6oYMvPOAfN27ZMqNh6LL/ql/JrPLRLZqmKIK6DtcD1B4 lDoi/2G5AMeNN7503fuYPZ98vGamfBosqP3bxe8TO1FzeBRL63/JREFtulX3Q7v4v93o MtLTdmAQ9Q0AzJ+8+F3uYSMfM9bu0wecT498fAs45HfdBf+dof4KQdJ0aQPVTX068pwB oOI3VJXrbNMAExqMpsvzOM9m9l4XGhhuRo9REL1iirGOiN6kWndKT9MT5boiQ712UOD+ LBWTvTw2FpkKIgvZC72hIaRDTooGKqQQ6oCv72tfvux8H3Hk33t5dmTEE24JKKT60ja2 HxFw== ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=fintech.ru); spf=pass (google.com: domain of linux-nfs+bounces-1206-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-nfs+bounces-1206-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id v15-20020a17090a898f00b0029058da5dc5si614520pjn.176.2024.01.19.07.39.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 19 Jan 2024 07:39:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs+bounces-1206-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=fintech.ru); spf=pass (google.com: domain of linux-nfs+bounces-1206-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-nfs+bounces-1206-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 74C9A28297A for ; Fri, 19 Jan 2024 15:39:33 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 5F08454BC5; Fri, 19 Jan 2024 15:39:29 +0000 (UTC) X-Original-To: linux-nfs@vger.kernel.org Received: from exchange.fintech.ru (exchange.fintech.ru [195.54.195.159]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 506E13C465; Fri, 19 Jan 2024 15:39:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.54.195.159 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705678769; cv=none; b=CiVPM4j9xmZUW5/YKDf4tLlOuvn9vcSGL3kS5cLNmvO7HUdKaiAB4fiBwX9EkhaSnJv5aqQbmfJ6M+eGHgKk5Hv8TCiQKWCkUdXpIBSQRWKoTunM5qU5GdMs6gQfCS6emkhCNcM6ZMoeA1eQUzmk042EoD5/2xZqc3Lp5nbU+yk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705678769; c=relaxed/simple; bh=VtiMxsi1+ub0qW/r114MxUAGi/pPUxucnebfcw3ezbc=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=Eipn1GW45z0naebRbgewEbW+CK/Yax+LhBYdfOhd3Ma9j5gf5KmCvUZr3tRJ/NRN4vrdpKNpzWmbSND/e2RPlAseCwRkrU+qEQauw1l5zsqPbLP/arZPF2R4Htuci3iRISEEc3dhI1ywHUoBNt8odIZ3c8iEABeXaWowIUMelho= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fintech.ru; spf=pass smtp.mailfrom=fintech.ru; arc=none smtp.client-ip=195.54.195.159 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fintech.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=fintech.ru Received: from Ex16-01.fintech.ru (10.0.10.18) by exchange.fintech.ru (195.54.195.169) with Microsoft SMTP Server (TLS) id 14.3.498.0; Fri, 19 Jan 2024 18:39:17 +0300 Received: from localhost (10.0.253.138) by Ex16-01.fintech.ru (10.0.10.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Fri, 19 Jan 2024 18:39:16 +0300 From: Nikita Zhandarovich To: Chuck Lever CC: Nikita Zhandarovich , Jeff Layton , Amir Goldstein , Alexander Viro , Christian Brauner , Jan Kara , , , , Subject: [PATCH] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak Date: Fri, 19 Jan 2024 07:39:06 -0800 Message-ID: <20240119153906.4367-1-n.zhandarovich@fintech.ru> X-Mailer: git-send-email 2.25.1 Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-ClientProxiedBy: Ex16-02.fintech.ru (10.0.10.19) To Ex16-01.fintech.ru (10.0.10.18) syzbot identified a kernel information leak vulnerability in do_sys_name_to_handle() and issued the following report [1]. [1] "BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x100 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] do_sys_name_to_handle fs/fhandle.c:73 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc+0x121/0x3c0 mm/slab_common.c:1020 kmalloc include/linux/slab.h:604 [inline] do_sys_name_to_handle fs/fhandle.c:39 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Bytes 18-19 of 20 are uninitialized Memory access of size 20 starts at ffff888128a46380 Data copied to user address 0000000020000240" Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to solve the problem. Fixes: 990d6c2d7aee ("vfs: Add name to file handle conversion support") Suggested-by: Chuck Lever III Reported-and-tested-by: syzbot+09b349b3066c2e0b1e96@syzkaller.appspotmail.com Signed-off-by: Nikita Zhandarovich --- Link to Chuck's suggestion: https://lore.kernel.org/all/B4A8D625-6997-49C8-B105-B2DCFE8C6DDA@oracle.com/ fs/fhandle.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/fhandle.c b/fs/fhandle.c index 18b3ba8dc8ea..57a12614addf 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -36,7 +36,7 @@ static long do_sys_name_to_handle(const struct path *path, if (f_handle.handle_bytes > MAX_HANDLE_SZ) return -EINVAL; - handle = kmalloc(sizeof(struct file_handle) + f_handle.handle_bytes, + handle = kzalloc(sizeof(struct file_handle) + f_handle.handle_bytes, GFP_KERNEL); if (!handle) return -ENOMEM; -- 2.25.1