| Message ID | 20230307085548.6290-1-konishi.ryusuke@gmail.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp2330819wrd;
Tue, 7 Mar 2023 01:25:47 -0800 (PST)
X-Google-Smtp-Source:
AK7set+ze+xJFi5lJa4u6DzFYUO1CP/zh0mVXsxl8Evc3a0+NacFEfTzmm95Z7OAfEBckPEXx+x+
X-Received: by 2002:a17:907:7e9a:b0:88a:a27c:c282 with SMTP id
qb26-20020a1709077e9a00b0088aa27cc282mr18338480ejc.47.1678181147805;
Tue, 07 Mar 2023 01:25:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1678181147; cv=none;
d=google.com; s=arc-20160816;
b=V4BMLWTK7zWDGqf+lcFsGDOgj3v5fXVMicBIRaW/RaZNi12F/eVysH4kcY8ZfwB7jt
ZZ7kFkaiFR0TcztJyWDzdm6Nbqa6cEYkA00JmhvFQASZTLFmjKK1bcs7iKuuVGl0zB1H
e0YCDe4bywPZOzE/DbWITLNuCdW7vRobXSuFvHKn3PAdkP4U5JJiZh++Hg3oiw0ojYtk
u4VaMQH9dk2XyrjjdbBsXWeyyU5BNM0VInvNw2TDYOIVqTck0g1bI8DHG3Pp7cCANjer
o/uENCkVuOsANeSrayJUnrwRxj2XBzQ18o3VIfbUitHAlZwykwJnQCFe/QGG5f580pC9
KVEw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=ImZIUnjHmWZ61AUl7EQPcyNMNKjjE5EWwslBdnmGov0=;
b=U2lsOWw/8M7HZfcXSLnEjbqthZSX+jEKam/Ocy/eHKsKZiDgE9I/IXZeDsROn32s+G
iSYH/ZrMor5ylpGhvkfvAK8RP3fb+Sy4iL3lzOA9hvcjqAywy2hu8+CKlnj269mhEtXZ
ZTWgKHzQEzkiVmGI/EkysBmPorG+kbFzPhsIb2LxnpLo6SLwDeRElE8BuCKe8vUpGxH3
8h+SxXmF0Mb9rzM4UsCsWJYuMg2WMs/cRob1OexITdsg1W06QdOZu1/HEyzJbe3Yp0UC
Mfb7XdE7uXHnaRuoFWHFte6l98/J1dgjT3KOiw5/KVyj9aUnClVTqDVmp1eXgzDNa4Cw
pudw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20210112 header.b=SgtCPQOk;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
ga27-20020a1709070c1b00b008c5fe055449si3728497ejc.754.2023.03.07.01.25.24;
Tue, 07 Mar 2023 01:25:47 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20210112 header.b=SgtCPQOk;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230083AbjCGIzx (ORCPT <rfc822;toshivichauhan@gmail.com>
+ 99 others); Tue, 7 Mar 2023 03:55:53 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37838 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229742AbjCGIzu (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 7 Mar 2023 03:55:50 -0500
Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com
[IPv6:2607:f8b0:4864:20::1032])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 707F1231D6;
Tue, 7 Mar 2023 00:55:49 -0800 (PST)
Received: by mail-pj1-x1032.google.com with SMTP id
6-20020a17090a190600b00237c5b6ecd7so15835233pjg.4;
Tue, 07 Mar 2023 00:55:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20210112; t=1678179349;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:from:to:cc:subject:date
:message-id:reply-to;
bh=ImZIUnjHmWZ61AUl7EQPcyNMNKjjE5EWwslBdnmGov0=;
b=SgtCPQOkavqX+SBvioxmaURb4Km1AY2R8AW5U4vSda+AC/SpuW1VlTHGyP70Ytx+dK
Ayqg7je+tRBqJgKKk3xbtLurdcXlYw7hY3sBDSNIsbqQaTaWlTIUJTIYgsMbE1qBnKWg
/hROrhlTfzg3xPNGrquDfsSGiwb0TXzQaLrdv6qEZpVcvM7b1WzNHXSgRk3aFnEGnlOS
pWwK1QeBx+FxcTN4I5U3/9k5Yj3rpU8Ih3evW7wRHjji5kdcAhxLf3NbbaUegC1gepj2
7a5RjDaKtVujCChtlIFUvuthDcTm7IdCxR8tO87EfAs7qwzDXDhuaRoejK8v9buentv2
88iA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112; t=1678179349;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=ImZIUnjHmWZ61AUl7EQPcyNMNKjjE5EWwslBdnmGov0=;
b=UpVX4L6+uhd9WRQN43C/hOST1TWs4Fkzje/S4ypQuat/k953JuyEkGzL2eQix5q2lE
FA7QnP6Lq38G3Ryl4yJbLraasRtVTmO+A1PM2JIIGh0hROSbrDUioW9t1RdAtj9cSbqw
TPmOizo7ETcu7xp11VXCk4Bf/qVZW1A/wswy5JlH5VgMgrD4/u0v4pPpEGJTBDY5ssl4
42bk+z3lGKNZRcZf90rAZF58A0GyTJ9ah3GS+PkOPMQucRKDTWABfJUogGMUIWd880Ip
ZudZpUAFNJQiJlXtdTJ7HdKgMsB3DXGYvnyFtH12HH1FGwJ4YEds9I+hPvI1FVQIjPUF
Pzhg==
X-Gm-Message-State: AO0yUKVXbJEGoLc+Ch5OQFlJnbz/hGBCl7tPVF3PyEdqFIaxEH1ZKjD7
uEDK4+4zSwQGDTmmzrzYxmg=
X-Received: by 2002:a17:902:ab07:b0:19c:e7ee:52ad with SMTP id
ik7-20020a170902ab0700b0019ce7ee52admr12501058plb.28.1678179348695;
Tue, 07 Mar 2023 00:55:48 -0800 (PST)
Received: from carrot.. (i219-164-39-244.s42.a014.ap.plala.or.jp.
[219.164.39.244])
by smtp.gmail.com with ESMTPSA id
z9-20020a63e109000000b004fbd91d9716sm7377100pgh.15.2023.03.07.00.55.45
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 07 Mar 2023 00:55:47 -0800 (PST)
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-nilfs@vger.kernel.org,
syzbot <syzbot+132fdd2f1e1805fdc591@syzkaller.appspotmail.com>,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, glider@google.com
Subject: [PATCH] nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
Date: Tue, 7 Mar 2023 17:55:48 +0900
Message-Id: <20230307085548.6290-1-konishi.ryusuke@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <000000000000a5bd2d05f63f04ae@google.com>
References: <000000000000a5bd2d05f63f04ae@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1759700475361108642?=
X-GMAIL-MSGID: =?utf-8?q?1759700475361108642?=
|
| Series |
nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
|
|
Commit Message
Ryusuke Konishi
March 7, 2023, 8:55 a.m. UTC
The ioctl helper function nilfs_ioctl_wrap_copy, which exchanges a metadata array to/from user space, may copy uninitialized buffer regions to user space memory for read-only ioctl commands NILFS_IOCTL_GET_SUINFO and NILFS_IOCTL_GET_CPINFO. This can occur when the element size of the user space metadata given by the v_size member of the argument nilfs_argv structure is larger than the size of the metadata element (nilfs_suinfo structure or nilfs_cpinfo structure) on the file system side. KMSAN-enabled kernels detect this issue as follows: BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33 instrument_copy_to_user include/linux/instrumented.h:121 [inline] _copy_to_user+0xc0/0x100 lib/usercopy.c:33 copy_to_user include/linux/uaccess.h:169 [inline] nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99 nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline] nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290 nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343 __do_compat_sys_ioctl fs/ioctl.c:968 [inline] __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910 __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Uninit was created at: __alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572 alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287 __get_free_pages+0x34/0xc0 mm/page_alloc.c:5599 nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74 nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline] nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290 nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343 __do_compat_sys_ioctl fs/ioctl.c:968 [inline] __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910 __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Bytes 16-127 of 3968 are uninitialized ... This eliminates the leak issue by initializing the page allocated as buffer using get_zeroed_page(). Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+132fdd2f1e1805fdc591@syzkaller.appspotmail.com Link: https://lkml.kernel.org/r/000000000000a5bd2d05f63f04ae@google.com Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: stable@vger.kernel.org --- fs/nilfs2/ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c index 5ccc638ae92f..1dfbc0c34513 100644 --- a/fs/nilfs2/ioctl.c +++ b/fs/nilfs2/ioctl.c @@ -71,7 +71,7 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs, if (argv->v_index > ~(__u64)0 - argv->v_nmembs) return -EINVAL; - buf = (void *)__get_free_pages(GFP_NOFS, 0); + buf = (void *)get_zeroed_page(GFP_NOFS); if (unlikely(!buf)) return -ENOMEM; maxmembs = PAGE_SIZE / argv->v_size;