On Mon, Aug 31, 2020 at 03:28:22AM -0700, syzbot wrote: > BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 > mm/kmsan/kmsan_hooks.c:253 > CPU: 1 PID: 12272 Comm: syz-executor.3 Not tainted 5.8.0-rc5-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Call Trace: > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0x21c/0x280 lib/dump_stack.c:118 > kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 > kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423 > kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253 > instrument_copy_to_user include/linux/instrumented.h:91 [inline] > _copy_to_user+0x18e/0x260 lib/usercopy.c:33 > scsi_put_cdrom_generic_arg include/linux/uaccess.h:170 [inline]
+ Cc: Greg Kroah-Hartman + Cc: Anant Thazhemadam Hi all, In looking at the report, I guess this patch should fix the issue, there's a 3-byte hole in `struct compat_cdrom_generic_command`: [PATCH v3] block/scsi-ioctl: Prevent kernel-infoleak in scsi_put_cdrom_generic_arg() https://lore.kernel.org/lkml/20200909095057.1214104-1-yepeilin...@gmail.com/ But I cannot verify it, since syzbot doesn't have a reproducer for it. The patch adds a 3-byte padding field to `struct compat_cdrom_generic_command`. It hasn't been accepted yet. > Local variable ----cgc32.i42.i@scsi_cmd_ioctl created at: > scsi_put_cdrom_generic_arg block/scsi_ioctl.c:695 [inline] #ifdef CONFIG_COMPAT if (in_compat_syscall()) { struct compat_cdrom_generic_command [...] $ # before $ pahole -C "compat_cdrom_generic_command" !$ pahole -C "compat_cdrom_generic_command" block/scsi_ioctl.o struct compat_cdrom_generic_command { unsigned char cmd[12]; /* 0 12 */ compat_caddr_t buffer; /* 12 4 */ compat_uint_t buflen; /* 16 4 */ compat_int_t stat; /* 20 4 */ compat_caddr_t sense; /* 24 4 */ unsigned char data_direction; /* 28 1 */ /* XXX 3 bytes hole, try to pack */ compat_int_t quiet; /* 32 4 */ compat_int_t timeout; /* 36 4 */ compat_caddr_t reserved[1]; /* 40 4 */ /* size: 44, cachelines: 1, members: 9 */ /* sum members: 41, holes: 1, sum holes: 3 */ /* last cacheline: 44 bytes */ }; $ # after $ pahole -C "compat_cdrom_generic_command" block/scsi_ioctl.o struct compat_cdrom_generic_command { unsigned char cmd[12]; /* 0 12 */ compat_caddr_t buffer; /* 12 4 */ compat_uint_t buflen; /* 16 4 */ compat_int_t stat; /* 20 4 */ compat_caddr_t sense; /* 24 4 */ unsigned char data_direction; /* 28 1 */ unsigned char pad[3]; /* 29 3 */ compat_int_t quiet; /* 32 4 */ compat_int_t timeout; /* 36 4 */ compat_caddr_t reserved[1]; /* 40 4 */ /* size: 44, cachelines: 1, members: 10 */ /* last cacheline: 44 bytes */ }; $ _ Thank you, Peilin Ye
