• Lu Shuaibing's avatar
    ipc/msg.c: consolidate all xxxctl_down() functions · 078dd732
    Lu Shuaibing authored
    commit 889b3317 upstream.
    
    A use of uninitialized memory in msgctl_down() because msqid64 in
    ksys_msgctl hasn't been initialized.  The local | msqid64 | is created in
    ksys_msgctl() and then passed into msgctl_down().  Along the way msqid64
    is never initialized before msgctl_down() checks msqid64->msg_qbytes.
    
    KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
    reports:
    
    ==================================================================
    BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
    Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
    
    CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    Call Trace:
     dump_stack+0x75/0xae
     __kumsan_report+0x17c/0x3e6
     kumsan_report+0xe/0x20
     msgctl_down+0x94/0x300
     ksys_msgctl.constprop.14+0xef/0x260
     do_syscall_64+0x7e/0x1f0
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x4400e9
    Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
    RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
    RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
    R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
    R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
    
    The buggy address belongs to the page:
    page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
    flags: 0x100000000000000()
    raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
    raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: kumsan: bad access detected
    ==================================================================
    
    Syzkaller reproducer:
    msgctl$IPC_RMID(0x0, 0x0)
    
    C reproducer:
    // autogenerated by syzkaller (https://github.com/google/syzkaller)
    
    int main(void)
    {
      syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
      syscall(__NR_msgctl, 0, 0, 0);
      return 0;
    }
    
    [natechancellor@gmail.com: adjust indentation in ksys_msgctl]
      Link: https://github.com/ClangBuiltLinux/linux/issues/829
      Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
    Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.comSigned-off-by: default avatarLu Shuaibing <shuaibinglu@126.com>
    Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
    Suggested-by: default avatarArnd Bergmann <arnd@arndb.de>
    Cc: Davidlohr Bueso <dave@stgolabs.net>
    Cc: Manfred Spraul <manfred@colorfullife.com>
    Cc: NeilBrown <neilb@suse.com>
    From: Andrew Morton <akpm@linux-foundation.org>
    Subject: ipc/msg.c: consolidate all xxxctl_down() functions
    
    Each line here overflows 80 cols by exactly one character.  Delete one tab
    per line to fix.
    
    Cc: Shaohua Li <shli@fb.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    078dd732
msg.c 30 KB