    ipc/msg.c: consolidate all xxxctl_down() functions · 1ead3e85
    Lu Shuaibing authored
    There is a use of uninitialized memory in msgctl_down() because msqid64 in
    ksys_msgctl hasn't been initialized.  The local msqid64 is created in
    ksys_msgctl() and then passed into msgctl_down().  Along the way msqid64
    is never initialized before msgctl_down() checks msqid64->msg_qbytes.
    
    KUMSAN (KernelUninitializedMemorySanitizer, a new error detection tool)
    reports:
    
    ==================================================================
    BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
    Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
    
    CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    Call Trace:
     dump_stack+0x75/0xae
     __kumsan_report+0x17c/0x3e6
     kumsan_report+0xe/0x20
     msgctl_down+0x94/0x300
     ksys_msgctl.constprop.14+0xef/0x260
     do_syscall_64+0x7e/0x1f0
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x4400e9
    Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
    RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
    RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
    R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
    R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
    
    The buggy address belongs to the page:
    page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
    flags: 0x100000000000000()
    raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
    raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: kumsan: bad access detected
    ==================================================================
    
    Syzkaller reproducer:
    msgctl$IPC_RMID(0x0, 0x0)
    
    C reproducer:
    // autogenerated by syzkaller (https://github.com/google/syzkaller)

    #include <unistd.h>
    #include <sys/syscall.h>

    int main(void)
    {
      // syzkaller's standard scratch mapping: PROT_READ|PROT_WRITE (3),
      // MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED (0x32) at 0x20000000
      syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
      // msgctl(0, IPC_RMID, NULL): cmd 0 is IPC_RMID, so msqid64 is never
      // filled in before msgctl_down() reads msg_qbytes from it
      syscall(__NR_msgctl, 0, 0, 0);
      return 0;
    }
    
    Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
    Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
    Suggested-by: Arnd Bergmann <arnd@arndb.de>
    Cc: Davidlohr Bueso <dave@stgolabs.net>
    Cc: Manfred Spraul <manfred@colorfullife.com>
    Cc: NeilBrown <neilb@suse.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
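The pattern the commit message describes, as an added userspace model that is neither the kernel's code nor this commit's diff: a caller-allocated struct that only one command path fills in, read by the callee for every command, beside a shape in which the callee is handed an initialised value and checks it only where the check applies. All names are hypothetical stand-ins, and the stale value is constructed so the effect is reproducible rather than undefined.

```c
#include <stdint.h>

#define IPC_RMID 0
#define IPC_SET  1
#define EPERM    1
#define MSG_CTLMNB 16384ULL  /* hypothetical stand-in for ns->msg_ctlmnb */

/* Stand-in for struct msqid64_ds, reduced to the field the callee reads. */
struct model_msqid64 {
    uint64_t msg_qbytes;
};

/* Pre-fix shape: the callee reads msqid64->msg_qbytes for every cmd,
 * so for IPC_RMID it sees whatever the caller's stack slot held. */
static int ctl_down_before(int cmd, const struct model_msqid64 *msqid64)
{
    (void)cmd;
    if (msqid64->msg_qbytes > MSG_CTLMNB)
        return -EPERM;
    return 0;
}

/* Hardened shape: the caller passes one initialised value instead of a
 * partly filled struct, and the limit is only checked where it applies. */
static int ctl_down_after(int cmd, uint64_t msg_qbytes)
{
    if (cmd == IPC_SET && msg_qbytes > MSG_CTLMNB)
        return -EPERM;
    return 0;
}

/* Models ksys_msgctl(): only the IPC_SET path fills in the struct.
 * 'stale' stands in for the slot's previous contents, set explicitly
 * because a genuine uninitialised read is undefined behaviour. */
static int ksys_ctl_before(int cmd, uint64_t user_qbytes, uint64_t stale)
{
    struct model_msqid64 msqid64 = { .msg_qbytes = stale };
    if (cmd == IPC_SET)
        msqid64.msg_qbytes = user_qbytes;
    return ctl_down_before(cmd, &msqid64);
}

static int ksys_ctl_after(int cmd, uint64_t user_qbytes)
{
    uint64_t msg_qbytes = 0;   /* always initialised before use */
    if (cmd == IPC_SET)
        msg_qbytes = user_qbytes;
    return ctl_down_after(cmd, msg_qbytes);
}
```

In the model, an IPC_RMID request succeeds or fails depending on what the stack slot happened to hold, which is exactly the kind of outcome a sanitizer flags as an uninitialised read.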