KMSAN Trophies

Jump to bottom

Alexander Potapenko edited this page Jan 16, 2020 · 24 revisions

Trophies

Bugs reported manually:

tmp.b_page uninitialized in generic_block_bmap()
- Writeup: https://github.com/google/kmsan/blob/master/kmsan-first-bug-writeup.txt
- Status: fixed upstream
strlen() called on non-terminated string in bind() for AF_PACKET
- Status: fixed upstream
too short socket address passed to selinux_socket_bind()
- Status: fixed upstream
uninitialized msg.msg_flags in recvfrom syscall
- Status: fixed upstream
incorrect input length validation in nl_fib_input()
- Status: fixed upstream by Eric Dumazet
uninitialized sockc.tsflags in udpv6_sendmsg()
- Status: fixed upstream
incorrect input length validation in packet_getsockopt()
- Status: fixed upstream
incorrect input length validation in raw_send_hdrinc() and rawv6_send_hdrinc()
- Status: fixed upstream
missing check of nlmsg_parse() return value in rtnl_fdb_dump()
- Status: fixed upstream
Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer (CVE-2017-1000380)
- Status: fixed upstream (1, 2)
strlen() incorrectly called on user-supplied memory in dev_set_alias()
- Status: fixed upstream
waitid() copies uninitialized data to userspace (CVE-2017-14954)
- Status: fixed upstream by Al Viro
local infoleak via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0 (CVE-2017-14991)
- Status: fixed upstream
Uninitialized TCP request hash used in cookie_v[46]_check()
- Status: fixed upstream
_sctp_walk_params() and _sctp_walk_errors() dereference uninitialized pointers
- Status: fixed upstream
sctp_v6_to_addr() compared addresses to uninit data
- Status: fixed upstream
tun_get_user() accesses uninitialized data if skb->len is 0
- Status: fixed upstream
sctp_inet6_skb_msgname() leaks 4 bytes to the userspace
- Status: fixed upstream by Eric W. Biederman
Use of uninitialized memory in inet_ehash_insert()
- Status: fixed upstream by Eric Dumazet
Buffer overflow in verify_address_len()
- Status: fixed upstream by Eric Biggers
Insufficient validation of user provided tunnel names in vti6_tnl_create() (syzbot)
- Status: fixed upstream by Eric Dumazet
Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)
- Status: patch in flight

Confirmed bug reports by others:

Bugs reported by syzbot (see also https://syzkaller.appspot.com/upstream/fixed?manager=ci-upstream-kmsan-gce)

KMSAN: uninit-value in inet_csk_bind_conflict (fix by Eric Dumazet)
KMSAN: uninit-value in packet_set_ring (fix by Eric Dumazet)
KMSAN: uninit-value in neigh_dump_info (fix by Eric Dumazet)
KMSAN: uninit-value in iptable_mangle_hook (fix by Eric Dumazet)
KMSAN: uninit-value in pppoe_connect (fix by Guillaume Nault)
KMSAN: uninit-value in __skb_try_recv_from_queue (fix by Eric Dumazet)
KMSAN: uninit-value in memcmp (fix by Eric Dumazet) (duplicate)
KMSAN: uninit-value in fib_create_info (fix by Eric Dumazet)
KMSAN: uninit-value in netlink_sendmsg (fix by Eric Dumazet)
KMSAN: uninit-value in inet6_rtm_delroute (fix by Eric Dumazet)
KMSAN: uninit-value in fib6_new_table (fix by Eric Dumazet)
KMSAN: uninit-value in ip_route_output_key_hash_rcu (fix by Eric Dumazet)
KMSAN: uninit-value in sctp_sendmsg (fix by Eric Dumazet)
KMSAN: uninit-value in tcp_parse_options (fix by Eric Dumazet)
KMSAN: uninit-value in tipc_node_get_mtu (fix by Jon Maloy)
KMSAN: uninit-value in netif_skb_features (fix by Toshiaki Makita)
KMSAN: uninit-value in move_addr_to_user (fix by Eric Dumazet)
KMSAN: uninit-value in sctp_do_bind (fix by Eric Dumazet)
KMSAN: uninit-value in ip6table_mangle_hook (fix by Eric Dumazet)
KMSAN: uninit-value in pppol2tp_connect (fix by Guillaume Nault)
KMSAN: uninit-value in alg_bind (fix by Eric Dumazet)
KMSAN: uninit-value in inet_getpeer (fix by Eric Dumazet)
KMSAN: uninit-value in put_cmsg (fix by Eric Dumazet)
KMSAN: uninit-value in rt6_multipath_hash (fix by Eric Dumazet)
KMSAN: uninit-value in __sctp_v6_cmp_addr (fix by Xin Long)
KMSAN: uninit-value in move_addr_to_user (fix by Eric Dumazet)
KMSAN: uninit-value in strcmp (fix by Ying Xue)
KMSAN: uninit-value in ebt_stp_mt_check (fix by Stephen Hemminger)
KMSAN: uninit-value in ip_vs_lblc_check_expire (fix by Cong Wang)
KMSAN: uninit-value in rtnetlink_put_metrics (fix by Eric Dumazet)
KMSAN: uninit-value in eth_mac_addr (fix by Eric Dumazet)
KMSAN: uninit-value in ebt_stp_mt_check (fix by Florian Westphal)
KMSAN: uninit-value in nfqnl_recv_config (fix by Eric Dumazet)
KMSAN: uninit-value in ip_vs_lblcr_check_expire (fix by Cong Wang)
KMSAN: uninit-value in _copy_to_iter CVE-2018-1118 (fix by Kevin Easton)
KMSAN: kernel-infoleak in vcs_read (fix by Alexander Potapenko)
KMSAN: uninit-value in br_nf_forward_arp (fix by Willem de Bruijn)
KMSAN: uninit-value in ip_tunnel_xmit (fix by Willem de Bruijn)
KMSAN: uninit-value in af_alg_free_areq_sgls (fix by Stephan Mueller)
KMSAN: kernel-infoleak in _copy_to_iter (fix by Eric Dumazet) (duplicate)
KMSAN: uninit-value in gc_worker (fix by Florian Westphal)
KMSAN: kernel-infoleak in put_cmsg (fix by Willem de Bruijn)
KMSAN: uninit-value in __nf_conntrack_find_get (fix by Florian Westphal)
KMSAN: uninit-value in do_msgrcv (fix by Manfred Spraul)
KMSAN: uninit-value in snd_midi_event_encode_byte (fix by Takashi Iwai)
KMSAN: uninit-value in pppoe_rcv (fix by Guillaume Nault)
KMSAN: uninit-value in ip6_tnl_start_xmit (fix by Paolo Abeni)
KMSAN: kernel-infoleak in _copy_to_iter (fix by Jon Maloy)
KMSAN: uninit-value in vcs_read (fix by Alexander Potapenko)
KMSAN: uninit-value in ip_tunnel_lookup (fix by Jiri Benc)
KMSAN: uninit-value in dev_uc_add_excl (fix by Ido Schimmel)
KMSAN: uninit-value in dev_mc_add_excl (fix by Ido Schimmel)
KMSAN: uninit-value in synaptics_detect (fix by Dmitry Torokhov)
KMSAN: kernel-infoleak in kvm_arch_vcpu_ioctl (fix by Liran Alon)
KMSAN: kernel-infoleak in kvm_write_guest_page (fix by Liran Alon)
KMSAN: uninit-value in linear_transfer (fix by Takashi Iwai)
KMSAN: kernel-infoleak in _copy_to_iter (fix by Eric Dumazet)
KMSAN: uninit-value in packet_sendmsg (fix by Willem de Bruijn)
KMSAN: uninit-value in __inet6_bind (fix by Cong Wang)
KMSAN: kernel-infoleak in sctp_getsockopt (fix by Xin Long)
KMSAN: kernel-infoleak in capi_unlocked_ioctl (fix by Eric Dumazet)
KMSAN: uninit-value in check_6rd (fix by Willem de Bruijn)
KMSAN: uninit-value in vti6_tnl_xmit (fix by Willem de Bruijn)
KMSAN: uninit-value in gue6_err (fix by Eric Dumazet)
KMSAN: kernel-infoleak in sctp_getsockopt (2) (fix by Xin Long)
KMSAN: uninit-value in tipc_conn_rcv_sub (fix by Ying Xue)
KMSAN: uninit-value in gue_err (fix by Eric Dumazet)
KMSAN: uninit-value in tipc_nl_compat_dumpit (fix by Ying Xue)
KMSAN: kernel-infoleak in vmx_get_nested_state (fix by Tom Roeder)
KMSAN: uninit-value in kvm_clear_dirty_log_protect (fix by Tomas Bortoli)
KMSAN: uninit-value in tipc_nl_compat_link_reset_stats (fix by Ying Xue)
KMSAN: kernel-infoleak in move_addr_to_user (fix by Eric Dumazet)
KMSAN: uninit-value in tipc_nl_compat_bearer_enable (fix by Ying Xue)
KMSAN: uninit-value in tipc_nl_compat_link_set (2) (fix by Ying Xue)
KMSAN: uninit-value in tipc_nl_compat_name_table_dump (fix by Ying Xue)
KMSAN: uninit-value in tipc_nl_compat_doit (fix by Ying Xue)
KMSAN: kernel-infoleak in kvm_vcpu_write_guest_page (fix by Tom Roeder)
KMSAN: uninit-value in tipc_subscrb_rcv_cb (fix by Ying Xue)
KMSAN: uninit-value in batadv_interface_tx (fix by Eric Dumazet)
KMSAN: uninit-value in mpol_rebind_mm (fix by Vlastimil Babka)
KMSAN: kernel-infoleak in move_addr_to_user (2) (fix by Eric Dumazet)
KMSAN: uninit-value in gue_err (2) (fix by Eric Dumazet)
KMSAN: uninit-value in gue6_err (2) (fix by Eric Dumazet)
KMSAN: kernel-infoleak in video_usercopy (fix by Hans Verkuil)
KMSAN: uninit-value in mpol_rebind_mm (fix by Vlastimil Babka)
KMSAN: uninit-value in tipc_nl_compat_bearer_enable (2) (fix by Xin Long)
KMSAN: uninit-value in tipc_nl_compat_link_set (3) (fix by Xin Long)
KMSAN: kernel-infoleak in sctp_getsockopt (3) (fix by Xin Long)
KMSAN: uninit-value in tipc_nl_compat_name_table_dump (2) (fix by Xin Long)
KMSAN: uninit-value in ip6_compressed_string (fix by Tetsuo Handa)
KMSAN: uninit-value in tomoyo_check_unix_address (fix by Tetsuo Handa)
KMSAN: uninit-value in rtnl_stats_get (fix by Eric Dumazet)
KMSAN: uninit-value in rds_bind (fix by Tetsuo Handa)
KMSAN: uninit-value in tomoyo_check_inet_address (fix by Tetsuo Handa)
KMSAN: uninit-value in rtnl_stats_dump (fix by Eric Dumazet)
KMSAN: uninit-value in rds_connect (fix by Tetsuo Handa)
KMSAN: uninit-value in br_mdb_ip_get (fix by Nikolay Aleksandrov)
KMSAN: uninit-value in aa_fqlookupn_profile (fix by Zubin Mithra)
KMSAN: kernel-infoleak in copy_siginfo_to_user (2) (fix by Eric W. Biederman)
KMSAN: uninit-value in tcp_create_openreq_child (fix by Eric Dumazet)
KMSAN: uninit-value in tipc_nl_compat_bearer_disable (fix by Xin Long)
KMSAN: uninit-value in bond_start_xmit (2) (fix by Cong Wang)
KMSAN: uninit-value in ax88772_bind (fix by Phong Tran)
KMSAN: uninit-value in read_eprom_word (fix by Denis Kirjanov)
KMSAN: kernel-usb-infoleak in pcan_usb_pro_init (fix by Tomas Bortoli)
KMSAN: kernel-usb-infoleak in pcan_usb_pro_send_req (fix by Tomas Bortoli)
KMSAN: uninit-value in rtm_dump_nexthop (fix by David Ahern)
KMSAN: uninit-value in batadv_netlink_dump_hardif (fix by Eric Dumazet)
KMSAN: uninit-value in rtm_new_nexthop (fix by David Ahern)
KMSAN: uninit-value in batadv_iv_send_outstanding_bat_ogm_packet (fix by Sven Eckelmann)
KMSAN: uninit-value in capi_write (fix by Eric Biggers)
KMSAN: uninit-value in sd_init (fix by Hans Verkuil)
KMSAN: uninit-value in __request_module (fix by Cong Wang)
KMSAN: uninit-value in i2c_w (fix by Hans Verkuil)
KMSAN: uninit-value in inet_ehash_insert (fix by Eric Dumazet)
KMSAN: kernel-usb-infoleak in ttusb_dec_send_command (fix by Tomas Bortoli)
KMSAN: uninit-value in read_sensor_register (fix by Hans Verkuil)
KMSAN: uninit-value in iowarrior_disconnect (fix by Johan Hovold)
KMSAN: uninit-value in mts_usb_probe (fix by Johan Hovold)
KMSAN: uninit-value in sr9800_bind (fix by Valentin Vidic)
KMSAN: uninit-value in lg4ff_set_autocenter_default (fix by Alan Stern)
KMSAN: use-after-free in rxrpc_put_peer (fix by David Howells)
KMSAN: use-after-free in hidraw_ioctl (fix by Alan Stern)
KMSAN: use-after-free in __pm_runtime_resume
KMSAN: use-after-free in usb_autopm_put_interface (fix by Johan Hovold)
KMSAN: use-after-free in iowarrior_disconnect (fix by Johan Hovold)
KMSAN: use-after-free in mutex_spin_on_owner (fix by Johan Hovold)
KMSAN: use-after-free in adu_disconnect (fix by Johan Hovold)
KMSAN: kernel-usb-infoleak in pcan_usb_wait_rsp (fix by Johan Hovold)
KMSAN: uninit-value in cdc_ncm_set_dgram_size (fix by Oliver Neukum)
KMSAN: uninit-value in get_min_max_with_quirks (fix by Takashi Iwai)
KMSAN: use-after-free in build_audio_procunit (fix by Takashi Iwai)
KMSAN: uninit-value in aesti_encrypt (fix by Jakub Kicinski)
KMSAN: uninit-value in gf128mul_4k_lle (3) (fix by Jakub Kicinski)
KMSAN: uninit-value in ax88172a_bind (fix by Oliver Neukum)
KMSAN: use-after-free in copyout (fix by Tomas Bortoli)
KMSAN: use-after-free in skb_dequeue (fix by Tomas Bortoli)
KMSAN: use-after-free in __netif_receive_skb_core (fix by Tomas Bortoli)
KMSAN: use-after-free in sk_forced_mem_schedule (fix by Tomas Bortoli)
KMSAN: use-after-free in __skb_try_recv_from_queue (fix by Tomas Bortoli)
KMSAN: use-after-free in kfree_skb (fix by Tomas Bortoli)
KMSAN: use-after-free in netlink_recvmsg (fix by Tomas Bortoli)
KMSAN: uninit-value in nf_conntrack_tcp_packet (fix by Eric Dumazet)
KMSAN: uninit-value in usbnet_probe (fix by Phong Tran)
KMSAN: uninit-value in __request_module (2) (fix by Eric Dumazet)

Last update: 16.01.2020