KMSAN Trophies

Alexander Potapenko edited this page May 14, 2019 · 24 revisions

Trophies

Bugs reported manually:

  1. tmp.b_page uninitialized in generic_block_bmap()
  2. strlen() called on non-terminated string in bind() for AF_PACKET
  3. too short socket address passed to selinux_socket_bind()
     • Status: reported upstream
  4. uninitialized msg.msg_flags in recvfrom syscall
  5. incorrect input length validation in nl_fib_input()
  6. uninitialized sockc.tsflags in udpv6_sendmsg()
  7. incorrect input length validation in packet_getsockopt()
  8. incorrect input length validation in raw_send_hdrinc() and rawv6_send_hdrinc()
  9. missing check of nlmsg_parse() return value in rtnl_fdb_dump()
  10. Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer (CVE-2017-1000380)
      • Status: fixed upstream (1, 2)
  11. strlen() incorrectly called on user-supplied memory in dev_set_alias()
  12. waitid() copies uninitialized data to userspace (CVE-2017-14954)
  13. local infoleak via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0 (CVE-2017-14991)
  14. Uninitialized TCP request hash used in cookie_v[46]_check()
  15. _sctp_walk_params() and _sctp_walk_errors() dereference uninitialized pointers
  16. sctp_v6_to_addr() compared addresses to uninit data
  17. tun_get_user() accesses uninitialized data if skb->len is 0
  18. sctp_inet6_skb_msgname() leaks 4 bytes to userspace
  19. Use of uninitialized memory in inet_ehash_insert()
  20. Buffer overflow in verify_address_len()
  21. Insufficient validation of user-provided tunnel names in vti6_tnl_create()
  22. Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)

Confirmed bug reports by others:

  1. deprecated_sysctl_warning() reads uninit memory
  2. struct sockaddr length not checked in llcp_sock_connect()
  3. uninitialized default host->id in nvmf_host_default()

Bugs reported by syzbot:

  1. KMSAN: uninit-value in pppoe_connect (fix by Guillaume Nault)
  2. KMSAN: uninit-value in pppol2tp_connect (fix by Guillaume Nault)
  3. KMSAN: uninit-value in fib6_new_table (fix by Eric Dumazet)
  4. KMSAN: uninit-value in packet_set_ring
  5. KMSAN: uninit-value in netif_skb_features
  6. KMSAN: uninit-value in neigh_dump_info (fix by Eric Dumazet)
  7. KMSAN: uninit-value in tcp_parse_options (fix by Eric Dumazet)
  8. KMSAN: uninit-value in inet_getpeer (fix by Eric Dumazet)
  9. KMSAN: uninit-value in sctp_sendmsg (fix by Eric Dumazet)
  10. KMSAN: uninit-value in sctp_do_bind (fix by Eric Dumazet)
  11. KMSAN: uninit-value in tipc_node_get_mtu
  12. KMSAN: uninit-value in __skb_try_recv_from_queue (fix by Eric Dumazet)
  13. KMSAN: uninit-value in inet6_rtm_delroute (fix by Eric Dumazet)
  14. KMSAN: uninit-value in memcmp (fix by Eric Dumazet)
  15. KMSAN: uninit-value in inet_csk_bind_conflict (fix by Eric Dumazet)
  16. KMSAN: uninit-value in move_addr_to_user (fix by Eric Dumazet)
  17. KMSAN: uninit-value in ip_route_output_key_hash_rcu (fix by Eric Dumazet)
  18. KMSAN: uninit-value in fib_create_info (fix by Eric Dumazet)
  19. KMSAN: uninit-value in alg_bind (fix by Eric Dumazet)
  20. KMSAN: uninit-value in netlink_sendmsg (fix by Eric Dumazet)
  21. KMSAN: uninit-value in iptable_mangle_hook (fix by Eric Dumazet)
  22. KMSAN: uninit-value in ip6table_mangle_hook (fix by Eric Dumazet)
  23. KMSAN: uninit-value in put_cmsg (fix by Eric Dumazet)
  24. KMSAN: uninit-value in rt6_multipath_hash (fix by Eric Dumazet)
  25. KMSAN: uninit-value in move_addr_to_user (fix by Eric Dumazet)
  26. KMSAN: uninit-value in strcmp
  27. KMSAN: uninit-value in __sctp_v6_cmp_addr
  28. KMSAN: uninit-value in ebt_stp_mt_check
  29. KMSAN: uninit-value in _copy_to_iter CVE-2018-1118
  30. KMSAN: uninit-value in ip_vs_lblcr_check_expire
  31. KMSAN: uninit-value in nfqnl_recv_config (fix by Eric Dumazet)
  32. KMSAN: uninit-value in ebt_stp_mt_check
  33. KMSAN: uninit-value in eth_mac_addr (fix by Eric Dumazet)
  34. KMSAN: uninit-value in rtnetlink_put_metrics (fix by Eric Dumazet)
  35. KMSAN: uninit-value in ip_vs_lblc_check_expire
  36. KMSAN: kernel-infoleak in vcs_read
  37. KMSAN: uninit-value in ip_tunnel_xmit
  38. KMSAN: uninit-value in br_nf_forward_arp
  39. KMSAN: uninit-value in af_alg_free_areq_sgls
  40. KMSAN: uninit-value in __nf_conntrack_find_get
  41. KMSAN: kernel-infoleak in put_cmsg
  42. KMSAN: uninit-value in gc_worker
  43. KMSAN: kernel-infoleak in _copy_to_iter (fix by Eric Dumazet)
  44. KMSAN: uninit-value in do_msgrcv
  45. KMSAN: uninit-value in snd_midi_event_encode_byte
  46. KMSAN: uninit-value in ip6_tnl_start_xmit
  47. KMSAN: uninit-value in pppoe_rcv
  48. KMSAN: kernel-infoleak in _copy_to_iter
  49. KMSAN: uninit-value in synaptics_detect
  50. KMSAN: uninit-value in dev_mc_add_excl
  51. KMSAN: uninit-value in dev_uc_add_excl
  52. KMSAN: uninit-value in ip_tunnel_lookup
  53. KMSAN: uninit-value in linear_transfer
  54. KMSAN: kernel-infoleak in kvm_write_guest_page
  55. KMSAN: kernel-infoleak in kvm_arch_vcpu_ioctl
  56. KMSAN: kernel-infoleak in _copy_to_iter (fix by Eric Dumazet)
  57. KMSAN: uninit-value in packet_sendmsg (fix by Willem de Bruijn)
  58. KMSAN: uninit-value in __inet6_bind (fix by Cong Wang)
  59. KMSAN: kernel-infoleak in sctp_getsockopt (fix by Xin Long)
  60. KMSAN: kernel-infoleak in capi_unlocked_ioctl (fix by Eric Dumazet)
  61. KMSAN: uninit-value in check_6rd (fix by Willem de Bruijn)
  62. KMSAN: uninit-value in vti6_tnl_xmit (fix by Willem de Bruijn)
  63. KMSAN: uninit-value in gue6_err (fix by Eric Dumazet)
  64. KMSAN: kernel-infoleak in sctp_getsockopt (2) (fix by Xin Long)
  65. KMSAN: uninit-value in tipc_conn_rcv_sub (fix by Ying Xue)
  66. KMSAN: uninit-value in gue_err (fix by Eric Dumazet)
  67. KMSAN: uninit-value in tipc_nl_compat_dumpit (fix by Ying Xue)
  68. KMSAN: kernel-infoleak in vmx_get_nested_state (fix by Tom Roeder)
  69. KMSAN: uninit-value in kvm_clear_dirty_log_protect (fix by Tomas Bortoli)
  70. KMSAN: uninit-value in tipc_nl_compat_link_reset_stats (fix by Ying Xue)
  71. KMSAN: kernel-infoleak in move_addr_to_user (fix by Eric Dumazet)
  72. KMSAN: uninit-value in tipc_nl_compat_bearer_enable (fix by Ying Xue)
  73. KMSAN: uninit-value in tipc_nl_compat_link_set (2) (fix by Ying Xue)
  74. KMSAN: uninit-value in tipc_nl_compat_name_table_dump (fix by Ying Xue)
  75. KMSAN: uninit-value in tipc_nl_compat_doit (fix by Ying Xue)
  76. KMSAN: kernel-infoleak in kvm_vcpu_write_guest_page (fix by Tom Roeder)
  77. KMSAN: uninit-value in tipc_subscrb_rcv_cb (fix by Ying Xue)
  78. KMSAN: uninit-value in batadv_interface_tx (fix by Eric Dumazet)
  79. KMSAN: uninit-value in mpol_rebind_mm (fix by Vlastimil Babka)
  80. KMSAN: kernel-infoleak in move_addr_to_user (2) (fix by Eric Dumazet)
  81. KMSAN: uninit-value in gue_err (2) (fix by Eric Dumazet)
  82. KMSAN: uninit-value in gue6_err (2) (fix by Eric Dumazet)
  83. KMSAN: kernel-infoleak in video_usercopy (fix by Hans Verkuil)
  84. KMSAN: uninit-value in mpol_rebind_mm (fix by Vlastimil Babka)
  85. KMSAN: uninit-value in tipc_nl_compat_bearer_enable (2) (fix by Xin Long)
  86. KMSAN: uninit-value in tipc_nl_compat_link_set (3) (fix by Xin Long)
  87. KMSAN: kernel-infoleak in sctp_getsockopt (3) (fix by Xin Long)
  88. KMSAN: uninit-value in tipc_nl_compat_name_table_dump (2) (fix by Xin Long)
  89. KMSAN: uninit-value in ip6_compressed_string (fix by Tetsuo Handa)

Last update: 14.05.2019