Skip to content

KMSAN Trophies

Jump to bottom
Alexander Potapenko edited this page May 9, 2018 · 24 revisions

Trophies

  1. tmp.b_page uninitialized in generic_block_bmap()

  2. strlen() called on non-terminated string in bind() for AF_PACKET

  3. too short socket address passed to selinux_socket_bind()

    • Status: reported upstream

  4. uninitialized msg.msg_flags in recvfrom syscall

  5. incorrect input length validation in nl_fib_input()

  6. uninitialized sockc.tsflags in udpv6_sendmsg()

  7. incorrect input length validation in packet_getsockopt()

  8. incorrect input length validation in raw_send_hdrinc() and rawv6_send_hdrinc()

  9. missing check of nlmsg_parse() return value in rtnl_fdb_dump()

  10. Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer (CVE-2017-1000380)

    • Status: fixed upstream (1, 2)

  11. strlen() incorrectly called on user-supplied memory in dev_set_alias()

  12. waitid() copies uninitialized data to userspace (CVE-2017-14954)

  13. local infoleak via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0 (CVE-2017-14991)

  14. Uninitialized TCP request hash used in cookie_v[46]_check()

  15. _sctp_walk_params() and _sctp_walk_errors() dereference uninitialized pointers

  16. sctp_v6_to_addr() compared addresses to uninit data

  17. tun_get_user() accesses uninitialized data if skb->len is 0

  18. sctp_inet6_skb_msgname() leaks 4 bytes to the userspace

  19. Use of uninitialized memory in inet_ehash_insert()

  20. Buffer overflow in verify_address_len()

    • Status: [fixed upstream (https://github.com/torvalds/linux/commit/06b335cb51af018d5feeff5dd4fd53847ddb675a) by Eric Biggers

  21. Insufficient validation of user provided tunnel names in vti6_tnl_create()

Confirmed bug reports by others:

  1. deprecated_sysctl_warning() reads uninit memory
  2. struct sockaddr length not checked in llcp_sock_connect()
  3. uninitialized default host->id in nvmf_host_default()
Clone this wiki locally