-
Notifications
You must be signed in to change notification settings - Fork 62
KMSAN Trophies
-
tmp.b_page
uninitialized ingeneric_block_bmap()
-
strlen()
called on non-terminated string inbind()
forAF_PACKET
- Status: fixed upstream
-
too short socket address passed to
selinux_socket_bind()
- Status: fixed upstream
-
uninitialized
msg.msg_flags
inrecvfrom
syscall- Status: fixed upstream
- incorrect input length validation in
nl_fib_input()
- Status: fixed upstream by Eric Dumazet
-
uninitialized
sockc.tsflags
inudpv6_sendmsg()
- Status: fixed upstream
-
incorrect input length validation in
packet_getsockopt()
- Status: fixed upstream
-
incorrect input length validation in
raw_send_hdrinc()
andrawv6_send_hdrinc()
- Status: fixed upstream
-
missing check of
nlmsg_parse()
return value inrtnl_fdb_dump()
- Status: fixed upstream
- Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer (CVE-2017-1000380)
-
strlen()
incorrectly called on user-supplied memory indev_set_alias()
- Status: fixed upstream
-
waitid()
copies uninitialized data to userspace (CVE-2017-14954)- Status: fixed upstream by Al Viro
-
local infoleak via an
SG_GET_REQUEST_TABLE
ioctl call for/dev/sg0
(CVE-2017-14991)- Status: fixed upstream
- Uninitialized TCP request hash used in
cookie_v[46]_check()
- Status: fixed upstream
-
_sctp_walk_params() and _sctp_walk_errors() dereference uninitialized pointers
- Status: fixed upstream
-
sctp_v6_to_addr()
compared addresses to uninit data- Status: fixed upstream
-
tun_get_user()
accesses uninitialized data ifskb->len
is0
- Status: fixed upstream
-
sctp_inet6_skb_msgname()
leaks 4 bytes to the userspace- Status: fixed upstream by Eric W. Biederman
- Use of uninitialized memory in
inet_ehash_insert()
- Status: fixed upstream by Eric Dumazet
- Buffer overflow in
verify_address_len()
- Status: fixed upstream by Eric Biggers
- Insufficient validation of user provided tunnel names in
vti6_tnl_create()
(syzbot)- Status: fixed upstream by Eric Dumazet
- Information disclosure in
vhost/vhost.c:vhost_new_msg()
(CVE-2018-1118)- Status: patch in flight
deprecated_sysctl_warning()
reads uninit memorystruct sockaddr
length not checked inllcp_sock_connect()
- uninitialized default host->id in
nvmf_host_default()
Bugs reported by syzbot (see also https://syzkaller.appspot.com/upstream/fixed?manager=ci-upstream-kmsan-gce)
-
KMSAN: uninit-value in inet_csk_bind_conflict
(fix by Eric Dumazet) -
KMSAN: uninit-value in packet_set_ring
(fix by Eric Dumazet) -
KMSAN: uninit-value in neigh_dump_info
(fix by Eric Dumazet) -
KMSAN: uninit-value in iptable_mangle_hook
(fix by Eric Dumazet) -
KMSAN: uninit-value in pppoe_connect
(fix by Guillaume Nault) -
KMSAN: uninit-value in __skb_try_recv_from_queue
(fix by Eric Dumazet) -
KMSAN: uninit-value in memcmp
(fix by Eric Dumazet) (duplicate) -
KMSAN: uninit-value in fib_create_info
(fix by Eric Dumazet) -
KMSAN: uninit-value in netlink_sendmsg
(fix by Eric Dumazet) -
KMSAN: uninit-value in inet6_rtm_delroute
(fix by Eric Dumazet) -
KMSAN: uninit-value in fib6_new_table
(fix by Eric Dumazet) -
KMSAN: uninit-value in ip_route_output_key_hash_rcu
(fix by Eric Dumazet) -
KMSAN: uninit-value in sctp_sendmsg
(fix by Eric Dumazet) -
KMSAN: uninit-value in tcp_parse_options
(fix by Eric Dumazet) -
KMSAN: uninit-value in tipc_node_get_mtu
(fix by Jon Maloy) -
KMSAN: uninit-value in netif_skb_features
(fix by Toshiaki Makita) -
KMSAN: uninit-value in move_addr_to_user
(fix by Eric Dumazet) -
KMSAN: uninit-value in sctp_do_bind
(fix by Eric Dumazet) -
KMSAN: uninit-value in ip6table_mangle_hook
(fix by Eric Dumazet) -
KMSAN: uninit-value in pppol2tp_connect
(fix by Guillaume Nault) -
KMSAN: uninit-value in alg_bind
(fix by Eric Dumazet) -
KMSAN: uninit-value in inet_getpeer
(fix by Eric Dumazet) -
KMSAN: uninit-value in put_cmsg
(fix by Eric Dumazet) -
KMSAN: uninit-value in rt6_multipath_hash
(fix by Eric Dumazet) -
KMSAN: uninit-value in __sctp_v6_cmp_addr
(fix by Xin Long) -
KMSAN: uninit-value in move_addr_to_user
(fix by Eric Dumazet) -
KMSAN: uninit-value in strcmp
(fix by Ying Xue) -
KMSAN: uninit-value in ebt_stp_mt_check
(fix by Stephen Hemminger) -
KMSAN: uninit-value in ip_vs_lblc_check_expire
(fix by Cong Wang) -
KMSAN: uninit-value in rtnetlink_put_metrics
(fix by Eric Dumazet) -
KMSAN: uninit-value in eth_mac_addr
(fix by Eric Dumazet) -
KMSAN: uninit-value in ebt_stp_mt_check
(fix by Florian Westphal) -
KMSAN: uninit-value in nfqnl_recv_config
(fix by Eric Dumazet) -
KMSAN: uninit-value in ip_vs_lblcr_check_expire
(fix by Cong Wang) -
KMSAN: uninit-value in _copy_to_iter
CVE-2018-1118 (fix by Kevin Easton) -
KMSAN: kernel-infoleak in vcs_read
(fix by Alexander Potapenko) -
KMSAN: uninit-value in br_nf_forward_arp
(fix by Willem de Bruijn) -
KMSAN: uninit-value in ip_tunnel_xmit
(fix by Willem de Bruijn) -
KMSAN: uninit-value in af_alg_free_areq_sgls
(fix by Stephan Mueller) -
KMSAN: kernel-infoleak in _copy_to_iter
(fix by Eric Dumazet) (duplicate) -
KMSAN: uninit-value in gc_worker
(fix by Florian Westphal) -
KMSAN: kernel-infoleak in put_cmsg
(fix by Willem de Bruijn) -
KMSAN: uninit-value in __nf_conntrack_find_get
(fix by Florian Westphal) -
KMSAN: uninit-value in do_msgrcv
(fix by Manfred Spraul) -
KMSAN: uninit-value in snd_midi_event_encode_byte
(fix by Takashi Iwai) -
KMSAN: uninit-value in pppoe_rcv
(fix by Guillaume Nault) -
KMSAN: uninit-value in ip6_tnl_start_xmit
(fix by Paolo Abeni) -
KMSAN: kernel-infoleak in _copy_to_iter
(fix by Jon Maloy) -
KMSAN: uninit-value in vcs_read
(fix by Alexander Potapenko) -
KMSAN: uninit-value in ip_tunnel_lookup
(fix by Jiri Benc) -
KMSAN: uninit-value in dev_uc_add_excl
(fix by Ido Schimmel) -
KMSAN: uninit-value in dev_mc_add_excl
(fix by Ido Schimmel) -
KMSAN: uninit-value in synaptics_detect
(fix by Dmitry Torokhov) -
KMSAN: kernel-infoleak in kvm_arch_vcpu_ioctl
(fix by Liran Alon) -
KMSAN: kernel-infoleak in kvm_write_guest_page
(fix by Liran Alon) -
KMSAN: uninit-value in linear_transfer
(fix by Takashi Iwai) -
KMSAN: kernel-infoleak in _copy_to_iter
(fix by Eric Dumazet) -
KMSAN: uninit-value in packet_sendmsg
(fix by Willem de Bruijn) -
KMSAN: uninit-value in __inet6_bind
(fix by Cong Wang) -
KMSAN: kernel-infoleak in sctp_getsockopt
(fix by Xin Long) -
KMSAN: kernel-infoleak in capi_unlocked_ioctl
(fix by Eric Dumazet) -
KMSAN: uninit-value in check_6rd
(fix by Willem de Bruijn) -
KMSAN: uninit-value in vti6_tnl_xmit
(fix by Willem de Bruijn) -
KMSAN: uninit-value in gue6_err
(fix by Eric Dumazet) -
KMSAN: kernel-infoleak in sctp_getsockopt (2)
(fix by Xin Long) -
KMSAN: uninit-value in tipc_conn_rcv_sub
(fix by Ying Xue) -
KMSAN: uninit-value in gue_err
(fix by Eric Dumazet) -
KMSAN: uninit-value in tipc_nl_compat_dumpit
(fix by Ying Xue) -
KMSAN: kernel-infoleak in vmx_get_nested_state
(fix by Tom Roeder) -
KMSAN: uninit-value in kvm_clear_dirty_log_protect
(fix by Tomas Bortoli) -
KMSAN: uninit-value in tipc_nl_compat_link_reset_stats
(fix by Ying Xue) -
KMSAN: kernel-infoleak in move_addr_to_user
(fix by Eric Dumazet) -
KMSAN: uninit-value in tipc_nl_compat_bearer_enable
(fix by Ying Xue) -
KMSAN: uninit-value in tipc_nl_compat_link_set (2)
(fix by Ying Xue) -
KMSAN: uninit-value in tipc_nl_compat_name_table_dump
(fix by Ying Xue) -
KMSAN: uninit-value in tipc_nl_compat_doit
(fix by Ying Xue) -
KMSAN: kernel-infoleak in kvm_vcpu_write_guest_page
(fix by Tom Roeder) -
KMSAN: uninit-value in tipc_subscrb_rcv_cb
(fix by Ying Xue) -
KMSAN: uninit-value in batadv_interface_tx
(fix by Eric Dumazet) -
KMSAN: uninit-value in mpol_rebind_mm
(fix by Vlastimil Babka) -
KMSAN: kernel-infoleak in move_addr_to_user (2)
(fix by Eric Dumazet) -
KMSAN: uninit-value in gue_err (2)
(fix by Eric Dumazet) -
KMSAN: uninit-value in gue6_err (2)
(fix by Eric Dumazet) -
KMSAN: kernel-infoleak in video_usercopy
(fix by Hans Verkuil) -
KMSAN: uninit-value in mpol_rebind_mm
(fix by Vlastimil Babka) -
KMSAN: uninit-value in tipc_nl_compat_bearer_enable (2)
(fix by Xin Long) -
KMSAN: uninit-value in tipc_nl_compat_link_set (3)
(fix by Xin Long) -
KMSAN: kernel-infoleak in sctp_getsockopt (3)
(fix by Xin Long) -
KMSAN: uninit-value in tipc_nl_compat_name_table_dump (2)
(fix by Xin Long) -
KMSAN: uninit-value in ip6_compressed_string
(fix by Tetsuo Handa) -
KMSAN: uninit-value in tomoyo_check_unix_address
(fix by Tetsuo Handa) -
KMSAN: uninit-value in rtnl_stats_get
(fix by Eric Dumazet) -
KMSAN: uninit-value in rds_bind
(fix by Tetsuo Handa) -
KMSAN: uninit-value in tomoyo_check_inet_address
(fix by Tetsuo Handa) -
KMSAN: uninit-value in rtnl_stats_dump
(fix by Eric Dumazet) -
KMSAN: uninit-value in rds_connect
(fix by Tetsuo Handa) -
KMSAN: uninit-value in br_mdb_ip_get
(fix by Nikolay Aleksandrov) -
KMSAN: uninit-value in aa_fqlookupn_profile
(fix by Zubin Mithra) -
KMSAN: kernel-infoleak in copy_siginfo_to_user (2)
(fix by Eric W. Biederman) -
KMSAN: uninit-value in tcp_create_openreq_child
(fix by Eric Dumazet) -
KMSAN: uninit-value in tipc_nl_compat_bearer_disable
(fix by Xin Long) -
KMSAN: uninit-value in bond_start_xmit (2)
(fix by Cong Wang) -
KMSAN: uninit-value in ax88772_bind
(fix by Phong Tran) -
KMSAN: uninit-value in read_eprom_word
(fix by Denis Kirjanov) -
KMSAN: kernel-usb-infoleak in pcan_usb_pro_init
(fix by Tomas Bortoli) -
KMSAN: kernel-usb-infoleak in pcan_usb_pro_send_req
(fix by Tomas Bortoli) -
KMSAN: uninit-value in rtm_dump_nexthop
(fix by David Ahern) -
KMSAN: uninit-value in batadv_netlink_dump_hardif
(fix by Eric Dumazet) -
KMSAN: uninit-value in rtm_new_nexthop
(fix by David Ahern) -
KMSAN: uninit-value in batadv_iv_send_outstanding_bat_ogm_packet
(fix by Sven Eckelmann) -
KMSAN: uninit-value in capi_write
(fix by Eric Biggers) -
KMSAN: uninit-value in sd_init
(fix by Hans Verkuil) -
KMSAN: uninit-value in __request_module
(fix by Cong Wang) -
KMSAN: uninit-value in i2c_w
(fix by Hans Verkuil) -
KMSAN: uninit-value in inet_ehash_insert
(fix by Eric Dumazet) -
KMSAN: kernel-usb-infoleak in ttusb_dec_send_command
(fix by Tomas Bortoli) -
KMSAN: uninit-value in read_sensor_register
(fix by Hans Verkuil) -
KMSAN: uninit-value in iowarrior_disconnect
(fix by Johan Hovold) -
KMSAN: uninit-value in mts_usb_probe
(fix by Johan Hovold) -
KMSAN: uninit-value in sr9800_bind
(fix by Valentin Vidic) -
KMSAN: uninit-value in lg4ff_set_autocenter_default
(fix by Alan Stern) -
KMSAN: use-after-free in rxrpc_put_peer
(fix by David Howells) -
KMSAN: use-after-free in hidraw_ioctl
(fix by Alan Stern) -
KMSAN: use-after-free in usb_autopm_put_interface
(fix by Johan Hovold) -
KMSAN: use-after-free in iowarrior_disconnect
(fix by Johan Hovold) -
KMSAN: use-after-free in mutex_spin_on_owner
(fix by Johan Hovold) -
KMSAN: use-after-free in adu_disconnect
(fix by Johan Hovold) -
KMSAN: kernel-usb-infoleak in pcan_usb_wait_rsp
(fix by Johan Hovold) -
KMSAN: uninit-value in cdc_ncm_set_dgram_size
(fix by Oliver Neukum) -
KMSAN: uninit-value in get_min_max_with_quirks
(fix by Takashi Iwai) -
KMSAN: use-after-free in build_audio_procunit
(fix by Takashi Iwai) -
KMSAN: uninit-value in aesti_encrypt
(fix by Jakub Kicinski) -
KMSAN: uninit-value in gf128mul_4k_lle (3)
(fix by Jakub Kicinski) -
KMSAN: uninit-value in ax88172a_bind
(fix by Oliver Neukum) -
KMSAN: use-after-free in copyout
(fix by Tomas Bortoli) -
KMSAN: use-after-free in skb_dequeue
(fix by Tomas Bortoli) -
KMSAN: use-after-free in __netif_receive_skb_core
(fix by Tomas Bortoli) -
KMSAN: use-after-free in sk_forced_mem_schedule
(fix by Tomas Bortoli) -
KMSAN: use-after-free in __skb_try_recv_from_queue
(fix by Tomas Bortoli) -
KMSAN: use-after-free in kfree_skb
(fix by Tomas Bortoli) -
KMSAN: use-after-free in netlink_recvmsg
(fix by Tomas Bortoli) -
KMSAN: uninit-value in nf_conntrack_tcp_packet
(fix by Eric Dumazet) -
KMSAN: uninit-value in usbnet_probe
(fix by Phong Tran) -
KMSAN: uninit-value in __request_module (2)
(fix by Eric Dumazet)
Last update: 16.01.2020