| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 May 2017 10:58:45 -0700
From: Kees Cook <keescook@...omium.org>
To: Alexander Potapenko <glider@...gle.com>,
Dmitriy Vyukov <dvyukov@...gle.com>, "Ted Ts'o" <tytso@....edu>
Cc: Kostya Serebryany <kcc@...gle.com>,
Al Viro <viro@...iv.linux.org.uk>,
LKML <linux-kernel@...r.kernel.org>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
Ext4 Developers List <linux-ext4@...r.kernel.org>
Subject: Re: [PATCH] fs: Initialize tmp.b_page in generic_block_bmap()
On Tue, Mar 28, 2017 at 9:28 AM, Alexander Potapenko <glider@...gle.com> wrote:
> On Wed, Jan 18, 2017 at 5:32 PM, Theodore Ts'o <tytso@....edu> wrote:
>> On Thu, Dec 22, 2016 at 01:30:15PM +0100, Alexander Potapenko wrote:
>>> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
>>> uninitialized memory in ext4_update_bh_state():
>>>
>>> ==================================================================
>>> BUG: KMSAN: use of unitialized memory
>>> CPU: 3 PID: 1 Comm: swapper/0 Tainted: G B 4.8.0-rc6+ #597
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
>>> 01/01/2011
>>> 0000000000000282 ffff88003cc96f68 ffffffff81f30856 0000003000000008
>>> ffff88003cc96f78 0000000000000096 ffffffff8169742a ffff88003cc96ff8
>>> ffffffff812fc1fc 0000000000000008 ffff88003a1980e8 0000000100000000
>>> Call Trace:
>>> [< inline >] __dump_stack lib/dump_stack.c:15
>>> [<ffffffff81f30856>] dump_stack+0xa6/0xc0 lib/dump_stack.c:51
>>> [<ffffffff812fc1fc>] kmsan_report+0x1ec/0x300 mm/kmsan/kmsan.c:?
>>> [<ffffffff812fc33b>] __msan_warning+0x2b/0x40 ??:?
>>> [< inline >] ext4_update_bh_state fs/ext4/inode.c:727
>>> [<ffffffff8169742a>] _ext4_get_block+0x6ca/0x8a0 fs/ext4/inode.c:759
>>> [<ffffffff81696d4c>] ext4_get_block+0x8c/0xa0 fs/ext4/inode.c:769
>>> [<ffffffff814a2d36>] generic_block_bmap+0x246/0x2b0 fs/buffer.c:2991
>>> [<ffffffff816ca30e>] ext4_bmap+0x5ee/0x660 fs/ext4/inode.c:3177
>>> ...
>>> origin description: ----tmp@...eric_block_bmap
>>> ==================================================================
>>>
>>> (the line numbers are relative to 4.8-rc6, but the bug persists
>>> upstream)
>>>
>>> The local |tmp| is created in generic_block_bmap() and then passed into
>>> ext4_bmap() => ext4_get_block() => _ext4_get_block() =>
>>> ext4_update_bh_state(). Along the way tmp.b_page is never initialized
>>> before ext4_update_bh_state() checks its value.
>>>
>>> Signed-off-by: Alexander Potapenko <glider@...gle.com>
>>
>> This is a one-line fix to fs/buffer.c; but I've investigated, and
>> since it only affects ext4, and no one else has responded, I'll take
>> the change through the ext4 git tree.
>>
>> Thanks!!
>>
>> - Ted
>
> Hi Ted,
>
> any updates on this patch?
> Looks like it hasn't been landed yet.
I think the following would be better (pardon any whitespace damage
via gmail...):
diff --git a/fs/buffer.c b/fs/buffer.c
index 161be58c5cb0..20292b858b61 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -3021,11 +3021,11 @@ EXPORT_SYMBOL(block_write_full_page);
sector_t generic_block_bmap(struct address_space *mapping, sector_t block,
get_block_t *get_block)
{
- struct buffer_head tmp;
struct inode *inode = mapping->host;
- tmp.b_state = 0;
- tmp.b_blocknr = 0;
- tmp.b_size = i_blocksize(inode);
+ struct buffer_head tmp = {
+ .b_size = i_blocksize(inode);
+ };
+
get_block(inode, block, &tmp, 0);
return tmp.b_blocknr;
}
This will keep all unspecified fields zero-initialized. (i.e. a more
robust fix than just a single zero-initialization being added)
-Kees
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists