lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 25 Sep 2020 13:57:58 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Chao Yu <yuchao0@...wei.com>
Cc:     syzbot <syzbot+0eac6f0bbd558fd866d7@...kaller.appspotmail.com>,
        chao@...nel.org, glider@...gle.com, jaegeuk@...nel.org,
        linux-f2fs-devel@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [f2fs-dev] KMSAN: uninit-value in f2fs_lookup

On Fri, Sep 25, 2020 at 05:06:33PM +0800, Chao Yu wrote:
> Hi,
> 
> I don't see any problem here, thanks for your report. :)
>

I bet the uninitialize value is because "max_depth" is zero.


   352  struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir,
   353                                           const struct f2fs_filename *fname,
   354                                           struct page **res_page)
                                                               ^^^^^^^^
The stack trace says this isn't initialized.

   355  {
   356          unsigned long npages = dir_blocks(dir);
   357          struct f2fs_dir_entry *de = NULL;
   358          unsigned int max_depth;
   359          unsigned int level;
   360  
   361          if (f2fs_has_inline_dentry(dir)) {
   362                  *res_page = NULL;
   363                  de = f2fs_find_in_inline_dir(dir, fname, res_page);
   364                  goto out;
   365          }
   366  
   367          if (npages == 0) {
   368                  *res_page = NULL;
   369                  goto out;
   370          }
   371  
   372          max_depth = F2FS_I(dir)->i_current_depth;
   373          if (unlikely(max_depth > MAX_DIR_HASH_DEPTH)) {
   374                  f2fs_warn(F2FS_I_SB(dir), "Corrupted max_depth of %lu: %u",
   375                            dir->i_ino, max_depth);
   376                  max_depth = MAX_DIR_HASH_DEPTH;
   377                  f2fs_i_depth_write(dir, max_depth);
   378          }
   379  
   380          for (level = 0; level < max_depth; level++) {
                                ^^^^^^^^^^^^^^^^^
If "max_depth" is zero, then we never enter this loop.

   381                  *res_page = NULL;
   382                  de = find_in_level(dir, level, fname, res_page);
   383                  if (de || IS_ERR(*res_page))
   384                          break;
   385          }
   386  out:
   387          /* This is to increase the speed of f2fs_create */
   388          if (!de)
   389                  F2FS_I(dir)->task = current;
   390          return de;

Which means that we return a NULL "de" and "*res_page" is uninitialized
and that matches what syzbot found throug runtime testing.

   391  }

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ