lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <27500993-7fbd-bbe7-1d6e-83e0e12b4a3e@kernel.org>
Date:   Fri, 25 Sep 2020 23:01:55 +0800
From:   Chao Yu <chao@...nel.org>
To:     Dan Carpenter <dan.carpenter@...cle.com>,
        Chao Yu <yuchao0@...wei.com>
Cc:     syzbot <syzbot+0eac6f0bbd558fd866d7@...kaller.appspotmail.com>,
        glider@...gle.com, jaegeuk@...nel.org,
        linux-f2fs-devel@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [f2fs-dev] KMSAN: uninit-value in f2fs_lookup

Hi Dan,

On 2020-9-25 18:57, Dan Carpenter wrote:
> On Fri, Sep 25, 2020 at 05:06:33PM +0800, Chao Yu wrote:
>> Hi,
>>
>> I don't see any problem here, thanks for your report. :)
>>
>
> I bet the uninitialize value is because "max_depth" is zero.

I agree with you, thanks for the hint. :)

Thanks,

>
>
>    352  struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir,
>    353                                           const struct f2fs_filename *fname,
>    354                                           struct page **res_page)
>                                                                ^^^^^^^^
> The stack trace says this isn't initialized.
>
>    355  {
>    356          unsigned long npages = dir_blocks(dir);
>    357          struct f2fs_dir_entry *de = NULL;
>    358          unsigned int max_depth;
>    359          unsigned int level;
>    360
>    361          if (f2fs_has_inline_dentry(dir)) {
>    362                  *res_page = NULL;
>    363                  de = f2fs_find_in_inline_dir(dir, fname, res_page);
>    364                  goto out;
>    365          }
>    366
>    367          if (npages == 0) {
>    368                  *res_page = NULL;
>    369                  goto out;
>    370          }
>    371
>    372          max_depth = F2FS_I(dir)->i_current_depth;
>    373          if (unlikely(max_depth > MAX_DIR_HASH_DEPTH)) {
>    374                  f2fs_warn(F2FS_I_SB(dir), "Corrupted max_depth of %lu: %u",
>    375                            dir->i_ino, max_depth);
>    376                  max_depth = MAX_DIR_HASH_DEPTH;
>    377                  f2fs_i_depth_write(dir, max_depth);
>    378          }
>    379
>    380          for (level = 0; level < max_depth; level++) {
>                                 ^^^^^^^^^^^^^^^^^
> If "max_depth" is zero, then we never enter this loop.
>
>    381                  *res_page = NULL;
>    382                  de = find_in_level(dir, level, fname, res_page);
>    383                  if (de || IS_ERR(*res_page))
>    384                          break;
>    385          }
>    386  out:
>    387          /* This is to increase the speed of f2fs_create */
>    388          if (!de)
>    389                  F2FS_I(dir)->task = current;
>    390          return de;
>
> Which means that we return a NULL "de" and "*res_page" is uninitialized
> and that matches what syzbot found throug runtime testing.
>
>    391  }
>
> regards,
> dan carpenter
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ