Message-ID: <8ba465e6-f933-6224-ef74-c5aa898a1022@toxicpanda.com>
Date:   Mon, 14 Jun 2021 14:52:59 -0400
From:   Josef Bacik <josef@...icpanda.com>
To:     syzbot <syzbot+8aa9678d1cda7a0432b7@...kaller.appspotmail.com>,
        clm@...com, dsterba@...e.com, glider@...gle.com,
        linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] KMSAN: uninit-value in generic_bin_search (2)

On 6/14/21 1:41 AM, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    6099c9da x86: entry: speculatively unpoison pt_regs in do_..
> git tree:       https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=12c7a057d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4e6842a91012889c
> dashboard link: https://syzkaller.appspot.com/bug?extid=8aa9678d1cda7a0432b7
> compiler:       Debian clang version 11.0.1-2
> userspace arch: i386
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8aa9678d1cda7a0432b7@...kaller.appspotmail.com
> 
>   tracehook_notify_resume include/linux/tracehook.h:189 [inline]
>   exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
>   exit_to_user_mode_prepare+0x486/0x560 kernel/entry/common.c:208
>   __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
>   syscall_exit_to_user_mode+0x35/0x60 kernel/entry/common.c:301
>   __do_fast_syscall_32+0x14f/0x180 arch/x86/entry/common.c:145
>   do_fast_syscall_32+0x77/0xd0 arch/x86/entry/common.c:168
>   do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:211
>   entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> =====================================================
> =====================================================
> BUG: KMSAN: uninit-value in btrfs_comp_cpu_keys fs/btrfs/ctree.c:1556 [inline]
> BUG: KMSAN: uninit-value in comp_keys fs/btrfs/ctree.c:1528 [inline]
> BUG: KMSAN: uninit-value in generic_bin_search+0x799/0xbc0 fs/btrfs/ctree.c:1702
> CPU: 1 PID: 9364 Comm: syz-executor.2 Tainted: G    B             5.12.0-rc6-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:79 [inline]
>   dump_stack+0x24c/0x2e0 lib/dump_stack.c:120
>   kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
>   __msan_warning+0x5c/0xa0 mm/kmsan/kmsan_instr.c:197
>   btrfs_comp_cpu_keys fs/btrfs/ctree.c:1556 [inline]
>   comp_keys fs/btrfs/ctree.c:1528 [inline]
>   generic_bin_search+0x799/0xbc0 fs/btrfs/ctree.c:1702
>   btrfs_bin_search fs/btrfs/ctree.c:1724 [inline]

This appears to be a bug in KMSAN, the code is doing the correct thing and it 
appears to be complaining about tmp, which is initialized either in the if or 
else part.  The else part may be what's confusing KMSAN here as it's essentially

struct btrfs_disk_key *tmp;      /* pointer, set in the if branch or in the else below */
struct btrfs_disk_key unaligned;

else {
      memcpy(&unaligned, ptr, len); // read_extent_buffer is basically memcpy
      tmp = &unaligned;
}

Thanks,

Josef
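
The copy-then-point pattern in the reply above, as an added example that is not btrfs code and not part of the thread: a userland model of generic_bin_search() over keys packed into separate fixed-size pages. A key that fits inside one page is compared through a pointer straight into the page; one that straddles a page boundary is first memcpy'd into a local and compared through a pointer to that copy, which is the else branch the reply describes. The names disk_key, cpu_key, ebuf, read_ebuf, comp_keys, bin_search and demo_lookup, the 64-byte page size, the 17-byte key layout and the constructed sample keys are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SZ 64u   /* toy page size (assumption) */
#define NPAGES  4u
#define KEY_SZ  17u   /* 8-byte objectid + 1-byte type + 8-byte offset */
#define NKEYS   12u

struct disk_key {                 /* on-disk layout: byte arrays, alignment 1 */
    unsigned char objectid[8], type, offset[8];   /* objectid/offset little-endian */
};
struct cpu_key { uint64_t objectid; uint8_t type; uint64_t offset; };
struct ebuf { unsigned char *pages[NPAGES]; unsigned nritems; };  /* "extent buffer" */

static uint64_t get_le64(const unsigned char b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | b[i];
    return v;
}

static void put_le64(unsigned char b[8], uint64_t v)
{
    for (int i = 0; i < 8; i++, v >>= 8) b[i] = (unsigned char)v;
}

/* Gather len bytes at logical offset off, crossing page boundaries as needed. */
static void read_ebuf(const struct ebuf *eb, void *dst, unsigned off, unsigned len)
{
    unsigned char *d = dst;
    while (len) {
        unsigned in_pg = off % PAGE_SZ, n = PAGE_SZ - in_pg;
        if (n > len) n = len;
        memcpy(d, eb->pages[off / PAGE_SZ] + in_pg, n);
        d += n, off += n, len -= n;
    }
}

/* Order: objectid, then type, then offset. */
static int comp_keys(const struct disk_key *dk, const struct cpu_key *k)
{
    uint64_t o = get_le64(dk->objectid), f = get_le64(dk->offset);
    if (o != k->objectid) return o < k->objectid ? -1 : 1;
    if (dk->type != k->type) return dk->type < k->type ? -1 : 1;
    if (f != k->offset) return f < k->offset ? -1 : 1;
    return 0;
}

/* Returns 0 with *slot = index of the match, else 1 with *slot = insert point. */
int bin_search(const struct ebuf *eb, const struct cpu_key *key, unsigned *slot)
{
    unsigned low = 0, high = eb->nritems;
    struct disk_key unaligned;          /* scratch copy for straddling keys */
    const struct disk_key *tmp;
    while (low < high) {
        unsigned mid = low + (high - low) / 2;
        unsigned off = mid * KEY_SZ, in_pg = off % PAGE_SZ;
        if (in_pg + KEY_SZ <= PAGE_SZ) {
            /* whole key inside one page: compare it in place */
            tmp = (const struct disk_key *)(eb->pages[off / PAGE_SZ] + in_pg);
        } else {
            /* key crosses a page: memcpy fills all of 'unaligned' before use */
            read_ebuf(eb, &unaligned, off, KEY_SZ);
            tmp = &unaligned;
        }
        int ret = comp_keys(tmp, key);
        if (ret < 0)
            low = mid + 1;
        else if (ret > 0)
            high = mid;
        else { *slot = mid; return 0; }
    }
    *slot = low;
    return 1;
}

static unsigned char demo_pages[NPAGES][PAGE_SZ];

/* Constructed input: NKEYS ascending keys (objectid 100,110,...,210; type 1; offset 0)
 * scattered over the pages, then a lookup of 'objectid'.  Key 3 starts at byte 51 and
 * key 11 at byte 187, so both straddle a page boundary and take the else path. */
int demo_lookup(uint64_t objectid, unsigned *slot)
{
    unsigned char flat[NPAGES * PAGE_SZ] = { 0 };
    struct ebuf eb = { .nritems = NKEYS };
    struct cpu_key want = { objectid, 1, 0 };
    for (unsigned i = 0; i < NKEYS; i++) {
        struct disk_key dk = { .type = 1 };
        put_le64(dk.objectid, 100 + 10 * i);
        memcpy(flat + i * KEY_SZ, &dk, KEY_SZ);   /* offset stays 0 */
    }
    for (unsigned p = 0; p < NPAGES; p++) {
        memcpy(demo_pages[p], flat + p * PAGE_SZ, PAGE_SZ);
        eb.pages[p] = demo_pages[p];
    }
    return bin_search(&eb, &want, slot);
}
```

demo_lookup(130, &slot) returns 0 with slot 3, a key whose bytes span pages 0 and 1 and so is reached through the memcpy branch; demo_lookup(135, &slot) returns 1 with slot 4, the insertion point. Building this with clang -fsanitize=memory and exercising those calls is a quick userland check of the point made in the reply: MemorySanitizer propagates initialisation state through memcpy, so unaligned is fully initialised by read_ebuf and the compare through tmp produces no uninit-value report.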
