lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20220517170817.94ca21558bbe035ae06bf6fa@linux-foundation.org>
Date:   Tue, 17 May 2022 17:08:17 -0700
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     Wang Cheng <wanngchenng@...il.com>
Cc:     linux-mm@...ck.org, cgroups@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        syzbot+ad1b8c404f0959c4bfcc@...kaller.appspotmail.com
Subject: Re: [PATCH] mm/mempolicy: fix uninit-value in mpol_rebind_policy()

On Mon, 16 May 2022 17:47:26 +0800 Wang Cheng <wanngchenng@...il.com> wrote:

> 
> ...
>
> This patch seems to fix below bug too.
> KMSAN: uninit-value in mpol_rebind_mm (2)
> https://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b
> 
> The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy().
> When syzkaller reproducer runs to the beginning of mpol_new(),
> 
> 	    mpol_new() mm/mempolicy.c
> 	  do_mbind() mm/mempolicy.c
> 	kernel_mbind() mm/mempolicy.c
> 
> `mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags`
> is 0. Then
> 
> 	mode = MPOL_LOCAL;
> 	...
> 	policy->mode = mode;
> 	policy->flags = flags;
> 
> will be executed. So in mpol_set_nodemask(),
> 
> 	    mpol_set_nodemask() mm/mempolicy.c
> 	  do_mbind()
> 	kernel_mbind()
> 
> pol->mode is 4(MPOL_LOCAL), that `nodemask` in `pol` is not initialized,
> which will be accessed in mpol_rebind_policy().

Thanks, I added the above to the changelog and I plan to import the
result into mm-stable later this week.

> IIUC, "#syz fix: mm/mempolicy: fix uninit-value in mpol_rebind_policy()"
> could be sent to syzbot+ad1b8c404f0959c4bfcc@...kaller.appspotmail.com
> to attach the fixing commit to the bug. WDYT?

Could be.  The "syz fix" isn't a thing I've paid much attention to. 
I'll start doing so ;)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ