lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 14 Mar 2023 15:38:17 +0100
From:   Oliver Hartkopp <socketcan@...tkopp.net>
To:     Ivan Orlov <ivan.orlov0322@...il.com>, mkl@...gutronix.de,
        davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com
Cc:     linux-can@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, himadrispandya@...il.com,
        skhan@...uxfoundation.org,
        syzbot+c9bfd85eca611ebf5db1@...kaller.appspotmail.com
Subject: Re: [PATCH] FS, NET: Fix KMSAN uninit-value in vfs_write

Hello Ivan,

besides the fact that we would read some uninitialized value the outcome 
of the original implementation would have been an error and a 
termination of the copy process too. Maybe throwing a different error 
number.

But it is really interesting to see what KMSAN is able to detect these 
days! Many thanks for the finding and your effort to contribute this fix!

Best regards,
Oliver


On 14.03.23 13:04, Ivan Orlov wrote:
> Syzkaller reported the following issue:

(..)

> 
> Reported-by: syzbot+c9bfd85eca611ebf5db1@...kaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=47f897f8ad958bbde5790ebf389b5e7e0a345089
> Signed-off-by: Ivan Orlov <ivan.orlov0322@...il.com>

Acked-by: Oliver Hartkopp <socketcan@...tkopp.net>


> ---
>   net/can/bcm.c | 16 ++++++++++------
>   1 file changed, 10 insertions(+), 6 deletions(-)
> 
> diff --git a/net/can/bcm.c b/net/can/bcm.c
> index 27706f6ace34..a962ec2b8ba5 100644
> --- a/net/can/bcm.c
> +++ b/net/can/bcm.c
> @@ -941,6 +941,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
>   
>   			cf = op->frames + op->cfsiz * i;
>   			err = memcpy_from_msg((u8 *)cf, msg, op->cfsiz);
> +			if (err < 0)
> +				goto free_op;
>   
>   			if (op->flags & CAN_FD_FRAME) {
>   				if (cf->len > 64)
> @@ -950,12 +952,8 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
>   					err = -EINVAL;
>   			}
>   
> -			if (err < 0) {
> -				if (op->frames != &op->sframe)
> -					kfree(op->frames);
> -				kfree(op);
> -				return err;
> -			}
> +			if (err < 0)
> +				goto free_op;
>   
>   			if (msg_head->flags & TX_CP_CAN_ID) {
>   				/* copy can_id into frame */
> @@ -1026,6 +1024,12 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
>   		bcm_tx_start_timer(op);
>   
>   	return msg_head->nframes * op->cfsiz + MHSIZ;
> +
> +free_op:
> +	if (op->frames != &op->sframe)
> +		kfree(op->frames);
> +	kfree(op);
> +	return err;
>   }
>   
>   /*

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ