lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ff0a4ed4-9fde-7a9f-da39-d799dfb946f1@gmail.com>
Date:   Tue, 14 Mar 2023 19:37:00 +0400
From:   Ivan Orlov <ivan.orlov0322@...il.com>
To:     Oliver Hartkopp <socketcan@...tkopp.net>, mkl@...gutronix.de,
        davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com
Cc:     linux-can@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, himadrispandya@...il.com,
        skhan@...uxfoundation.org,
        syzbot+c9bfd85eca611ebf5db1@...kaller.appspotmail.com
Subject: Re: [PATCH] FS, NET: Fix KMSAN uninit-value in vfs_write

On 3/14/23 18:38, Oliver Hartkopp wrote:
> Hello Ivan,
> 
> besides the fact that we would read some uninitialized value the outcome 
> of the original implementation would have been an error and a 
> termination of the copy process too. Maybe throwing a different error 
> number.
> 
> But it is really interesting to see what KMSAN is able to detect these 
> days! Many thanks for the finding and your effort to contribute this fix!
> 
> Best regards,
> Oliver
> 
> 
> On 14.03.23 13:04, Ivan Orlov wrote:
>> Syzkaller reported the following issue:
> 
> (..)
> 
>>
>> Reported-by: syzbot+c9bfd85eca611ebf5db1@...kaller.appspotmail.com
>> Link: 
>> https://syzkaller.appspot.com/bug?id=47f897f8ad958bbde5790ebf389b5e7e0a345089
>> Signed-off-by: Ivan Orlov <ivan.orlov0322@...il.com>
> 
> Acked-by: Oliver Hartkopp <socketcan@...tkopp.net>
> 
> 
>> ---
>>   net/can/bcm.c | 16 ++++++++++------
>>   1 file changed, 10 insertions(+), 6 deletions(-)
>>
>> diff --git a/net/can/bcm.c b/net/can/bcm.c
>> index 27706f6ace34..a962ec2b8ba5 100644
>> --- a/net/can/bcm.c
>> +++ b/net/can/bcm.c
>> @@ -941,6 +941,8 @@ static int bcm_tx_setup(struct bcm_msg_head 
>> *msg_head, struct msghdr *msg,
>>               cf = op->frames + op->cfsiz * i;
>>               err = memcpy_from_msg((u8 *)cf, msg, op->cfsiz);
>> +            if (err < 0)
>> +                goto free_op;
>>               if (op->flags & CAN_FD_FRAME) {
>>                   if (cf->len > 64)
>> @@ -950,12 +952,8 @@ static int bcm_tx_setup(struct bcm_msg_head 
>> *msg_head, struct msghdr *msg,
>>                       err = -EINVAL;
>>               }
>> -            if (err < 0) {
>> -                if (op->frames != &op->sframe)
>> -                    kfree(op->frames);
>> -                kfree(op);
>> -                return err;
>> -            }
>> +            if (err < 0)
>> +                goto free_op;
>>               if (msg_head->flags & TX_CP_CAN_ID) {
>>                   /* copy can_id into frame */
>> @@ -1026,6 +1024,12 @@ static int bcm_tx_setup(struct bcm_msg_head 
>> *msg_head, struct msghdr *msg,
>>           bcm_tx_start_timer(op);
>>       return msg_head->nframes * op->cfsiz + MHSIZ;
>> +
>> +free_op:
>> +    if (op->frames != &op->sframe)
>> +        kfree(op->frames);
>> +    kfree(op);
>> +    return err;
>>   }
>>   /*

Thank you for the quick answer! I totally agree that this patch will not 
change the behavior a lot. However, I think a little bit more error 
processing will not be bad (considering this will not bring any 
performance overhead). If someone in the future tries to use the "cf" 
object right after "memcpy_from_msg" call without proper error 
processing it will lead to a bug (which will be hard to trigger). Maybe 
fixing it now to avoid possible future mistakes in the future makes sense?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ