Date: Fri, 26 Jan 2024 11:19:58 +0100
From: Alexander Potapenko <glider@...gle.com>
To: Edward Adam Davis <eadavis@...com>
Cc: syzbot+d7521c1e3841ed075a42@...kaller.appspotmail.com, 
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)

On Fri, Jan 26, 2024 at 2:36 AM 'Edward Adam Davis' via syzkaller-bugs
<syzkaller-bugs@...glegroups.com> wrote:
>
> please test uninit-value in virtqueue_add (4)

Hi Edward,

KMSAN is currently broken at trunk, see
https://lore.kernel.org/linux-mm/20240115184430.2710652-1-glider@google.com/
Therefore syzbot is unable to test patches before a couple of changes
reach upstream.

I checked your patch, and it is still triggering the same bug, which
is expected, because there are whole uninitialized pages, and the
patch below only initializes two instances of struct scatterlist that
are unlikely to be cloned to fill those pages.
There must be some non-instrumented code that fills those pages with
data, e.g. a DMA write, an assembly routine or some VM-to-kernel
interaction that KMSAN fails to handle.

>
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3
>
> diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
> index 9d1bdcdc1331..4ca6627a7459 100644
> --- a/drivers/scsi/virtio_scsi.c
> +++ b/drivers/scsi/virtio_scsi.c
> @@ -427,7 +427,7 @@ static int __virtscsi_add_cmd(struct virtqueue *vq,
>                             size_t req_size, size_t resp_size)
>  {
>         struct scsi_cmnd *sc = cmd->sc;
> -       struct scatterlist *sgs[6], req, resp;
> +       struct scatterlist *sgs[6], req = {}, resp = {};
>         struct sg_table *out, *in;
>         unsigned out_num = 0, in_num = 0;
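Review bot: the hunk zero-initializes only the two on-stack `struct scatterlist` variables `req` and `resp` in `__virtscsi_add_cmd()`, but nothing in the hunk ties those two structs to the bytes KMSAN flagged in `virtqueue_add`, and the patch carries no commit message stating which read of `req` or `resp` is uninitialized. Before resending, check whether the function already sets these up with `sg_init_one()` (or equivalent) before they are handed to the virtqueue; if so, `req = {}, resp = {}` is redundant and the uninitialized data must originate elsewhere, for example in the buffers the scatterlists point at rather than in the scatterlist headers themselves. Quoting the KMSAN origin stack from the report in the commit message would make the fix reviewable.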
