lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4febd8ae-8d25-41b1-81cd-da79002b09d5@kernel.dk>
Date: Sat, 16 Mar 2024 09:46:20 -0600
From: Jens Axboe <axboe@...nel.dk>
To: Pavel Begunkov <asml.silence@...il.com>,
 syzbot <syzbot+f8e9a371388aa62ecab4@...kaller.appspotmail.com>,
 io-uring@...r.kernel.org, linux-kernel@...r.kernel.org,
 syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [io-uring?] KMSAN: uninit-value in io_sendrecv_fail

On 3/16/24 9:28 AM, Pavel Begunkov wrote:
> On 3/16/24 13:37, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> KMSAN: uninit-value in io_sendrecv_fail
> 
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 3ae4bb988906..826989e2f601 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -1063,6 +1063,7 @@ static void io_preinit_req(struct io_kiocb *req, struct io_ring_ctx *ctx)
>      /* not necessary, but safer to zero */
>      memset(&req->cqe, 0, sizeof(req->cqe));
>      memset(&req->big_cqe, 0, sizeof(req->big_cqe));
> +    memset(&req->cmd, 0, sizeof(req->cmd));
>  }
> 
> What's the point of testing it? You said it yourself, it hides the
> problem under the carpet but doesn't solve it. Do some valid IO first,
> then send that failed request. If done_io is aliased with with some
> interesting field of a previously completed request you're royally
> screwed, but syz would be just happy about it.

Yeah I agree, as per my email. I think we're better off just doing the
EARLY_FAIL in general, and forget about the specific case. I just wanted
to make sure I wasn't off in the weeds, since I can't trigger this.
Could probably write a specific test case for it, but the syzbot
reproducer didn't for me.

-- 
Jens Axboe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ