Message-ID: <5063d525-d9df-4aaf-991d-bcb9f495c041@linux.dev>
Date: Tue, 26 Mar 2024 21:47:14 -0700
From: Yonghong Song <yonghong.song@...ux.dev>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>,
 Martin KaFai Lau <martin.lau@...ux.dev>
Cc: Alexei Starovoitov <ast@...nel.org>, Andrii Nakryiko <andrii@...nel.org>,
 Daniel Borkmann <daniel@...earbox.net>,
 syzbot <syzbot+1a3cf6f08d68868f9db3@...kaller.appspotmail.com>,
 bpf <bpf@...r.kernel.org>, "David S. Miller" <davem@...emloft.net>,
 Eddy Z <eddyz87@...il.com>, Hao Luo <haoluo@...gle.com>,
 Jesper Dangaard Brouer <hawk@...nel.org>,
 John Fastabend <john.fastabend@...il.com>, Jiri Olsa <jolsa@...nel.org>,
 KP Singh <kpsingh@...nel.org>, Jakub Kicinski <kuba@...nel.org>,
 LKML <linux-kernel@...r.kernel.org>,
 Network Development <netdev@...r.kernel.org>,
 Stanislav Fomichev <sdf@...gle.com>, Song Liu <song@...nel.org>,
 syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: [syzbot] [bpf?] [net?] KMSAN: uninit-value in dev_map_lookup_elem


On 3/26/24 6:07 PM, Alexei Starovoitov wrote:
> On Tue, Mar 26, 2024 at 5:54 PM Martin KaFai Lau <martin.lau@...ux.dev> wrote:
>> On 3/25/24 2:36 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:    5e74df2f8f15 Merge tag 'x86-urgent-2024-03-24' of git://gi..
>>> git tree:       upstream
>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=148872a5180000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=e6bd769cb793b98a
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=1a3cf6f08d68868f9db3
>>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15921a6e180000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12e081f1180000
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-assets/1a82880723a7/disk-5e74df2f.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-assets/fd3046ac43b9/vmlinux-5e74df2f.xz
>>> kernel image: https://storage.googleapis.com/syzbot-assets/2097be59cbc1/bzImage-5e74df2f.xz
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+1a3cf6f08d68868f9db3@...kaller.appspotmail.com
>>>
>>> =====================================================
>>> BUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]
>>> BUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796
>>>    __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]
>>>    dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796
>>>    ____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]
>>>    bpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38
>>>    ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
>>>    __bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237
>> It should be in the interpreter mode.
>>
>> The C reproducer is trying to run the following bpf prog:
>>
>>      0: (18) r0 = 0x0
>>      2: (18) r1 = map[id:49]
>>      4: (b7) r8 = 16777216
>>      5: (7b) *(u64 *)(r10 -8) = r8
>>      6: (bf) r2 = r10
>>      7: (07) r2 += -229
>>              ^^^^^^^^^^
>>
>>      8: (b7) r3 = 8
>>      9: (b7) r4 = 0
>>     10: (85) call dev_map_lookup_elem#1543472
>>     11: (95) exit
>>
>> I think this KMSAN report (and a few others related to lookup/delete_elem)
>> should only happen in the interpreter mode.
>>
>> Is it worth suppressing it by always initializing the stack in the interpreter
>> mode, considering the interpreter is not very speed sensitive?
> Maybe we can mark it as initialized from kmsan pov?
> There are kasan_poison/unpoison helpers that may fit?

Maybe use kmsan_unpoison_memory()?

In lib/Kconfig.kmsan, we have

config KMSAN
         bool "KMSAN: detector of uninitialized values use"
         depends on HAVE_ARCH_KMSAN && HAVE_KMSAN_COMPILER
         depends on DEBUG_KERNEL && !KASAN && !KCSAN
         depends on !PREEMPT_RT
         select STACKDEPOT
         select STACKDEPOT_ALWAYS_INIT
         help
           KernelMemorySanitizer (KMSAN) is a dynamic detector of uses of
           uninitialized values in the kernel. It is based on compiler
           instrumentation provided by Clang and thus requires Clang to build.

           An important note is that KMSAN is not intended for production use,
           because it drastically increases kernel memory footprint and slows
           the whole system down.

           See <file:Documentation/dev-tools/kmsan.rst> for more details.

So to enable KMSAN, KASAN and KCSAN need to be disabled.
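The point Martin's listing makes is that insn 7 moves the key pointer to r10-229, a region no store in the program ever touched, so the helper reads whatever the interpreter's stack array happens to contain; the verifier lets that through because a privileged loader is allowed to pass uninitialized stack bytes to helpers (allow_uninit_stack), and it is only KMSAN, in interpreter mode, that notices. The following is an added example, not code from the thread or from the kernel: a user-space model of the verifier's stack-initialization check for the key argument of bpf_map_lookup_elem, run over the exact instruction sequence shown above. The OP_* constants, struct insn, build_repro() and check_lookup_key() are local definitions written for this example (they mirror the opcodes printed in parentheses in the listing, so the file builds without linux/bpf.h); the helper is modelled by its pre-rewrite id BPF_FUNC_map_lookup_elem rather than the dev_map_lookup_elem address the dump shows; the 4-byte key size is the devmap key size, and the privileged/unprivileged split is an assumption about how allow_uninit_stack applies, not a reproduction of the verifier itself.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BPF_STACK 512          /* size of the per-program BPF stack */
#define DEVMAP_KEY_SIZE 4          /* devmap keys are u32 */
#define BPF_FUNC_map_lookup_elem 1 /* helper id before the call is rewritten */

/* Opcodes as printed in parentheses in the listing; defined locally (an
 * assumption of this example) so the file builds without linux/bpf.h. */
enum { OP_LD_IMM64 = 0x18, OP_MOV64_IMM = 0xb7, OP_MOV64_REG = 0xbf,
       OP_ADD64_IMM = 0x07, OP_STX_DW = 0x7b, OP_CALL = 0x85, OP_EXIT = 0x95 };

struct insn { uint8_t code, dst, src; int16_t off; int32_t imm; };

enum key_check {
    KEY_OK = 0,         /* key bytes in range and fully written */
    KEY_OK_UNINIT,      /* accepted only because allow_uninit_stack is set */
    KEY_UNINIT,         /* rejected: key reads bytes never written */
    KEY_OUT_OF_BOUNDS,  /* rejected: key not inside [r10-512, r10) */
    KEY_NOT_STACK_PTR,  /* no lookup reached, or r2 is not a stack pointer */
};

/* Abstract register: a scalar, or a pointer into the frame at r10 + off. */
struct reg { bool is_fp_ptr; int32_t off; };

/* The reproducer's program, with the insn-7 delta as a parameter (-229 in the
 * report). Returns the number of struct insn entries written to out[]. */
static size_t build_repro(int32_t key_delta, struct insn out[12])
{
    const struct insn p[] = {
        {OP_LD_IMM64, 0, 0, 0, 0}, {0},               /*  0: r0 = 0x0 */
        {OP_LD_IMM64, 1, 1, 0, 49}, {0},              /*  2: r1 = map[id:49] */
        {OP_MOV64_IMM, 8, 0, 0, 16777216},            /*  4: r8 = 16777216 */
        {OP_STX_DW, 10, 8, -8, 0},                    /*  5: *(u64 *)(r10 -8) = r8 */
        {OP_MOV64_REG, 2, 10, 0, 0},                  /*  6: r2 = r10 */
        {OP_ADD64_IMM, 2, 0, 0, key_delta},           /*  7: r2 += key_delta */
        {OP_MOV64_IMM, 3, 0, 0, 8},                   /*  8: r3 = 8 */
        {OP_MOV64_IMM, 4, 0, 0, 0},                   /*  9: r4 = 0 */
        {OP_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem}, /* 10: call map_lookup_elem */
        {OP_EXIT, 0, 0, 0, 0},                        /* 11: exit */
    };
    memcpy(out, p, sizeof p);
    return sizeof p / sizeof p[0];
}

/* Walk a straight-line program, track which stack bytes have been written, and
 * check the key pointer handed to bpf_map_lookup_elem the way the verifier's
 * check_stack_range_initialized() does. *key_off receives the r10-relative
 * offset of the key once the call is reached. */
static enum key_check check_lookup_key(const struct insn *p, size_t n,
                                       int key_size, bool allow_uninit_stack,
                                       int32_t *key_off)
{
    struct reg regs[11] = {{0}};
    bool written[MAX_BPF_STACK] = {0};  /* written[i]: byte r10-512+i stored */
    regs[10].is_fp_ptr = true;           /* r10 is the frame pointer */

    for (size_t i = 0; i < n; i++) {
        const struct insn *in = &p[i];
        switch (in->code) {
        case OP_LD_IMM64:
            regs[in->dst] = (struct reg){false, 0};
            i++;                          /* 16-byte insn: skip filler entry */
            break;
        case OP_MOV64_IMM:
            regs[in->dst] = (struct reg){false, 0};
            break;
        case OP_MOV64_REG:
            regs[in->dst] = regs[in->src];
            break;
        case OP_ADD64_IMM:
            regs[in->dst].off += in->imm;  /* pointer arithmetic on fp ptrs */
            break;
        case OP_STX_DW:                    /* 8-byte store: mark bytes written */
            if (!regs[in->dst].is_fp_ptr)
                break;
            for (int b = 0; b < 8; b++) {
                int32_t idx = MAX_BPF_STACK + regs[in->dst].off + in->off + b;
                if (idx >= 0 && idx < MAX_BPF_STACK)
                    written[idx] = true;
            }
            break;
        case OP_CALL:
            if (in->imm != BPF_FUNC_map_lookup_elem)
                break;
            if (!regs[2].is_fp_ptr)
                return KEY_NOT_STACK_PTR;
            *key_off = regs[2].off;
            if (*key_off < -MAX_BPF_STACK || *key_off + key_size > 0)
                return KEY_OUT_OF_BOUNDS;
            for (int b = 0; b < key_size; b++)
                if (!written[MAX_BPF_STACK + *key_off + b])
                    return allow_uninit_stack ? KEY_OK_UNINIT : KEY_UNINIT;
            return KEY_OK;
        case OP_EXIT:
            return KEY_NOT_STACK_PTR;
        }
    }
    return KEY_NOT_STACK_PTR;
}

int main(void)
{
    struct insn prog[12];
    size_t n = build_repro(-229, prog);
    int32_t off = 0;
    enum key_check unpriv = check_lookup_key(prog, n, DEVMAP_KEY_SIZE, false, &off);
    enum key_check priv = check_lookup_key(prog, n, DEVMAP_KEY_SIZE, true, &off);
    printf("key at r10%+d: unprivileged=%d privileged=%d\n", off, unpriv, priv);
    return 0;
}
```

With the delta from the report the unprivileged walk returns KEY_UNINIT, while the privileged walk returns KEY_OK_UNINIT: the program is accepted, and the 4 key bytes at r10-229 are read from the interpreter's stack array without ever having been stored, which is exactly the read KMSAN flags at devmap.c:441. Changing the delta to -8 makes the key land on the bytes insn 5 wrote and the check returns KEY_OK; a delta below -512 is rejected as out of bounds.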

