lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAG_fn=WZ=i2WLAVcLGhXkfm_9CouEf8v9PoLL-zJ0TJZZSXZ6Q@mail.gmail.com>
Date: Tue, 28 May 2024 10:19:02 +0200
From: Alexander Potapenko <glider@...gle.com>
To: Kent Overstreet <kent.overstreet@...ux.dev>
Cc: syzbot <syzbot+eceea46e8838baeeba67@...kaller.appspotmail.com>, 
	bfoster@...hat.com, linux-bcachefs@...r.kernel.org, 
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_extent_update_i_size_sectors

On Thu, May 23, 2024 at 10:15 AM Alexander Potapenko <glider@...glecom> wrote:
>
> On Thu, May 23, 2024 at 1:49 AM Kent Overstreet
> <kent.overstreet@...ux.dev> wrote:
> >
> > This (and a few others I've looked at) look more likely to be bugs in
> > KMSAN, not bcachefs.
>
> Yeah, this is possible if we are missing some initialization.
>
> >
> > here, the supposedly uninitialized key was read in from disk, so the key
> > couldn't possibly have been legitimately marked uninitialized.
>
> Am I right that the key is supposed to be initialized before the first
> call of memcpy_u64s_small() (the _lower_ "Uninit was stored to memory
> at:" stack trace)?
> Do you have an idea what code performed the actual load of the data from disk?
> If that load was done by some assembly routine, we could've easily
> missed that - in that case we'll need to annotate it to fix the false
> positives.

I thought the initialization here was done by constructing a `struct
bio` in fs/bcachefs/btree_io.c and passing it to
submit_bio()/submit_bio_wait(), but I couldn't see return values of
btree_bounce_alloc() being used in bio_vec elements.
Are there other places that perform disk I/O?

We need something similar to kmsan_handle_dma()
(https://elixir.bootlin.com/linux/latest/source/mm/kmsan/hooks.c#L328),
but for block IO, so that data copied from the device can be marked as
initialized.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ