| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <66fc6d2e.050a0220.f28ec.04d5.GAE@google.com>
Date: Tue, 01 Oct 2024 14:44:14 -0700
From: syzbot <syzbot+d395b0c369e492a17530@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] Re: [syzbot] [hfs?] KMSAN: uninit-value in
__hfs_ext_cache_extent (2)
For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.
***
Subject: Re: [syzbot] [hfs?] KMSAN: uninit-value in __hfs_ext_cache_extent (2)
Author: surajsonawane0215@...il.com
This change ensures that the extent and cached_extents structures are fully
initialized before use.
By adding memset, it prevents uninitialized memory issues reported by
KMSAN, avoiding undefined
behavior and possible crashes during extent handling.
#syz test
Signed-off-by: SurajSonawane2415 <surajsonawane0215@...il.com>
---
fs/hfs/extent.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
index 4a0ce131e..cee1b4504 100644
--- a/fs/hfs/extent.c
+++ b/fs/hfs/extent.c
@@ -154,6 +154,7 @@ static inline int __hfs_ext_read_extent(struct
hfs_find_data *fd, struct hfs_ext
hfs_ext_build_key(fd->search_key, cnid, block, type);
fd->key->ext.FNum = 0;
+ memset(extent, 0, sizeof(struct hfs_extent));
res = hfs_brec_find(fd);
if (res && res != -ENOENT)
return res;
@@ -176,6 +177,7 @@ static inline int __hfs_ext_cache_extent(struct
hfs_find_data *fd, struct inode
return res;
}
+ memset(HFS_I(inode)->cached_extents, 0,
sizeof(HFS_I(inode)->cached_extents));
res = __hfs_ext_read_extent(fd, HFS_I(inode)->cached_extents,
inode->i_ino,
block, HFS_IS_RSRC(inode) ? HFS_FK_RSRC : HFS_FK_DATA);
if (!res) {
--
2.34.1
On Tue, Oct 1, 2024 at 2:57 PM syzbot <
syzbot+d395b0c369e492a17530@...kaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: ad46e8f95e93 Merge tag 'pm-6.12-rc1-2' of
> git://git.kernel..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b9be27980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=85d8f50d88ddf2a
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=d395b0c369e492a17530
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for
> Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15b9be27980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ddd507980000
>
> Downloadable assets:
> disk image:
> https://storage.googleapis.com/syzbot-assets/265feec46ffa/disk-ad46e8f9.raw.xz
> vmlinux:
> https://storage.googleapis.com/syzbot-assets/d0f41ea693d3/vmlinux-ad46e8f9.xz
> kernel image:
> https://storage.googleapis.com/syzbot-assets/45082d33d192/bzImage-ad46e8f9.xz
> mounted in repro:
> https://storage.googleapis.com/syzbot-assets/c19549ac916f/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> Reported-by: syzbot+d395b0c369e492a17530@...kaller.appspotmail.com
>
> loop0: detected capacity change from 0 to 64
> =====================================================
> BUG: KMSAN: uninit-value in __hfs_ext_read_extent fs/hfs/extent.c:160
> [inline]
> BUG: KMSAN: uninit-value in __hfs_ext_cache_extent+0x69f/0x7e0
> fs/hfs/extent.c:179
> __hfs_ext_read_extent fs/hfs/extent.c:160 [inline]
> __hfs_ext_cache_extent+0x69f/0x7e0 fs/hfs/extent.c:179
> hfs_ext_read_extent fs/hfs/extent.c:202 [inline]
> hfs_get_block+0x733/0xf50 fs/hfs/extent.c:366
> __block_write_begin_int+0xa6b/0x2f80 fs/buffer.c:2121
> block_write_begin fs/buffer.c:2231 [inline]
> cont_write_begin+0xf82/0x1940 fs/buffer.c:2582
> hfs_write_begin+0x85/0x120 fs/hfs/inode.c:52
> cont_expand_zero fs/buffer.c:2509 [inline]
> cont_write_begin+0x32f/0x1940 fs/buffer.c:2572
> hfs_write_begin+0x85/0x120 fs/hfs/inode.c:52
> hfs_file_truncate+0x1a5/0xd30 fs/hfs/extent.c:494
> hfs_inode_setattr+0x998/0xab0 fs/hfs/inode.c:654
> notify_change+0x1a8e/0x1b80 fs/attr.c:503
> do_truncate+0x22a/0x2b0 fs/open.c:65
> vfs_truncate+0x5d4/0x680 fs/open.c:111
> do_sys_truncate+0x104/0x240 fs/open.c:134
> __do_sys_truncate fs/open.c:146 [inline]
> __se_sys_truncate fs/open.c:144 [inline]
> __x64_sys_truncate+0x6c/0xa0 fs/open.c:144
> x64_sys_call+0x2ce3/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:77
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Uninit was created at:
> slab_post_alloc_hook mm/slub.c:4092 [inline]
> slab_alloc_node mm/slub.c:4135 [inline]
> __do_kmalloc_node mm/slub.c:4264 [inline]
> __kmalloc_noprof+0x661/0xf30 mm/slub.c:4277
> kmalloc_noprof include/linux/slab.h:882 [inline]
> hfs_find_init+0x91/0x250 fs/hfs/bfind.c:21
> hfs_ext_read_extent fs/hfs/extent.c:200 [inline]
> hfs_get_block+0x68d/0xf50 fs/hfs/extent.c:366
> __block_write_begin_int+0xa6b/0x2f80 fs/buffer.c:2121
> block_write_begin fs/buffer.c:2231 [inline]
> cont_write_begin+0xf82/0x1940 fs/buffer.c:2582
> hfs_write_begin+0x85/0x120 fs/hfs/inode.c:52
> cont_expand_zero fs/buffer.c:2509 [inline]
> cont_write_begin+0x32f/0x1940 fs/buffer.c:2572
> hfs_write_begin+0x85/0x120 fs/hfs/inode.c:52
> hfs_file_truncate+0x1a5/0xd30 fs/hfs/extent.c:494
> hfs_inode_setattr+0x998/0xab0 fs/hfs/inode.c:654
> notify_change+0x1a8e/0x1b80 fs/attr.c:503
> do_truncate+0x22a/0x2b0 fs/open.c:65
> vfs_truncate+0x5d4/0x680 fs/open.c:111
> do_sys_truncate+0x104/0x240 fs/open.c:134
> __do_sys_truncate fs/open.c:146 [inline]
> __se_sys_truncate fs/open.c:144 [inline]
> __x64_sys_truncate+0x6c/0xa0 fs/open.c:144
> x64_sys_call+0x2ce3/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:77
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> CPU: 0 UID: 0 PID: 5188 Comm: syz-executor246 Not tainted
> 6.11.0-syzkaller-11728-gad46e8f95e93 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 09/13/2024
> =====================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/66fbc081.050a0220.6bad9.0056.GAE%40google.com
> .
>
Powered by blists - more mailing lists