| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ae1d05f6-cd65-4ca4-87c5-af0ae34e21ce@suse.com>
Date: Fri, 16 May 2025 15:42:54 +0200
From: Jürgen Groß <jgross@...e.com>
To: Xin Li <xin@...or.com>, Ingo Molnar <mingo@...nel.org>
Cc: linux-kernel@...r.kernel.org, xen-devel@...ts.xenproject.org,
linux-acpi@...r.kernel.org, tglx@...utronix.de, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
peterz@...radead.org, boris.ostrovsky@...cle.com, rafael@...nel.org,
lenb@...nel.org
Subject: Re: [PATCH v1 2/3] x86/xen/msr: Fix uninitialized symbol 'err'
On 15.05.25 20:11, Xin Li wrote:
> On 5/15/2025 8:29 AM, Ingo Molnar wrote:
>>
>> * Xin Li (Intel) <xin@...or.com> wrote:
>>
>>> xen_read_msr_safe() currently passes an uninitialized argument err to
>>> xen_do_read_msr(). But as xen_do_read_msr() may not set the argument,
>>> xen_read_msr_safe() could return err with an unpredictable value.
>>>
>>> To ensure correctness, initialize err to 0 (representing success)
>>> in xen_read_msr_safe().
>>>
>>> Because xen_read_msr_safe() is essentially a wrapper of xen_do_read_msr(),
>>> the latter should be responsible for initializing the value of *err to 0.
>>> Thus initialize *err to 0 in xen_do_read_msr().
>>>
>>> Fixes: 502ad6e5a619 ("x86/msr: Change the function type of
>>> native_read_msr_safe()")
>>> Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
>>> Closes: https://lore.kernel.org/xen-devel/aBxNI_Q0-MhtBSZG@stanley.mountain/
>>> Signed-off-by: Xin Li (Intel) <xin@...or.com>
>>> ---
>>> arch/x86/xen/enlighten_pv.c | 5 ++++-
>>> 1 file changed, 4 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
>>> index 3be38350f044..01f1d441347e 100644
>>> --- a/arch/x86/xen/enlighten_pv.c
>>> +++ b/arch/x86/xen/enlighten_pv.c
>>> @@ -1091,6 +1091,9 @@ static u64 xen_do_read_msr(u32 msr, int *err)
>>> {
>>> u64 val = 0; /* Avoid uninitialized value for safe variant. */
>>> + if (err)
>>> + *err = 0;
>>> +
>>> if (pmu_msr_chk_emulated(msr, &val, true))
>>> return val;
>>> @@ -1162,7 +1165,7 @@ static void xen_do_write_msr(u32 msr, u64 val, int *err)
>>> static int xen_read_msr_safe(u32 msr, u64 *val)
>>> {
>>> - int err;
>>> + int err = 0;
>>> *val = xen_do_read_msr(msr, &err);
>>> return err;
>>
>> So why not initialize 'err' with 0 in both callers, xen_read_msr_safe()
>> and xen_read_msr(), and avoid all the initialization trouble in
>> xen_do_read_msr()?
>
> Yeah, I should make the change in xen_read_msr() too.
>
> However xen_do_read_msr() should be implemented in a defensive way to
> set *err properly as it's part of its return value. Actually it was so,
> but one of my previous cleanup patch removed it because err is no longer
> passed to pmu_msr_chk_emulated().
xen_do_read_msr() is usable only in enlighten_pv.c as it is static.
So I'd prefer to drop setting err to 0 in xen_do_read_msr() initially
and to set err to 0 in all callers.
Juergen
Download attachment "OpenPGP_0xB0DE9DD628BF132F.asc" of type "application/pgp-keys" (3684 bytes)
Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (496 bytes)
Powered by blists - more mailing lists