Message-ID: <20250911175145.GA1376@sol>
Date: Thu, 11 Sep 2025 10:51:45 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: Alexander Potapenko <glider@...gle.com>
Cc: Marco Elver <elver@...gle.com>, kasan-dev@...glegroups.com,
	Dmitry Vyukov <dvyukov@...gle.com>, linux-mm@...ck.org,
	linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
	stable@...r.kernel.org
Subject: Re: [PATCH] kmsan: Fix out-of-bounds access to shadow memory

On Thu, Sep 11, 2025 at 11:09:17AM +0200, Alexander Potapenko wrote:
> On Wed, Sep 10, 2025 at 9:49 PM Eric Biggers <ebiggers@...nel.org> wrote:
> >
> > On Fri, Aug 29, 2025 at 09:45:00AM -0700, Eric Biggers wrote:
> > > Running sha224_kunit on a KMSAN-enabled kernel results in a crash in
> > > kmsan_internal_set_shadow_origin():
> > >
> > >     BUG: unable to handle page fault for address: ffffbc3840291000
> > >     #PF: supervisor read access in kernel mode
> > >     #PF: error_code(0x0000) - not-present page
> > >     PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0
> > >     Oops: 0000 [#1] SMP NOPTI
> > >     CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G                 N  6.17.0-rc3 #10 PREEMPT(voluntary)
> > >     Tainted: [N]=TEST
> > >     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
> > >     RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100
> > >     [...]
> > >     Call Trace:
> > >     <TASK>
> > >     __msan_memset+0xee/0x1a0
> > >     sha224_final+0x9e/0x350
> > >     test_hash_buffer_overruns+0x46f/0x5f0
> > >     ? kmsan_get_shadow_origin_ptr+0x46/0xa0
> > >     ? __pfx_test_hash_buffer_overruns+0x10/0x10
> > >     kunit_try_run_case+0x198/0xa00
> >
> > Any thoughts on this patch from the KMSAN folks?  I'd love to add
> > CONFIG_KMSAN=y to my crypto subsystem testing, but unfortunately the
> > kernel crashes due to this bug :-(
> >
> > - Eric
> 
> Sorry, I was out in August and missed this email when digging through my inbox.
> 
> Curiously, I couldn't find any relevant crashes on the KMSAN syzbot
> instance, but the issue is legit.
> Thank you so much for fixing this!
> 
> Any chance you can add a test case for it to mm/kmsan/kmsan_test.c?

Unfortunately most of the KMSAN test cases already fail on upstream,
which makes it difficult to develop new ones:

[    1.322395] KTAP version 1
[    1.322899] 1..1
[    1.323644]     KTAP version 1
[    1.324142]     # Subtest: kmsan
[    1.324650]     # module: kmsan_test
[    1.324667]     1..24
[    1.325990]     # test_uninit_kmalloc: uninitialized kmalloc test (UMR report)
[    1.327078] *ptr is true
[    1.327525]     # test_uninit_kmalloc: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:173
                   Expected report_matches(&expect) to be true, but is false
[    1.330117]     not ok 1 test_uninit_kmalloc
[    1.330474]     # test_init_kmalloc: initialized kmalloc test (no reports)
[    1.332129] *ptr is false
[    1.333384]     ok 2 test_init_kmalloc
[    1.333729]     # test_init_kzalloc: initialized kzalloc test (no reports)
[    1.335285] *ptr is false
[    1.339418]     ok 3 test_init_kzalloc
[    1.339791]     # test_uninit_stack_var: uninitialized stack variable (UMR report)
[    1.341484] cond is false
[    1.341927]     # test_uninit_stack_var: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:211
                   Expected report_matches(&expect) to be true, but is false
[    1.344844]     not ok 4 test_uninit_stack_var
[    1.345262]     # test_init_stack_var: initialized stack variable (no reports)
[    1.347083] cond is true
[    1.347847]     ok 5 test_init_stack_var
[    1.348145]     # test_params: uninit passed through a function parameter (UMR report)
[    1.349926] arg1 is false
[    1.350338] arg2 is false
[    1.350746] arg is false
[    1.351154] arg1 is false
[    1.351561] arg2 is true
[    1.351987]     # test_params: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:262
                   Expected report_matches(&expect) to be true, but is false
[    1.354751]     not ok 6 test_params
[    1.355229]     # test_uninit_multiple_params: uninitialized local passed to fn (UMR report)
[    1.357056] signed_sum3(a, b, c) is true
[    1.357677]     # test_uninit_multiple_params: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:282
                   Expected report_matches(&expect) to be true, but is false
[    1.360393]     not ok 7 test_uninit_multiple_params
[    1.360676]     # test_uninit_kmsan_check_memory: kmsan_check_memory() called on uninit local (UMR report)
[    1.362916]     # test_uninit_kmsan_check_memory: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:309
                   Expected report_matches(&expect) to be true, but is false
[    1.365946]     not ok 8 test_uninit_kmsan_check_memory
[    1.366415]     # test_init_kmsan_vmap_vunmap: pages initialized via vmap (no reports)
[    1.368805]     ok 9 test_init_kmsan_vmap_vunmap
[    1.369223]     # test_init_vmalloc: vmalloc buffer can be initialized (no reports)
[    1.371106] buf[0] is true
[    1.371937]     ok 10 test_init_vmalloc
[    1.372396]     # test_uaf: use-after-free in kmalloc-ed buffer (UMR report)
[    1.374021] value is true
[    1.374463]     # test_uaf: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:378
                   Expected report_matches(&expect) to be true, but is false
[    1.376867]     not ok 11 test_uaf
[    1.377229]     # test_percpu_propagate: uninit local stored to per_cpu memory (UMR report)
[    1.378951] check is false
[    1.379432]     # test_percpu_propagate: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:396
                   Expected report_matches(&expect) to be true, but is false
[    1.382201]     not ok 12 test_percpu_propagate
[    1.382625]     # test_printk: uninit local passed to pr_info() (UMR report)
[    1.384329] ffffc900002bfcd4 contains 0
[    1.384933]     # test_printk: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:418
                   Expected report_matches(&expect) to be true, but is false
[    1.387474]     not ok 13 test_printk
[    1.387824]     # test_init_memcpy: memcpy()ing aligned initialized src to aligned dst (no reports)
[    1.390061]     ok 14 test_init_memcpy
[    1.390327]     # test_memcpy_aligned_to_aligned: memcpy()ing aligned uninit src to aligned dst (UMR report)
[    1.392359]     # test_memcpy_aligned_to_aligned: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:459
                   Expected report_matches(&expect) to be true, but is false
[    1.395181]     not ok 15 test_memcpy_aligned_to_aligned
[    1.395467]     # test_memcpy_aligned_to_unaligned: memcpy()ing aligned uninit src to unaligned dst (UMR report)
[    1.397845]     # test_memcpy_aligned_to_unaligned: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:483
                   Expected report_matches(&expect) to be true, but is false
[    1.400221]     # test_memcpy_aligned_to_unaligned: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:486
                   Expected report_matches(&expect) to be true, but is false
[    1.403059]     not ok 16 test_memcpy_aligned_to_unaligned
[    1.403437]     # test_memcpy_initialized_gap: unaligned 4-byte initialized value gets a nonzero origin after memcpy() - (2 UMR reports)
[    1.406077]     # test_memcpy_initialized_gap: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:532
                   Expected report_matches(&expect) to be true, but is false
[    1.408340]     # test_memcpy_initialized_gap: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:538
                   Expected report_matches(&expect) to be true, but is false
[    1.411063]     not ok 17 test_memcpy_initialized_gap
[    1.411338]     # test_memset16: memset16() should initialize memory
[    1.413393]     ok 18 test_memset16
[    1.413651]     # test_memset32: memset32() should initialize memory
[    1.415427]     ok 19 test_memset32
[    1.415739]     # test_memset64: memset64() should initialize memory
[    1.417513]     ok 20 test_memset64
[    1.417783]     # test_long_origin_chain: origin chain exceeding KMSAN_MAX_ORIGIN_DEPTH (UMR report)
[    1.419805]     # test_long_origin_chain: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:584
                   Expected report_matches(&expect) to be true, but is false
[    1.422415]     not ok 21 test_long_origin_chain
[    1.422752]     # test_stackdepot_roundtrip: testing stackdepot roundtrip (no reports)
[    1.424598]  kunit_try_run_case+0x19d/0xa50
[    1.425243]  kunit_generic_run_threadfn_adapter+0x62/0xe0
[    1.426252]  kthread+0x8cd/0xb40
[    1.426747]  ret_from_fork+0x189/0x2b0
[    1.427320]  ret_from_fork_asm+0x1a/0x30
[    1.428245]     ok 22 test_stackdepot_roundtrip
[    1.428519]     # test_unpoison_memory: unpoisoning via the instrumentation vs. kmsan_unpoison_memory() (2 UMR reports)
[    1.430771] =====================================================
[    1.431682] BUG: KMSAN: uninit-value in test_unpoison_memory+0x146/0x3e0
[    1.432705]  test_unpoison_memory+0x146/0x3e0
[    1.433356]  kunit_try_run_case+0x19d/0xa50
[    1.433979]  kunit_generic_run_threadfn_adapter+0x62/0xe0
[    1.434773]  kthread+0x8cd/0xb40
[    1.435263]  ret_from_fork+0x189/0x2b0
[    1.435846]  ret_from_fork_asm+0x1a/0x30

[    1.436692] Local variable a created at:
[    1.437270]  test_unpoison_memory+0x41/0x3e0
[    1.437903]  kunit_try_run_case+0x19d/0xa50

[    1.438766] Bytes 0-2 of 3 are uninitialized
[    1.439433] Memory access of size 3 starts at ffffc90000347cd5

[    1.440517] CPU: 3 UID: 0 PID: 99 Comm: kunit_try_catch Tainted: G                 N  6.17.0-rc5-00110-ge59a039119c3 #3 PREEMPT(none) 
[    1.442247] Tainted: [N]=TEST
[    1.442725] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[    1.444376] =====================================================
[    1.445263] Disabling lock debugging due to kernel taint
[    1.446103] =====================================================
[    1.447007] BUG: KMSAN: uninit-value in test_unpoison_memory+0x23f/0x3e0
[    1.447996]  test_unpoison_memory+0x23f/0x3e0
[    1.448650]  kunit_try_run_case+0x19d/0xa50
[    1.449319]  kunit_generic_run_threadfn_adapter+0x62/0xe0
[    1.450122]  kthread+0x8cd/0xb40
[    1.450611]  ret_from_fork+0x189/0x2b0
[    1.451181]  ret_from_fork_asm+0x1a/0x30

[    1.452010] Local variable b created at:
[    1.452894]  test_unpoison_memory+0x56/0x3e0
[    1.453537]  kunit_try_run_case+0x19d/0xa50

[    1.454407] Bytes 0-2 of 3 are uninitialized
[    1.455043] Memory access of size 3 starts at ffffc90000347cd1

[    1.456182] CPU: 3 UID: 0 PID: 99 Comm: kunit_try_catch Tainted: G    B            N  6.17.0-rc5-00110-ge59a039119c3 #3 PREEMPT(none) 
[    1.457925] Tainted: [B]=BAD_PAGE, [N]=TEST
[    1.458545] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[    1.460239] =====================================================
[    1.461617]     ok 23 test_unpoison_memory
[    1.462056]     # test_copy_from_kernel_nofault: testing copy_from_kernel_nofault with uninitialized memory
[    1.464122] ret is false
[    1.464538]     # test_copy_from_kernel_nofault: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:656
                   Expected report_matches(&expect) to be true, but is false
[    1.467250]     not ok 24 test_copy_from_kernel_nofault
[    1.482563] # kmsan: pass:11 fail:13 skip:0 total:24
[    1.483790] # Totals: pass:11 fail:13 skip:0 total:24
[    1.484532] not ok 1 kmsan
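An added example (mine, not code from this thread, from the kernel, or from the KUnit tooling): a small Python parser for the KTAP output that KUnit prints through the kernel log, run over a constructed, abridged excerpt of the run quoted above. It reconciles the per-case `ok` / `not ok` lines with the `# kmsan: pass:.. fail:..` tally the kernel prints, records the `kmsan_test.c` line of every failed expectation, and separates cases that failed only because an expected KMSAN report never appeared (the detector stayed silent on a planted bug) from any other kind of failure. The excerpt keeps six of the 24 cases, so its plan and tally lines are adjusted to match; the suite name `(top)` for unindented results is this example's own convention.

```python
"""Tally a KUnit KTAP log and flag cases where the sanitizer stayed silent.

Added example, not code from the thread or the kernel tree. Input is a
constructed, abridged excerpt of the KMSAN KUnit output quoted above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: six cases taken from the log above, with the plan
# line ("1..6") and the tally lines adjusted to the trimmed case count.
SAMPLE_LOG = """\
[    1.322395] KTAP version 1
[    1.322899] 1..1
[    1.323644]     KTAP version 1
[    1.324142]     # Subtest: kmsan
[    1.324650]     # module: kmsan_test
[    1.324667]     1..6
[    1.325990]     # test_uninit_kmalloc: uninitialized kmalloc test (UMR report)
[    1.327078] *ptr is true
[    1.327525]     # test_uninit_kmalloc: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:173
                   Expected report_matches(&expect) to be true, but is false
[    1.330117]     not ok 1 test_uninit_kmalloc
[    1.330474]     # test_init_kmalloc: initialized kmalloc test (no reports)
[    1.332129] *ptr is false
[    1.333384]     ok 2 test_init_kmalloc
[    1.339791]     # test_uninit_stack_var: uninitialized stack variable (UMR report)
[    1.341927]     # test_uninit_stack_var: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:211
                   Expected report_matches(&expect) to be true, but is false
[    1.344844]     not ok 3 test_uninit_stack_var
[    1.395467]     # test_memcpy_aligned_to_unaligned: memcpy()ing aligned uninit src to unaligned dst (UMR report)
[    1.397845]     # test_memcpy_aligned_to_unaligned: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:483
                   Expected report_matches(&expect) to be true, but is false
[    1.400221]     # test_memcpy_aligned_to_unaligned: EXPECTATION FAILED at mm/kmsan/kmsan_test.c:486
                   Expected report_matches(&expect) to be true, but is false
[    1.403059]     not ok 4 test_memcpy_aligned_to_unaligned
[    1.411338]     # test_memset16: memset16() should initialize memory
[    1.413393]     ok 5 test_memset16
[    1.461617]     ok 6 test_unpoison_memory
[    1.482563] # kmsan: pass:3 fail:3 skip:0 total:6
[    1.483790] # Totals: pass:3 fail:3 skip:0 total:6
[    1.484532] not ok 1 kmsan
"""

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")          # printk time prefix
RESULT_RE = re.compile(r"^(?P<indent> *)(?P<status>not ok|ok) (?P<num>\d+) (?P<name>\S+)(?P<rest>.*)$")
SUBTEST_RE = re.compile(r"^(?P<indent> *)# Subtest: (?P<name>\S+)")
EXPECT_RE = re.compile(r"^ *# (?P<test>\S+): EXPECTATION FAILED at (?P<loc>\S+:\d+)")
TALLY_RE = re.compile(r"^ *# (?P<suite>\S+): pass:(?P<p>\d+) fail:(?P<f>\d+) skip:(?P<s>\d+) total:(?P<t>\d+)")


@dataclass
class Case:
    num: int
    name: str
    passed: bool
    skipped: bool = False
    # [file:line, message] for each EXPECTATION FAILED printed for this case
    expectations: list = field(default_factory=list)


@dataclass
class Report:
    suites: dict = field(default_factory=dict)   # suite name -> [Case, ...]
    tallies: dict = field(default_factory=dict)  # suite name -> (pass, fail, skip, total)


def parse_ktap(text):
    report = Report()
    stack = []          # (indent, suite name) of subtests still open
    pending = {}        # test name -> expectations seen before its result line
    last_expect = None  # entry whose "Expected ..." continuation line is next
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw)
        if last_expect is not None and line.strip().startswith("Expected "):
            last_expect[1] = line.strip()   # KUnit prints the message on the next line
            last_expect = None
            continue
        last_expect = None
        if (m := SUBTEST_RE.match(line)):
            stack.append((len(m["indent"]), m["name"]))
            report.suites.setdefault(m["name"], [])
        elif (m := EXPECT_RE.match(line)):
            entry = [m["loc"], ""]
            pending.setdefault(m["test"], []).append(entry)
            last_expect = entry
        elif (m := TALLY_RE.match(line)):
            report.tallies[m["suite"]] = tuple(int(m[k]) for k in ("p", "f", "s", "t"))
        elif (m := RESULT_RE.match(line)):
            indent = len(m["indent"])
            while stack and stack[-1][0] > indent:   # a shallower result closes subtests
                stack.pop()
            suite = stack[-1][1] if stack and stack[-1][0] == indent else "(top)"
            skipped = "# SKIP" in m["rest"]
            report.suites.setdefault(suite, []).append(
                Case(int(m["num"]), m["name"], m["status"] == "ok" and not skipped,
                     skipped, pending.pop(m["name"], [])))
    return report


def failing_tests(report, suite):
    return [c.name for c in report.suites.get(suite, []) if not c.passed and not c.skipped]


def tally_matches(report, suite):
    """True if the per-case results agree with the tally line the kernel printed."""
    cases = report.suites.get(suite, [])
    passed = sum(c.passed for c in cases)
    skipped = sum(c.skipped for c in cases)
    return report.tallies.get(suite) == (passed, len(cases) - passed - skipped, skipped, len(cases))


def expectation_sites(report, suite):
    """Failing case -> kmsan_test.c locations of its failed expectations."""
    return {c.name: [loc for loc, _ in c.expectations]
            for c in report.suites.get(suite, []) if c.expectations}


def silent_detector_failures(report, suite):
    """Cases that failed only because an expected KMSAN report never appeared:
    every failed expectation is a report_matches() check, so the planted bug
    went undetected rather than the test crashing or miscomputing."""
    return [c.name for c in report.suites.get(suite, [])
            if not c.passed and c.expectations
            and all("report_matches" in msg for _, msg in c.expectations)]


if __name__ == "__main__":
    rep = parse_ktap(SAMPLE_LOG)
    print("failing:", failing_tests(rep, "kmsan"))
    print("tally consistent:", tally_matches(rep, "kmsan"))
    print("detector silent on:", silent_detector_failures(rep, "kmsan"))
    print("sites:", expectation_sites(rep, "kmsan"))
```

Run against the full log above, the same parser reports the kernel's own `pass:11 fail:13` tally as consistent with the 24 result lines, and every one of the 13 failures lands in the "detector silent" bucket, which is the point of the reply: the failing cases are ones where a planted uninitialized-memory use produced no matching KMSAN report, while `test_unpoison_memory`, which does print two `BUG: KMSAN: uninit-value` reports, passes.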
