Message-ID: <CANn89i+6naPhD_XJ-qjQ8mRGN1aQdSzMy1446d+0iOk_UjpMOw@mail.gmail.com>
Date: Sat, 13 Sep 2025 01:10:58 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: rodgepritesh@...il.com
Cc: netdev@...r.kernel.org, "David S . Miller" <davem@...emloft.net>, kuba@...nel.org,
pabeni@...hat.com, linux-hams@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+7d660d9b8bd5efc7ee6e@...kaller.appspotmail.com
Subject: Re: [PATCH] net/rose: Fix uninitialized values in rose_add_node
On Fri, Sep 12, 2025 at 2:22 PM <rodgepritesh@...il.com> wrote:
>
> From: Pritesh Rodge <rodgepritesh@...il.com>
>
> The rose_add_node() function uses kmalloc to allocate a new rose_node
> but only initializes the first element of the 'neighbour' array. If
> the node's count is later incremented, other parts of the kernel may
> access the uninitialized pointers in the array.
>
> This was discovered by KMSAN, which reported a crash in
> __run_timer_base when a timer tried to clean up a resource using
> one of these garbage pointers.
>
> Fix this by switching from kmalloc() to kzalloc() to ensure the
> entire rose_node struct is initialized to zero upon allocation. This
> sets all unused neighbour pointers to NULL.
Which part exactly of the rose node not being initialized would lead to
the syzbot report?
BUG: KMSAN: uninit-value in __hlist_del include/linux/list.h:980 [inline]
BUG: KMSAN: uninit-value in detach_timer kernel/time/timer.c:891 [inline]
BUG: KMSAN: uninit-value in expire_timers kernel/time/timer.c:1781 [inline]
BUG: KMSAN: uninit-value in __run_timers kernel/time/timer.c:2372 [inline]
BUG: KMSAN: uninit-value in __run_timer_base+0x690/0xd90 kernel/time/timer.c:2384
__hlist_del include/linux/list.h:980 [inline]
detach_timer kernel/time/timer.c:891 [inline]
expire_timers kernel/time/timer.c:1781 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x690/0xd90 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0x3a/0x80 kernel/time/timer.c:2403
handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
>
> [1] https://syzkaller.appspot.com/bug?extid=7d660d9b8bd5efc7ee6e
>
> Reported-by: syzbot+7d660d9b8bd5efc7ee6e@...kaller.appspotmail.com
> Signed-off-by: Pritesh Rodge <rodgepritesh@...il.com>
> ---
> net/rose/rose_route.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
> index a1e9b05ef6f5..6ca41cbe867a 100644
> --- a/net/rose/rose_route.c
> +++ b/net/rose/rose_route.c
> @@ -148,7 +148,7 @@ static int __must_check rose_add_node(struct rose_route_struct *rose_route,
> }
>
> /* create new node */
> - rose_node = kmalloc(sizeof(*rose_node), GFP_ATOMIC);
> + rose_node = kzalloc(sizeof(*rose_node), GFP_ATOMIC);
> if (rose_node == NULL) {
> res = -ENOMEM;
> goto out;
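Review bot: the commit message does not connect the uninitialized neighbour[] entries to the report it cites, which is an uninit-value in __hlist_del reached through detach_timer/expire_timers, i.e. a read of a timer's list linkage rather than of a rose_node neighbour pointer; before the one-line switch from `- rose_node = kmalloc(sizeof(*rose_node), GFP_ATOMIC);` to `+ rose_node = kzalloc(sizeof(*rose_node), GFP_ATOMIC);` is taken, the description should name the rose_node field that reaches the timer code uninitialized and how it gets there, and the trailer should carry a Fixes: tag alongside Reported-by and Signed-off-by.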
I doubt this will fix anything really, given this code is followed by:

	rose_node->address = rose_route->address;
	rose_node->mask = rose_route->mask;
	rose_node->count = 1;
	rose_node->loopback = 0;
	rose_node->neighbour[0] = rose_neigh;
rose is certainly full of bugs, but I do not see your patch fixing one of them.
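User-space model of the allocation path quoted above, added here as an example; it is not part of this thread or of the kernel's rose code, and the struct layout, the ROSE_MAX_NEIGH value and the 0xAA poison byte are assumptions made for the demonstration:

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define ROSE_MAX_NEIGH 3   /* assumed array size; the kernel's constant is not on the page */
#define POISON 0xAA        /* stands in for whatever kmalloc() happens to leave behind */

/* Hypothetical stand-in for struct rose_node: only the fields touched by the
 * assignments quoted in the thread are modelled. */
struct rose_node {
	uint32_t address;
	uint8_t  mask;
	uint8_t  count;
	uint8_t  loopback;
	void    *neighbour[ROSE_MAX_NEIGH];
};

/* Mirrors rose_add_node(): allocate as kmalloc() (zeroed == 0, contents
 * indeterminate, simulated with the poison byte) or as kzalloc() (zeroed == 1),
 * then apply the five assignments that follow the allocation in the thread. */
static struct rose_node *add_node(int zeroed, uint32_t address, uint8_t mask, void *neigh)
{
	struct rose_node *n = malloc(sizeof(*n));
	if (!n)
		return NULL;
	memset(n, zeroed ? 0 : POISON, sizeof(*n));

	n->address = address;
	n->mask = mask;
	n->count = 1;
	n->loopback = 0;
	n->neighbour[0] = neigh;
	return n;
}

/* Count neighbour[] slots the constructor never wrote, i.e. slots whose bytes
 * still carry the poison pattern. */
static int uninit_neighbours(const struct rose_node *n)
{
	unsigned char poison[sizeof(void *)];
	int i, bad = 0;

	memset(poison, POISON, sizeof(poison));
	for (i = 0; i < ROSE_MAX_NEIGH; i++)
		if (memcmp(&n->neighbour[i], poison, sizeof(poison)) == 0)
			bad++;
	return bad;
}
```

With the kmalloc()-style path two of the three neighbour slots stay unwritten and with kzalloc() none do, which is what the commit message describes; whether any code reads those slots while count is still 1 is the question raised in the reply, and this model does not answer it.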