lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20250929081110.11618-1-abinashsinghlalotra@gmail.com>
Date: Mon, 29 Sep 2025 13:41:10 +0530
From: Abinash Singh <abinashsinghlalotra@...il.com>
To: kent.overstreet@...ux.dev
Cc: linux-bcachefs@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Abinash Singh <abinashsinghlalotra@...il.com>,
	syzbot+7fb23a5461e8c9d38a3e@...kaller.appspotmail.com
Subject: [PATCH RFC] bcachefs: Fix KMSAN uninit-value in __bch2_read_endio

KMSAN reported a use of uninitialized memory in __bch2_read_endio():

  BUG: KMSAN: uninit-value in __bch2_read_endio+0xb2a/0x2240
  fs/bcachefs/io_read.c:832
  ...
  Uninit was stored to memory at:
  poly1305_core_emit+0x46a/0x480 lib/crypto/poly1305-donna64.c:183
  ...
  __bch2_checksum_bio+0x1048/0x1130 fs/bcachefs/checksum.c:237

The local `digest` buffer in __bch2_checksum_bio() was left
uninitialized before being passed into Poly1305 routines, which
caused KMSAN to flag it as an uninitialized read.

Fix this by explicitly zero-initializing `digest`.

Reported-by: syzbot+7fb23a5461e8c9d38a3e@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7fb23a5461e8c9d38a3e
Fixes: 1c6fdbd8f246 ("bcachefs: Initial commit")
Signed-off-by: Abinash Singh <abinashsinghlalotra@...il.com>
---
 fs/bcachefs/checksum.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/bcachefs/checksum.c b/fs/bcachefs/checksum.c
index a6795e73f0b9..433ded62c77a 100644
--- a/fs/bcachefs/checksum.c
+++ b/fs/bcachefs/checksum.c
@@ -216,7 +216,7 @@ static struct bch_csum __bch2_checksum_bio(struct bch_fs *c, unsigned type,
 	case BCH_CSUM_chacha20_poly1305_80:
 	case BCH_CSUM_chacha20_poly1305_128: {
 		struct poly1305_desc_ctx dctx;
-		u8 digest[POLY1305_DIGEST_SIZE];
+		u8 digest[POLY1305_DIGEST_SIZE] = { 0 };
 		struct bch_csum ret = { 0 };
 
 		bch2_poly1305_init(&dctx, c, nonce);
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ