lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <d3d93d11-9895-4d4b-853d-729be06ead4e@paragon-software.com>
Date: Mon, 27 Oct 2025 11:24:44 +0100
From: Konstantin Komarov <almaz.alexandrovich@...agon-software.com>
To: Nirbhay Sharma <nirbhay.lkd@...il.com>
CC: <david.hunter.linux@...il.com>, <skhan@...uxfoundation.org>,
	<linux-kernel-mentees@...ts.linuxfoundation.org>, <khalid@...nel.org>,
	<syzbot+83c9dd5c0dcf6184fdbf@...kaller.appspotmail.com>,
	<ntfs3@...ts.linux.dev>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] fs/ntfs3: fix KMSAN uninit-value in ni_create_attr_list

On 10/25/25 17:07, Nirbhay Sharma wrote:
>
>
> On 10/7/25 4:08 AM, Nirbhay Sharma wrote:
>> The call to kmalloc() to allocate the attribute list buffer is given a
>> size of al_aligned(rs). This size can be larger than the data
>> subsequently copied into the buffer, leaving trailing bytes 
>> uninitialized.
>>
>> This can trigger a KMSAN "uninit-value" warning if that memory is
>> later accessed.
>>
>> Fix this by using kzalloc() instead, which ensures the entire
>> allocated buffer is zero-initialized, preventing the warning.
>>
>> Reported-by: syzbot+83c9dd5c0dcf6184fdbf@...kaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=83c9dd5c0dcf6184fdbf
>> Signed-off-by: Nirbhay Sharma <nirbhay.lkd@...il.com>
>> ---
>> The following syzbot test commands were used to verify the fix against
>> both linux-next and a specific mainline commit. Both kernels were
>> configured with CONFIG_KMSAN=y, and no KMSAN warnings were observed
>> with the patch applied.
>>
>> An attempt to test against the latest mainline tip failed due to an
>> unrelated boot failure in the SCSI subsystem (KMSAN: use-after-free in
>> scsi_get_vpd_buf). Therefore, testing was done on the last known-good
>> mainline commit below.
>>
>> For mainline commit 9b0d551bcc05 ("Merge tag 'pull-misc' of..."):
>> #syz test: 
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
>> 9b0d551bcc05
>>
>> For the linux-next branch:
>> #syz test: 
>> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 
>> master
>>
>>   fs/ntfs3/frecord.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
>> index 8f9fe1d7a690..4fe8da7fc034 100644
>> --- a/fs/ntfs3/frecord.c
>> +++ b/fs/ntfs3/frecord.c
>> @@ -767,7 +767,7 @@ int ni_create_attr_list(struct ntfs_inode *ni)
>>        * Skip estimating exact memory requirement.
>>        * Looks like one record_size is always enough.
>>        */
>> -    le = kmalloc(al_aligned(rs), GFP_NOFS);
>> +    le = kzalloc(al_aligned(rs), GFP_NOFS);
>>       if (!le)
>>           return -ENOMEM;
> Hi Konstantin,
>
> I sent this patch about 3 weeks ago and haven't heard back yet. I wanted
> to check if there are any concerns with the patch or if any changes are
> needed. The fix addresses a KMSAN uninit-value bug and has been tested
> successfully on both linux-next and the commit from the syzbot report.
>
> Please let me know if you need any additional information or testing.
>
> Thanks,
> Nirbhay

Hello,

Your patch has been applied, but it hasn’t been pushed to our repository
yet. It will be there as soon as possible.

I’ll let you know once it’s merged into kernel. Thanks for your patience.

Regards,
Konstantin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ