| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACT4Y+bqD=EkkQB6hm+FVWVraDBChnRgqViLTqvmVrVM=1gH+w@mail.gmail.com>
Date: Mon, 11 Oct 2021 07:56:05 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: asmadeus@...ewreck.org
Cc: syzbot <syzbot+06472778c97ed94af66d@...kaller.appspotmail.com>,
davem@...emloft.net, ericvh@...il.com, glider@...gle.com,
kuba@...nel.org, linux-kernel@...r.kernel.org, lucho@...kov.net,
netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com,
v9fs-developer@...ts.sourceforge.net
Subject: Re: [syzbot] KMSAN: uninit-value in p9pdu_readf
On Sun, 10 Oct 2021 at 10:36, <asmadeus@...ewreck.org> wrote:
>
> Question for people who know about KMSAN: which of the backtrace or the
> 'Local variable' message should I trust?
Hi Dominique,
Both.
The first is the use of the unit, the second is the origin of the uninit.
> syzbot wrote on Sat, Oct 09, 2021 at 10:48:17PM -0700:
> > =====================================================
> > BUG: KMSAN: uninit-value in p9pdu_vreadf net/9p/protocol.c:147 [inline]
> > BUG: KMSAN: uninit-value in p9pdu_readf+0x46cf/0x4fc0 net/9p/protocol.c:526
> > p9pdu_vreadf net/9p/protocol.c:147 [inline]
> > p9pdu_readf+0x46cf/0x4fc0 net/9p/protocol.c:526
> > p9pdu_vreadf net/9p/protocol.c:198 [inline]
> > p9pdu_readf+0x2080/0x4fc0 net/9p/protocol.c:526
> > p9_client_stat+0x2b3/0x710 net/9p/client.c:1724
> > v9fs_mount+0xc14/0x12c0 fs/9p/vfs_super.c:170
>
> would be 'len' in p9pdu_vreadf, which has to be set as far as I can understand:
> > uint16_t len;
> >
> > errcode = p9pdu_readf(pdu, proto_version,
> > "w", &len);
> > if (errcode)
> > break;
> >
> > *sptr = kmalloc(len + 1, GFP_NOFS);
>
> with relevant part of p9pdu_readf being:
> > case 'w':{
> > int16_t *val = va_arg(ap, int16_t *);
> > __le16 le_val;
> > if (pdu_read(pdu, &le_val, sizeof(le_val))) {
> > errcode = -EFAULT;
> > break;
> > }
> > *val = le16_to_cpu(le_val);
> > }
> > ...
> > return errcode;
>
> e.g. either len or errcode should be set...
>
> But:
> > Local variable ----ecode@...check_errors created at:
> > p9_check_errors+0x68/0xb90 net/9p/client.c:506
> > p9_client_rpc+0xd90/0x1410 net/9p/client.c:801
>
> is something totally different, p9_client_rpc happens before the
> p9pdu_readf call in p9_client_stat, and ecode is local to
> p9_check_errors, I don't see how it could get that far.
>
> Note that inspecting p9_check_errors manually, there is a case where
> ecode is returned (indirectly through err = -ecode) without being
> initialized,
Does this connect both stacks? So the uinit is ecode, is it used in
p9pdu_vreadf? If yes, then that's what KMSAN reported.
> so I will send a patch for that at least, but I have no
> idea if that is what has been reported and it should be trivial to
> reproduce so I do not see why syzbot does not have a reproducer -- it
> retries running the last program that triggered the error before sending
> the report, right?
Yes.
>
> --
> Dominique Martinet | Asmadeus
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/YWKmBWfBS3oshQ/z%40codewreck.org.
Powered by blists - more mailing lists