lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <74c9a88d79b7c65e2fdc2dc1609e13590225cb60.camel@gmail.com>
Date: Mon, 07 Aug 2023 16:48:40 +0300
From: Eduard Zingerman <eddyz87@...il.com>
To: yonghong.song@...ux.dev, syzbot <syzbot+d61b595e9205573133b3@...kaller.appspotmail.com>, andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net, davem@...emloft.net, haoluo@...gle.com, hawk@...nel.org, john.fastabend@...il.com, jolsa@...nel.org, kpsingh@...nel.org, kuba@...nel.org, linux-kernel@...r.kernel.org, martin.lau@...ux.dev, netdev@...r.kernel.org, sdf@...gle.com, song@...nel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bpf?] KMSAN: uninit-value in ieee802154_subif_start_xmit

On Mon, 2023-08-07 at 16:11 +0300, Eduard Zingerman wrote:
[...]
> $ bpftool prog dump jited id <some-id>
> bpf_prog_ebeed182d92b487f:
>    0:	nopl (%rax,%rax)
>    5:	nop
>    7:	pushq %rbp
>    8:	movq %rsp, %rbp
>    b:	subq $8, %rsp
>   12:	movl $553656332, -8(%rbp)
>   19:	movswq %bp, %rdi              ; <---- Note movswq %bp !
>   1d:	addq $-8, %rdi
>   21:	movl $3, %esi
>   26:	cmpq %rdi, %rsi
>   29:	jbe 0x2b
>   2b:	callq 0xffffffffe11c484c
>   30:	xorl %eax, %eax
>   32:	leave
>   33:	retq
>
> Note jit instruction #19 corresponding to BPF instruction #1, which
> loads truncated and sign-extended value of %rbp's first byte as an
> address of format string.

Correction: sign-extended value of %rbp's first *two* bytes,
disassembly with opcodes:

  19:	movswq %bp, %rdi	48 0f bf fd

[...]
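The decoding behind the correction above, as an added example in Python that is not part of the original email or of the kernel's JIT: it decodes the quoted bytes 48 0f bf fd and emulates what instructions #19 and #1d compute from %rbp. The frame-pointer value it uses is constructed, not taken from the report.

```python
# Added example (not from the email or the kernel): decode "48 0f bf fd"
# and show how the emitted code derives the format-string pointer from
# %rbp. Register numbering follows the x86-64 ISA; SAMPLE_RBP is constructed.

REG64 = ["%rax", "%rcx", "%rdx", "%rbx", "%rsp", "%rbp", "%rsi", "%rdi",
         "%r8", "%r9", "%r10", "%r11", "%r12", "%r13", "%r14", "%r15"]
REG16 = ["%ax", "%cx", "%dx", "%bx", "%sp", "%bp", "%si", "%di",
         "%r8w", "%r9w", "%r10w", "%r11w", "%r12w", "%r13w", "%r14w", "%r15w"]

def decode_movswq(code: bytes) -> dict:
    """Decode REX.W 0F BF /r (movswq r/m16, r64) in register-direct form.

    Returns source, destination and source width, making visible that
    only the low two bytes of the source register reach the destination.
    """
    rex, op1, op2, modrm = code[0], code[1], code[2], code[3]
    if (rex & 0xF0) != 0x40 or not (rex & 0x08):
        raise ValueError("expected a REX.W prefix (0100 1xxx)")
    if (op1, op2) != (0x0F, 0xBF):
        raise ValueError("expected opcode 0F BF (movsx r64, r/m16)")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b11:
        raise ValueError("only the register-direct form is handled here")
    reg |= (rex & 0x04) << 1  # REX.R extends ModRM.reg
    rm |= (rex & 0x01) << 3   # REX.B extends ModRM.r/m
    return {"src": REG16[rm], "dst": REG64[reg], "src_bits": 16}

MASK64 = (1 << 64) - 1

def sign_extend16(value: int) -> int:
    """Sign-extend the low 16 bits of a 64-bit value, exactly as movswq does."""
    low = value & 0xFFFF
    return (low - 0x10000 if low & 0x8000 else low) & MASK64

def format_string_pointer(rbp: int) -> tuple:
    """Return (intended, emitted) %rdi after 'movswq %bp,%rdi; addq $-8,%rdi'.

    The slot at -8(%rbp) is where instruction #12 stored the format string,
    so the intended pointer is rbp - 8; the emitted code instead starts
    from the sign-extended low 16 bits of %rbp.
    """
    intended = (rbp - 8) & MASK64
    emitted = (sign_extend16(rbp) - 8) & MASK64
    return intended, emitted

# Constructed kernel-stack-looking frame pointer (not from the report).
SAMPLE_RBP = 0xFFFFC90000A1BF38
```

With the constructed frame pointer the emitted sequence yields 0xffffffffffffbf30 where rbp - 8 would be 0xffffc90000a1bf30, which is why the helper dereferences an uninitialised, unrelated address.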