Message-ID: <CANn89i+6naPhD_XJ-qjQ8mRGN1aQdSzMy1446d+0iOk_UjpMOw@mail.gmail.com>
Date: Sat, 13 Sep 2025 01:10:58 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: rodgepritesh@...il.com
Cc: netdev@...r.kernel.org, "David S . Miller" <davem@...emloft.net>, kuba@...nel.org, 
	pabeni@...hat.com, linux-hams@...r.kernel.org, linux-kernel@...r.kernel.org, 
	syzbot+7d660d9b8bd5efc7ee6e@...kaller.appspotmail.com
Subject: Re: [PATCH] net/rose: Fix uninitialized values in rose_add_node

On Fri, Sep 12, 2025 at 2:22 PM <rodgepritesh@...il.com> wrote:
>
> From: Pritesh Rodge <rodgepritesh@...il.com>
>
> The rose_add_node() function uses kmalloc to allocate a new rose_node
> but only initializes the first element of the 'neighbour' array. If
> the node's count is later incremented, other parts of the kernel may
> access the uninitialized pointers in the array.
>
> This was discovered by KMSAN, which reported a crash in
> __run_timer_base when a timer tried to clean up a resource using
> one of these garbage pointers.
>
> Fix this by switching from kmalloc() to kzalloc() to ensure the
> entire rose_node struct is initialized to zero upon allocation. This
> sets all unused neighbour pointers to NULL.

Which part exactly of rose node not being initialized would lead to
the syzbot report?

BUG: KMSAN: uninit-value in __hlist_del include/linux/list.h:980 [inline]
BUG: KMSAN: uninit-value in detach_timer kernel/time/timer.c:891 [inline]
BUG: KMSAN: uninit-value in expire_timers kernel/time/timer.c:1781 [inline]
BUG: KMSAN: uninit-value in __run_timers kernel/time/timer.c:2372 [inline]
BUG: KMSAN: uninit-value in __run_timer_base+0x690/0xd90 kernel/time/timer.c:2384
 __hlist_del include/linux/list.h:980 [inline]
 detach_timer kernel/time/timer.c:891 [inline]
 expire_timers kernel/time/timer.c:1781 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x690/0xd90 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0x3a/0x80 kernel/time/timer.c:2403
 handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
>
> [1] https://syzkaller.appspot.com/bug?extid=7d660d9b8bd5efc7ee6e
>
> Reported-by: syzbot+7d660d9b8bd5efc7ee6e@...kaller.appspotmail.com
> Signed-off-by: Pritesh Rodge <rodgepritesh@...il.com>
> ---
>  net/rose/rose_route.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
> index a1e9b05ef6f5..6ca41cbe867a 100644
> --- a/net/rose/rose_route.c
> +++ b/net/rose/rose_route.c
> @@ -148,7 +148,7 @@ static int __must_check rose_add_node(struct rose_route_struct *rose_route,
>                 }
>
>                 /* create new node */
> -               rose_node = kmalloc(sizeof(*rose_node), GFP_ATOMIC);
> +               rose_node = kzalloc(sizeof(*rose_node), GFP_ATOMIC);
>                 if (rose_node == NULL) {
>                         res = -ENOMEM;
>                         goto out;
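Review bot: the commit message does not connect this kzalloc change to the reported failure. The quoted KMSAN splat is an uninit-value read in __hlist_del reached through detach_timer, i.e. a timer's list node, while the hunk only changes how rose_node is allocated; the fields written right after this allocation (address, mask, count, loopback and neighbour[0], as shown further down the thread) are identical under either allocator, so the only observable effect of the change is that the remaining neighbour slots start out NULL. Please add to the description the path by which an unused neighbour slot ends up as the timer that expire_timers detaches, or drop the Reported-by link to this syzbot report until that link is shown. Also, the description calls the report a crash, but what is quoted is a KMSAN uninit-value warning.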

I doubt this will fix anything really, given this code is followed by:

rose_node->address      = rose_route->address;
rose_node->mask         = rose_route->mask;
rose_node->count        = 1;
rose_node->loopback     = 0;
rose_node->neighbour[0] = rose_neigh;

rose is certainly full of bugs, but I do not see your patch fixing one of them.
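The point made above can be checked mechanically: zeroing the allocation only matters for fields that nothing assigns afterwards. The program below is an added userspace illustration written for this page, not kernel code and not part of the patch; the struct, the poisoned allocator standing in for kmalloc() and the calloc() standing in for kzalloc() are constructed stand-ins, and the assignments mirror the five lines quoted in the reply. It reports which neighbour slots differ between the two allocation styles and confirms that the explicitly assigned fields do not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the kernel types; the layout follows the
 * assignments quoted in the thread, not the real net/rose headers. */
struct rose_neigh_sim { int id; };

struct rose_node_sim {
	uint32_t address;
	uint32_t mask;
	unsigned char count;
	unsigned char loopback;
	struct rose_neigh_sim *neighbour[3];
};

/* Stand-in for kmalloc(): the block is filled with a poison byte so that
 * "uninitialised" content is deterministic here. Real kmalloc() memory is
 * indeterminate; this only makes the comparison below reproducible. */
#define POISON_BYTE 0x5a
static void *alloc_poisoned(size_t n)
{
	void *p = malloc(n);
	if (p)
		memset(p, POISON_BYTE, n);
	return p;
}

/* Stand-in for kzalloc(): every byte starts out zero. */
static void *alloc_zeroed(size_t n)
{
	return calloc(1, n);
}

/* Mirrors the assignments that follow the allocation in rose_add_node():
 * each field listed here is written no matter which allocator ran. */
static struct rose_node_sim *add_node(bool zeroed, uint32_t address,
				      uint32_t mask, struct rose_neigh_sim *neigh)
{
	struct rose_node_sim *n = zeroed ? alloc_zeroed(sizeof(*n))
					 : alloc_poisoned(sizeof(*n));
	if (!n)
		return NULL;
	n->address      = address;
	n->mask         = mask;
	n->count        = 1;
	n->loopback     = 0;
	n->neighbour[0] = neigh;
	return n;
}

/* Bitmask of neighbour slots whose bytes differ between the kmalloc-style
 * and kzalloc-style node: exactly the set of slots the change affects.
 * Bytes are compared with memcmp() so no poisoned pointer is dereferenced. */
static unsigned slots_changed_by_zeroing(void)
{
	struct rose_neigh_sim neigh = { .id = 7 };
	struct rose_node_sim *a = add_node(false, 0x1234, 0xffff, &neigh);
	struct rose_node_sim *b = add_node(true,  0x1234, 0xffff, &neigh);
	unsigned changed = 0;

	if (!a || !b) {
		free(a);
		free(b);
		return ~0u;
	}
	for (size_t i = 0; i < 3; i++)
		if (memcmp(&a->neighbour[i], &b->neighbour[i], sizeof(void *)))
			changed |= 1u << i;
	free(a);
	free(b);
	return changed;
}

/* The explicitly assigned fields are identical under both allocators. */
static bool assigned_fields_identical(void)
{
	struct rose_neigh_sim neigh = { .id = 7 };
	struct rose_node_sim *a = add_node(false, 0x1234, 0xffff, &neigh);
	struct rose_node_sim *b = add_node(true,  0x1234, 0xffff, &neigh);
	bool same;

	if (!a || !b) {
		free(a);
		free(b);
		return false;
	}
	same = a->address == b->address && a->mask == b->mask &&
	       a->count == b->count && a->loopback == b->loopback &&
	       a->neighbour[0] == b->neighbour[0];
	free(a);
	free(b);
	return same;
}

int main(void)
{
	printf("neighbour slots changed by zeroing: 0x%x\n",
	       slots_changed_by_zeroing());
	printf("assigned fields identical: %s\n",
	       assigned_fields_identical() ? "yes" : "no");
	return 0;
}
```

Running it reports that only neighbour slots 1 and 2 (mask 0x6) differ, which is the complete set of fields the proposed kzalloc() would change; a commit message for such a patch therefore has to explain how one of those slots reaches the timer code named in the KMSAN report.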
