From: "侯伟桃 Vincent Hou" <houweitao@didiglobal.com>
To: "syzbot+92ef9ee419803871020e@syzkaller.appspotmail.com"
<syzbot+92ef9ee419803871020e@syzkaller.appspotmail.com>
Cc: "akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"brauner@kernel.org" <brauner@kernel.org>,
"glider@google.com" <glider@google.com>,
"keescook@chromium.org" <keescook@chromium.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"syzkaller-bugs@googlegroups.com"
<syzkaller-bugs@googlegroups.com>
Subject: Re: [syzbot] [hfs?] KMSAN: uninit-value in hfsplus_listxattr
Date: Mon, 22 May 2023 10:12:38 +0000
Message-ID: <a2f03e2ab9c34dcaabcf9fb11c0a1f45@didiglobal.com>
Since the strbuf in hfsplus_listxattr was allocated with kmalloc and filled with hfsplus_uni2asc,
which did not write a "\0" into the last byte, in some cases the uninitialized byte may be accessed when
comparing the strbuf with a known namespace. But I still need to check the value of the xattr in strbuf
to confirm the root cause. Please help test with the debug patch below.
#syz test: https://github.com/google/kmsan.git 80383273f7a0
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -671,6 +671,7 @@ static ssize_t hfsplus_listxattr_finder_info(struct dentry *dentry,
return res;
}
+extern bool kmsan_enabled;
ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size)
{
ssize_t err;
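Review bot: the bare `extern bool kmsan_enabled;` added above `hfsplus_listxattr` reaches into KMSAN's private runtime state; that symbol only exists when CONFIG_KMSAN is set, so fs/hfsplus/xattr.c will fail to link on any non-KMSAN build. That is acceptable for a `#syz test` run against the kmsan tree, but it marks the whole change as debug-only, and none of it should carry over into the eventual fix.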
@@ -681,6 +682,8 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size)
struct hfsplus_attr_key attr_key;
char *strbuf;
int xattr_name_len;
+ int off = 0;
+ char *dumpinfo;
if ((!S_ISREG(inode->i_mode) &&
!S_ISDIR(inode->i_mode)) ||
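Review bot: the `= 0` initializer on `int off` is dead, since the later `for (off = 0; ...)` assigns it before any read; `int off;` is enough. Minor, but it keeps the debug declarations from looking like they carry state across the function.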
@@ -705,6 +708,12 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size)
res = -ENOMEM;
goto out;
}
+ dumpinfo = kzalloc(200, GFP_KERNEL);
+ if (!dumpinfo) {
+ kfree(strbuf);
+ res = -ENOMEM;
+ goto out;
+ }
err = hfsplus_find_attr(inode->i_sb, inode->i_ino, NULL, &fd);
if (err) {
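Review bot: the hard-coded `kzalloc(200, GFP_KERNEL)` is sized by hand to match a loop in a later hunk (20 entries of 5 characters each), and nothing ties the two together; a named constant such as `DUMP_BYTES * 5 + 1` used in both places would stop them drifting apart. The error path itself mirrors the existing strbuf one (free what was allocated, set `-ENOMEM`, `goto out`), which is right.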
@@ -741,6 +750,15 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size)
goto end_listxattr;
}
+ pr_info("find xattr size:%ld and dump strbuf pre 20 bytes:\n", size);
+ WRITE_ONCE(kmsan_enabled, false);
+ if (kmsan_enabled == false) {
+ for (off = 0; off < 20; off++) {
+ sprintf(dumpinfo + off * 5, " 0x%02x", strbuf[off]);
+ }
+ pr_info("%s\n", dumpinfo);
+ }
+ WRITE_ONCE(kmsan_enabled, true);
if (!buffer || !size) {
if (can_list(strbuf))
res += name_len(strbuf, xattr_name_len);
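Review bot: `sprintf(dumpinfo + off * 5, " 0x%02x", strbuf[off])` overflows its 5-character slot whenever a byte has the high bit set: `strbuf` is `char *`, so the value is sign-extended to `int` and `%02x` prints `0xffffff80`, ten characters, and twenty such entries exceed the 200-byte `dumpinfo`. Cast to `(unsigned char)` or use `print_hex_dump()` / the `%*ph` printk extension, which also avoids building the string by hand. Two smaller points in the same block: `%ld` for `size_t size` should be `%zu`, and `size` here is the caller's buffer size, not the xattr size the message claims (`xattr_name_len` is the value that would back that wording); and `if (kmsan_enabled == false)` immediately after `WRITE_ONCE(kmsan_enabled, false)` is always true, so the test adds nothing. Note too that clearing the global flag switches KMSAN off on every CPU for the duration of the dump, not just for this task, so any real bug hit elsewhere in that window goes unreported.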
@@ -759,6 +777,7 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size)
end_listxattr:
kfree(strbuf);
+ kfree(dumpinfo);
out:
hfs_find_exit(&fd);
return res;
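Review bot: freeing `dumpinfo` only at `end_listxattr` is correct provided every exit after its allocation jumps there rather than to `out`; in the visible hunks the only `goto out` after that point is `dumpinfo`'s own allocation failure, which runs before it exists, so nothing leaks, but it is worth confirming that the loop body not shown here has no `goto out` of its own.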
Thread overview: 3+ messages
2023-05-22 10:12 侯伟桃 Vincent Hou [this message]
2023-05-22 10:56 ` [syzbot] [hfs?] KMSAN: uninit-value in hfsplus_listxattr Christian Brauner
2023-03-06 18:06 syzbot