* KMSAN: uninit-value in __dev_mc_add @ 2018-09-26 14:24 syzbot 2018-09-27 21:30 ` Vladis Dronov 2018-10-08 13:06 ` syzbot 0 siblings, 2 replies; 5+ messages in thread From: syzbot @ 2018-09-26 14:24 UTC (permalink / raw) To: davem, edumazet, linux-kernel, netdev, sunlw.fnst, syzkaller-bugs Hello, syzbot found the following crash on: HEAD commit: eb2e67596de2 kmsan: minor code cleanup git tree: https://github.com/google/kmsan.git/master console output: https://syzkaller.appspot.com/x/log.txt?x=136e3b11400000 kernel config: https://syzkaller.appspot.com/x/.config?x=94a9ed72288f7fef dashboard link: https://syzkaller.appspot.com/bug?extid=001516d86dbe88862cec compiler: clang version 8.0.0 (trunk 339414) Unfortunately, I don't have any reproducer for this crash yet. IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+001516d86dbe88862cec@syzkaller.appspotmail.com ================================================================== BUG: KMSAN: uninit-value in memcmp+0x11d/0x180 lib/string.c:863 CPU: 0 PID: 14033 Comm: kworker/0:3 Not tainted 4.19.0-rc4+ #58 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x2f6/0x430 lib/dump_stack.c:113 kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:917 __msan_warning+0x70/0xc0 mm/kmsan/kmsan_instr.c:500 memcmp+0x11d/0x180 lib/string.c:863 __hw_addr_add_ex net/core/dev_addr_lists.c:61 [inline] __dev_mc_add+0x215/0x8c0 net/core/dev_addr_lists.c:670 dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687 igmp6_group_added+0x2c8/0xaa0 net/ipv6/mcast.c:676 __ipv6_dev_mc_inc+0xf4b/0x1270 net/ipv6/mcast.c:934 ipv6_dev_mc_inc+0x70/0x80 net/ipv6/mcast.c:941 addrconf_join_solict net/ipv6/addrconf.c:2098 [inline] addrconf_dad_begin net/ipv6/addrconf.c:3879 [inline] addrconf_dad_work+0x437/0x29b0 net/ipv6/addrconf.c:4006 process_one_work+0x197f/0x2490 kernel/workqueue.c:2153 worker_thread+0x1f6a/0x2b00 kernel/workqueue.c:2296 kthread+0x59c/0x5d0 kernel/kthread.c:247 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:416 Local variable description: ----buf@igmp6_group_added Variable was created at: igmp6_group_added+0x46/0xaa0 net/ipv6/mcast.c:664 __ipv6_dev_mc_inc+0xf4b/0x1270 net/ipv6/mcast.c:934 ================================================================== --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KMSAN: uninit-value in __dev_mc_add 2018-09-26 14:24 KMSAN: uninit-value in __dev_mc_add syzbot @ 2018-09-27 21:30 ` Vladis Dronov 2018-09-27 22:22 ` Eric Dumazet 2018-10-08 13:06 ` syzbot 1 sibling, 1 reply; 5+ messages in thread From: Vladis Dronov @ 2018-09-27 21:30 UTC (permalink / raw) To: syzbot+001516d86dbe88862cec, David S . Miller, Eric Dumazet, netdev, linux-kernel, syzkaller-bugs [-- Attachment #1: Type: text/plain, Size: 704 bytes --] Hello, This report is actually for the same bug which was reported in: https://syzkaller.appspot.com/bug?id=088efeac32fdde781038a777a63e436c0d4d7036 The note there that the bug was fixed by "Commits: net: fix uninit-value in __hw_addr_add_ex()" is wrong. A C-reproducer from the 2nd syzkaller report can trigger the bug from this one. I've researched this and a result is a proposed patch, the problem is the tun device code allowing to set an arbitrary link type. https://lkml.org/lkml/2018/9/26/416 https://lore.kernel.org/lkml/20180926093018.6646-1-vdronov@redhat.com/T/#u https://marc.info/?l=linux-netdev&m=153795423320016&w=2 A simplified reproducer is attached. Best regards, Vladis Dronov [-- Attachment #2: kmsan-hw_addr_add_ex.c --] [-- Type: text/plain, Size: 2185 bytes --] #define _GNU_SOURCE #include <endian.h> #include <errno.h> #include <fcntl.h> #include <linux/futex.h> #include <pthread.h> #include <sched.h> #include <signal.h> #include <stdarg.h> #include <stdbool.h> #include <stdio.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/mman.h> #include <sys/prctl.h> #include <sys/resource.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/time.h> #include <sys/wait.h> #include <unistd.h> #include <errno.h> #include <stdarg.h> #include <stdint.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { int ret, sockfd, tunfd; syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); // socket(AF_PACKET, SOCK_DGRAM|SOCK_NONBLOCK, 0) sockfd = syscall(__NR_socket, 0x11, 0x100000802, 0); if (sockfd < 0) { perror("socket()"); ret = 1; goto exit_end; } memcpy((void*)0x20000240, "/dev/net/tun", 13); tunfd = open((char *)0x20000240, 0); if (tunfd < 0) { perror("open()"); ret = 2; goto exit_sock_close; } memcpy((void*)0x200000c0, "\x69\x67\x62\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x200000d0 = 0x4012; ret = syscall(__NR_ioctl, tunfd, 0x400454ca, 0x200000c0); // TUNSETIFF _IOW('T', 202, int) if (ret < 0) { perror("ioctl(TUNSETIFF)"); ret = 3; goto exit_tun_close; } // TUNSETLINK _IOW('T', 205, int) / 0x30a = 778 = ARPHRD_IPGRE if (argc < 2) ret = syscall(__NR_ioctl, tunfd, 0x400454cd, 0x30a); else ret = syscall(__NR_ioctl, tunfd, 0x400454cd, atoi(argv[1])); if (ret < 0) { perror("ioctl(TUNSETLINK)"); ret = 4; goto exit_tun_close; } memcpy((void*)0x20000040, "\x69\x67\x62\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16); *(uint16_t*)0x20000050 = 0xa201; ret = syscall(__NR_ioctl, sockfd, 0x8914, 0x20000040); // SIOCSIFFLAGS 0x8914 if (ret < 0) { perror("ioctl(SIOCSIFFLAGS)"); ret = 5; goto exit_tun_close; } printf("done:\n"); system("/usr/sbin/ip -details link show igb0"); exit_tun_close: close(tunfd); exit_sock_close: close(sockfd); exit_end: munmap((void *)0x20000000, 0x1000000); return 0; } ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KMSAN: uninit-value in __dev_mc_add 2018-09-27 21:30 ` Vladis Dronov @ 2018-09-27 22:22 ` Eric Dumazet 2018-09-27 23:10 ` Vladis Dronov 0 siblings, 1 reply; 5+ messages in thread From: Eric Dumazet @ 2018-09-27 22:22 UTC (permalink / raw) To: vdronov Cc: syzbot+001516d86dbe88862cec, David Miller, netdev, LKML, syzkaller-bugs On Thu, Sep 27, 2018 at 2:30 PM Vladis Dronov <vdronov@redhat.com> wrote: > > Hello, > > This report is actually for the same bug which was reported in: > > https://syzkaller.appspot.com/bug?id=088efeac32fdde781038a777a63e436c0d4d7036 > > The note there that the bug was fixed by "Commits: net: fix uninit-value in > __hw_addr_add_ex()" is wrong. A C-reproducer from the 2nd syzkaller report > can trigger the bug from this one. > > I've researched this and a result is a proposed patch, the problem is the tun > device code allowing to set an arbitrary link type. > > https://lkml.org/lkml/2018/9/26/416 > https://lore.kernel.org/lkml/20180926093018.6646-1-vdronov@redhat.com/T/#u > https://marc.info/?l=linux-netdev&m=153795423320016&w=2 > I dunno, your patch looks quite not the right fix. If TUN is able to change dev->type, how comes it does not set the appropriate dev->addr_len at the same time ? Really the bug seems to be deeper, and without setting proper dev->addr_len, we'll need more 'fixes' like yours. Thanks. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KMSAN: uninit-value in __dev_mc_add 2018-09-27 22:22 ` Eric Dumazet @ 2018-09-27 23:10 ` Vladis Dronov 0 siblings, 0 replies; 5+ messages in thread From: Vladis Dronov @ 2018-09-27 23:10 UTC (permalink / raw) To: Eric Dumazet Cc: syzbot+001516d86dbe88862cec, David Miller, netdev, LKML, syzkaller-bugs Hello, Eric, all, > I dunno, your patch looks quite not the right fix. I agree, it looks more like a dirty hack. Unfortunately, I lack the deep expertise in the network stack subsystem, so I've posted the patch to, sort of, start a discussion and probably get some hints. > If TUN is able to change dev->type, how comes it does not set the > appropriate dev->addr_len at the same time ? Well,... probably, nobody cared to do so: [drivers/net/tun.c] case TUNSETLINK: ... tun->dev->type = (int) arg; //<--- that's all! tun_debug(KERN_INFO, tun, "linktype set to %d\n", tun->dev->type); ret = 0; } break; > Really the bug seems to be deeper, and without setting proper > dev->addr_len, we'll need more 'fixes' like yours. Absolutely. Unfortunately, I wasn't able to just write such deeper patch. Let me share what I have found and let me hope to get an advise. - So setting just the tun->dev->type makes the dev struct inconsistent. - There are more field to adjust, at least dev->broadcast. Also, there are a number of *_ops fields which are all set for the Ethernet type, most probably they must be adjusted also. - There is no get_addr_len_by_link_type() or a simple way to get link layer properties by dev->type. Such settings are scattered in *_setup and *_init functions, like ipgre_tunnel_init() { ... dev->addr_len = 4; ...} Having these, I can imagine 2 ways for a proper fix. 1) Destroy the net_device in question and recreate it when changing a link type. This way all the dev fields are set right. Create it in a similar way as rtnl_newlink() does. Again, we do not have get_X_by_link_type(), so it probably will be some large switch()/case: $ grep '^#define ARPHRD_' include/uapi/linux/if_arp.h | wc -l 59 2) Leave tun an Ethernet device, add some tun->pretend_to_be_this_link_type field and change only it on TUNSETLINK. And use this field in cases for which TUNSETLINK was invented in the first place. Unfortunately, I do not have such a list. The initial the commit ff4cc3ac93e1 says: For use with wireless and other networking types it should be possible to set the ARP type via an ioctl. Surely, there can be something else which I do not see. Could anyone suggest an advice on this? Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KMSAN: uninit-value in __dev_mc_add 2018-09-26 14:24 KMSAN: uninit-value in __dev_mc_add syzbot 2018-09-27 21:30 ` Vladis Dronov @ 2018-10-08 13:06 ` syzbot 1 sibling, 0 replies; 5+ messages in thread From: syzbot @ 2018-10-08 13:06 UTC (permalink / raw) To: davem, edumazet, linux-kernel, netdev, sunlw.fnst, syzkaller-bugs, vdronov syzbot has found a reproducer for the following crash on: HEAD commit: 43c85fe5a0ee kmsan: suppress false positives in KVM git tree: https://github.com/google/kmsan.git/master console output: https://syzkaller.appspot.com/x/log.txt?x=15ffd5b9400000 kernel config: https://syzkaller.appspot.com/x/.config?x=3ff9630e1f32e076 dashboard link: https://syzkaller.appspot.com/bug?extid=001516d86dbe88862cec compiler: clang version 8.0.0 (trunk 339414) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10adf491400000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=100c8159400000 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+001516d86dbe88862cec@syzkaller.appspotmail.com random: sshd: uninitialized urandom read (32 bytes read) random: sshd: uninitialized urandom read (32 bytes read) random: sshd: uninitialized urandom read (32 bytes read) IPVS: ftp: loaded support on port[0] = 21 ================================================================== BUG: KMSAN: uninit-value in memcmp+0x117/0x180 lib/string.c:863 CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.19.0-rc4+ #64 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x306/0x460 lib/dump_stack.c:113 kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917 __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500 memcmp+0x117/0x180 lib/string.c:863 __hw_addr_add_ex net/core/dev_addr_lists.c:61 [inline] __dev_mc_add+0x1f9/0x8b0 net/core/dev_addr_lists.c:670 dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687 igmp6_group_added+0x2d7/0xab0 net/ipv6/mcast.c:676 __ipv6_dev_mc_inc+0xeff/0x10f0 net/ipv6/mcast.c:934 ipv6_dev_mc_inc+0x70/0x80 net/ipv6/mcast.c:941 addrconf_join_solict net/ipv6/addrconf.c:2098 [inline] addrconf_dad_begin net/ipv6/addrconf.c:3879 [inline] addrconf_dad_work+0x3e7/0x2690 net/ipv6/addrconf.c:4006 process_one_work+0x19c4/0x24f0 kernel/workqueue.c:2153 worker_thread+0x206d/0x2b30 kernel/workqueue.c:2296 kthread+0x59c/0x5d0 kernel/kthread.c:247 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:416 Local variable description: ----buf@igmp6_group_added Variable was created at: igmp6_group_added+0x57/0xab0 net/ipv6/mcast.c:664 __ipv6_dev_mc_inc+0xeff/0x10f0 net/ipv6/mcast.c:934 ================================================================== ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-10-08 13:06 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-09-26 14:24 KMSAN: uninit-value in __dev_mc_add syzbot 2018-09-27 21:30 ` Vladis Dronov 2018-09-27 22:22 ` Eric Dumazet 2018-09-27 23:10 ` Vladis Dronov 2018-10-08 13:06 ` syzbot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).