[syzbot] [erofs?] KMSAN: uninit-value in z_erofs_lz4_decompress (2)


syzbot

Dec 27, 2023, 7:31:26 AM12/27/23
to ch...@kernel.org, huy...@coolpad.com, jeff...@linux.alibaba.com, linux...@lists.ozlabs.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, xi...@kernel.org
Hello,

syzbot found the following issue on:

HEAD commit: fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b0a595e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=169fac19e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14aafc81e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/fcf70b38bafb/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6c746e...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 16
erofs: (device loop0): mounted with root inode @ nid 36.
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:252 [inline]
z_erofs_lz4_decompress+0x257e/0x2a70 fs/erofs/decompressor.c:311
z_erofs_decompress_pcluster fs/erofs/zdata.c:1290 [inline]
z_erofs_decompress_queue+0x338c/0x6460 fs/erofs/zdata.c:1372
z_erofs_runqueue+0x36cd/0x3830
z_erofs_read_folio+0x435/0x810 fs/erofs/zdata.c:1843
filemap_read_folio+0xce/0x370 mm/filemap.c:2323
do_read_cache_folio+0x3b4/0x11e0 mm/filemap.c:3691
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
__alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages mm/mempolicy.c:2204 [inline]
folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
do_read_cache_folio+0x163/0x11e0 mm/filemap.c:3655
read_cache_folio+0x60/0x80 mm/filemap.c:3723
erofs_bread+0x286/0x6f0 fs/erofs/data.c:46
erofs_find_target_block fs/erofs/namei.c:103 [inline]
erofs_namei+0x2fe/0x1790 fs/erofs/namei.c:177
erofs_lookup+0x100/0x3c0 fs/erofs/namei.c:206
lookup_one_qstr_excl+0x233/0x520 fs/namei.c:1609
filename_create+0x2fc/0x6d0 fs/namei.c:3876
do_mkdirat+0x69/0x800 fs/namei.c:4121
__do_sys_mkdirat fs/namei.c:4144 [inline]
__se_sys_mkdirat fs/namei.c:4142 [inline]
__x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4142
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 1 PID: 5006 Comm: syz-executor342 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Lizhi Xu

Dec 27, 2023, 8:11:40 PM12/27/23
to syzbot+6c746e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3

diff --git a/lib/hexdump.c b/lib/hexdump.c
index 06833d404398..68b30bf6c6a3 100644
--- a/lib/hexdump.c
+++ b/lib/hexdump.c
@@ -263,12 +263,14 @@ void print_hex_dump(const char *level, const char *prefix_str, int prefix_type,
const void *buf, size_t len, bool ascii)
{
const u8 *ptr = buf;
- int i, linelen, remaining = len;
+ int i, linelen, remaining;
unsigned char linebuf[32 * 3 + 2 + 32 + 1];

if (rowsize != 16 && rowsize != 32)
rowsize = 16;

+ len = len > sizeof(linebuf) ? sizeof(linebuf) : len;
+ remaining = len;
for (i = 0; i < len; i += rowsize) {
linelen = min(remaining, rowsize);
remaining -= rowsize;
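Review bot: the clamp `len = len > sizeof(linebuf) ? sizeof(linebuf) : len;` does not address what the report flags. KMSAN is complaining about the bytes hex_dump_to_buffer reads from `buf` (the erofs output buffer, which according to the "Uninit was created at" trace came straight from a freshly allocated page-cache folio), and the first sizeof(linebuf) bytes of that buffer are no more initialized than the rest, so the dump still reads uninitialized memory. It also changes print_hex_dump for every caller in the kernel, silently truncating any dump longer than 131 bytes (32 * 3 + 2 + 32 + 1) with no indication in the output. Suggest leaving lib/hexdump.c alone and fixing the caller in fs/erofs/decompressor.c so that it does not dump a buffer whose initialized extent it does not know.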

Gao Xiang

Dec 27, 2023, 10:36:11 PM12/27/23
to syzbot, ch...@kernel.org, huy...@coolpad.com, jeff...@linux.alibaba.com, linux...@lists.ozlabs.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, xi...@kernel.org

syzbot

Dec 27, 2023, 10:38:05 PM12/27/23
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in z_erofs_lz4_decompress

erofs: (device loop0): mounted with root inode @ nid 36.
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
print_hex_dump+0x14c/0x3d0 lib/hexdump.c:278
CPU: 1 PID: 5483 Comm: syz-executor.0 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


Tested on:

commit: fbafc3e6 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=167c416ee80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1576ce6ee80000

syzbot

Dec 27, 2023, 11:23:07 PM12/27/23
to ch...@kernel.org, hsia...@linux.alibaba.com, huy...@coolpad.com, jeff...@linux.alibaba.com, linux...@lists.ozlabs.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, xi...@kernel.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+6c746e...@syzkaller.appspotmail.com

Tested on:

commit: 94da00a0 erofs: avoid debugging output for (de)compres..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev-test
console output: https://syzkaller.appspot.com/x/log.txt?x=13715b95e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f711bc2a7eb1db25
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

Lizhi Xu

Dec 28, 2023, 12:56:47 AM12/28/23
to syzbot+6c746e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3

diff --git a/lib/hexdump.c b/lib/hexdump.c
index 06833d404398..e146b1bf73dc 100644
--- a/lib/hexdump.c
+++ b/lib/hexdump.c
@@ -264,7 +264,7 @@ void print_hex_dump(const char *level, const char *prefix_str, int prefix_type,
{
const u8 *ptr = buf;
int i, linelen, remaining = len;
- unsigned char linebuf[32 * 3 + 2 + 32 + 1];
+ unsigned char linebuf[32 * 3 + 2 + 32 + 1] = "";
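Review bot: initialising `linebuf` with `= ""` zeroes the destination line buffer, but the uninit-value KMSAN reports at lib/hexdump.c:194 is hex_dump_to_buffer reading the source bytes at `buf`, which this hunk does not touch, so the report cannot change. It also adds a 131-byte memset to every line of every print_hex_dump call in the kernel for no benefit. The fix belongs at the erofs call site, which passes `out` with a length of `rq->outputsize` even when decompression failed and the buffer is only partly written.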

syzbot

Dec 28, 2023, 1:17:05 AM12/28/23
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in z_erofs_lz4_decompress

loop0: detected capacity change from 0 to 16
erofs: (device loop0): mounted with root inode @ nid 36.
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
print_hex_dump+0x14f/0x3f0 lib/hexdump.c:276
CPU: 1 PID: 5491 Comm: syz-executor.0 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


Tested on:

commit: fbafc3e6 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1101d8f6e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=118f5f9ee80000

Edward Adam Davis

Dec 28, 2023, 8:54:16 AM12/28/23
to syzbot+6c746e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test uninit-value in z_erofs_lz4_decompress (2)
diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 021be5feb1bc..1c19731c8fc6 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -250,7 +250,7 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
16, 1, src + inputmargin, rq->inputsize, true);
print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
- 16, 1, out, rq->outputsize, true);
+ 16, 1, out, ret > 0 ? ret : rq->outputsize, true);

if (ret >= 0)
memset(out + ret, 0, rq->outputsize - ret);
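Review bot: `ret > 0 ? ret : rq->outputsize` only shortens the dump on the success path. In the failing case the report shows (ret == -12) the expression still evaluates to rq->outputsize, so all 917 bytes of `out` are dumped exactly as before and the uninitialized read is unchanged. If the intent is to dump only what the decompressor wrote, it is the failure branch that needs a bound, and a negative LZ4 return value does not provide one.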

Edward Adam Davis

Dec 28, 2023, 9:08:59 AM12/28/23
to syzbot+6c746e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test uninit-value in z_erofs_lz4_decompress (2)

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3

diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 021be5feb1bc..c0983c3db77f 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
16, 1, src + inputmargin, rq->inputsize, true);
print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
- 16, 1, out, rq->outputsize, true);
+ 16, 1, out, ret < 0 ? min_t(unsigned int,
+ rq->outputsize, rq->inputsize) : rq->outputsize, true);
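Review bot: bounding the output dump by `rq->inputsize` is not a bound on initialized data. The length of the compressed input says nothing about how many bytes of `out` the decoder had written when it bailed out; with the report's numbers (in[46, 4050], out[917]) this dumps the first 46 bytes of `out`, which still hold whatever the page allocator left there if the decoder wrote fewer. A dump length on the failure path would have to come from the decoder's actual output position, which the LZ4 negative return does not expose, so dropping the output dump on failure is the safer change.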

syzbot

Dec 28, 2023, 9:32:05 AM12/28/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in z_erofs_lz4_decompress

loop0: detected capacity change from 0 to 16
erofs: (device loop0): mounted with root inode @ nid 36.
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:252 [inline]
z_erofs_lz4_decompress+0x2624/0x2b30 fs/erofs/decompressor.c:311
CPU: 0 PID: 5477 Comm: syz-executor.0 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


Tested on:

commit: fbafc3e6 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14751455e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=128ea2a1e80000

syzbot

Dec 28, 2023, 10:09:05 AM12/28/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in z_erofs_lz4_decompress

loop0: detected capacity change from 0 to 16
erofs: (device loop0): mounted with root inode @ nid 36.
erofs: (device loop0): z_erofs_lz4_decompress_mem: failed to decompress -12 in[46, 4050] out[917]
=====================================================
BUG: KMSAN: uninit-value in hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
hex_dump_to_buffer+0xae9/0x10f0 lib/hexdump.c:194
print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276
z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:252 [inline]
z_erofs_lz4_decompress+0x28d0/0x2ae0 fs/erofs/decompressor.c:312
CPU: 1 PID: 5487 Comm: syz-executor.0 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
=====================================================


Tested on:

commit: fbafc3e6 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12bcb509e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16888cb5e80000

Edward Adam Davis

Dec 28, 2023, 5:12:30 PM12/28/23
to syzbot+6c746e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test uninit-value in z_erofs_lz4_decompress (2)

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fbafc3e621c3

diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 021be5feb1bc..f4cc77e3255f 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
16, 1, src + inputmargin, rq->inputsize, true);
print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
- 16, 1, out, rq->outputsize, true);
+ 16, 1, out, ret < 0 ? (ret + rq->inputsize) :
+ rq->outputsize, true);
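Review bot: `ret + rq->inputsize` adds a negative LZ4 error code to the compressed length, which has no meaning as an output byte count; with the report's values (-12 + 46) it dumps 34 bytes, which only stops KMSAN from firing if the decoder happened to have written at least that many. Worse, whenever `rq->inputsize < -ret` the sum is negative, and once it reaches print_hex_dump's `size_t len` (see the signature in the first hexdump.c hunk of this thread) it becomes an enormous length, turning a debug print into a read far past the end of `out`. At minimum this needs a guard that `-ret <= rq->inputsize`; really it needs a different source for the bound.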

syzbot

Dec 28, 2023, 7:33:05 PM12/28/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+6c746e...@syzkaller.appspotmail.com

Tested on:

commit: fbafc3e6 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=132559bee80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=6c746eea496f34b3161d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12db5255e80000

Edward Adam Davis

Dec 29, 2023, 6:09:51 AM12/29/23
to syzbot+6c746e...@syzkaller.appspotmail.com, ch...@kernel.org, huy...@coolpad.com, jeff...@linux.alibaba.com, linux...@lists.ozlabs.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, xi...@kernel.org
When LZ4 decompression fails, the number of bytes read from out should be
inputsize plus the returned overflow value ret.

Reported-and-tested-by: syzbot+6c746e...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
fs/erofs/decompressor.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
index 021be5feb1bc..8ac3f96676c4 100644
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
16, 1, src + inputmargin, rq->inputsize, true);
print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
- 16, 1, out, rq->outputsize, true);
+ 16, 1, out, (ret < 0 && rq->inputsize > 0) ?
+ (ret + rq->inputsize) : rq->outputsize, true);

if (ret >= 0)
memset(out + ret, 0, rq->outputsize - ret);
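Review bot: the added `rq->inputsize > 0` guard does not prevent the wrap. For any inputsize below -ret (12 here) `ret + rq->inputsize` is still negative, and after conversion to print_hex_dump's `size_t len` it becomes a length in the billions, so the debug dump reads out of bounds of `out`. The commit message's claim that the bytes read from `out` should be inputsize plus ret is also unsupported: the error value encodes how far the decoder got in `src`, and how much output that consumed input produced is exactly what a failed decode does not tell you. Suggest dropping the output dump on the failure path rather than deriving its length from the input.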
--
2.43.0

Gao Xiang

Dec 30, 2023, 8:14:19 PM12/30/23
to Edward Adam Davis, syzbot+6c746e...@syzkaller.appspotmail.com, ch...@kernel.org, huy...@coolpad.com, jeff...@linux.alibaba.com, linux...@lists.ozlabs.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, xi...@kernel.org
It's incorrect since output decompressed buffer has no relationship
with `rq->inputsize` and `ret + rq->inputsize` is meaningless too.

Also, the issue was already fixed by avoiding debugging messages as
https://lore.kernel.org/r/20231227151903.29...@linux.alibaba.com

Thanks,
Gao Xiang

Edward Adam Davis

Dec 30, 2023, 9:32:40 PM12/30/23
to hsia...@linux.alibaba.com, ch...@kernel.org, ead...@qq.com, huy...@coolpad.com, jeff...@linux.alibaba.com, linux...@lists.ozlabs.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzbot+6c746e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, xi...@kernel.org
On Sun, 31 Dec 2023 09:14:11 +0800, Gao Xiang wrote:
> > When LZ4 decompression fails, the number of bytes read from out should be
> > inputsize plus the returned overflow value ret.
> >
> > Reported-and-tested-by: syzbot+6c746e...@syzkaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <ead...@qq.com>
> > ---
> > fs/erofs/decompressor.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
> > index 021be5feb1bc..8ac3f96676c4 100644
> > --- a/fs/erofs/decompressor.c
> > +++ b/fs/erofs/decompressor.c
> > @@ -250,7 +250,8 @@ static int z_erofs_lz4_decompress_mem(struct z_erofs_lz4_decompress_ctx *ctx,
> > print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET,
> > 16, 1, src + inputmargin, rq->inputsize, true);
> > print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET,
> > - 16, 1, out, rq->outputsize, true);
> > + 16, 1, out, (ret < 0 && rq->inputsize > 0) ?
> > + (ret + rq->inputsize) : rq->outputsize, true);
>
> It's incorrect since output decompressed buffer has no relationship
> with `rq->inputsize` and `ret + rq->inputsize` is meaningless too.
In this case, the value of ret is -12.
When LZ4_decompress_generic() fails, it will return "return (int) (- ((const char *) ip) - src) -1;"

Therefore, it can be clearly stated that the decompression has been carried out
to the 11 bytes of src, so reading the value of the first 11 bytes of out is
effective. Therefore, my patch should be more accurate as follows:
- 16, 1, out, rq->outputsize, true);
+ 16, 1, out, (ret < 0 && rq->inputsize > 0) ?
+ (0 - ret) : rq->outputsize, true);
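Review bot: `0 - ret` is still an input-side quantity. With the `-(ip - src) - 1` convention quoted above, ret == -12 means 11 bytes of `src` were consumed (not 12), and 11 compressed bytes may have produced anywhere from zero to many more output bytes, since LZ4 matches expand on decode. So this version neither counts output bytes nor gets the off-by-one right, and it still dumps bytes of `out` that the decoder may never have written.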
>
> Also, the issue was already fixed by avoiding debugging messages as
> https://lore.kernel.org/r/20231227151903.29...@linux.alibaba.com
This just deleted the output.

BR,
Edward

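The dump-length formulas argued over in this thread, checked in an added userspace model (not kernel code and not from anyone in the thread): a stand-in decoder writes a constructed number of output bytes, fails with the `-(ip - src) - 1` convention Edward quotes, and a KMSAN-style shadow map counts how many uninitialized bytes each proposed `print_hex_dump` length would read. The `fake_decompress` helper and the 20 produced bytes are assumptions; the sizes and the return value are the report's.

```c
#include <stdio.h>
#include <string.h>

/* Values from the syzbot report: "failed to decompress -12 in[46, 4050] out[917]". */
#define OUTPUTSIZE 917u
#define INPUTSIZE   46u

/* Shadow map in the spirit of KMSAN: shadow[i] != 0 means out[i] was written. */
static unsigned char out[OUTPUTSIZE];
static unsigned char shadow[OUTPUTSIZE];

/* Constructed stand-in for a failing LZ4 decode (not the kernel's decoder): it
 * writes `produced` output bytes, then bails out with the error convention quoted
 * in the thread, -(ip - src) - 1, which encodes consumed input, not produced output. */
static int fake_decompress(unsigned consumed, unsigned produced)
{
    memset(shadow, 0, sizeof shadow);
    for (unsigned i = 0; i < produced && i < OUTPUTSIZE; i++) {
        out[i] = (unsigned char)(i * 7 + 1);
        shadow[i] = 1;
    }
    return -(int)consumed - 1;
}

/* Model of print_hex_dump(..., out, len, ...): how many uninitialized bytes it
 * would read. The model stops at the buffer end; the kernel hexdump trusts `len`. */
static size_t uninit_bytes_read(size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len && i < OUTPUTSIZE; i++)
        n += !shadow[i];
    return n;
}

/* The dump lengths proposed in the thread, with the kernel's types:
 * int ret, unsigned sizes, and print_hex_dump's size_t len. */
static size_t len_original(int ret, unsigned insz, unsigned outsz)
{ (void)ret; (void)insz; return outsz; }

static size_t len_min_in_out(int ret, unsigned insz, unsigned outsz)
{ return ret < 0 ? (insz < outsz ? insz : outsz) : outsz; }

static size_t len_ret_plus_in(int ret, unsigned insz, unsigned outsz)
{ return (ret < 0 && insz > 0) ? (size_t)(ret + insz) : outsz; } /* int + unsigned: wraps */

/* In the spirit of the erofs commit syzbot tested clean: no output dump on failure. */
static size_t len_no_dump_on_failure(int ret, unsigned insz, unsigned outsz)
{ (void)insz; return ret < 0 ? 0 : outsz; }

int main(void)
{
    /* ret == -12 means 11 input bytes consumed. Assume (constructed) the decoder
     * wrote 20 output bytes first; LZ4's return value does not reveal that count. */
    int ret = fake_decompress(11, 20);
    printf("ret=%d\n", ret);
    printf("outputsize     : %zu uninit bytes read\n", uninit_bytes_read(len_original(ret, INPUTSIZE, OUTPUTSIZE)));
    printf("min(in,out)    : %zu uninit bytes read\n", uninit_bytes_read(len_min_in_out(ret, INPUTSIZE, OUTPUTSIZE)));
    printf("ret+inputsize  : %zu uninit bytes read\n", uninit_bytes_read(len_ret_plus_in(ret, INPUTSIZE, OUTPUTSIZE)));
    printf("ret+inputsize with in=8: len=%zu, beyond the 917-byte buffer\n", len_ret_plus_in(ret, 8, OUTPUTSIZE));
    printf("no dump on fail: %zu uninit bytes read\n", uninit_bytes_read(len_no_dump_on_failure(ret, INPUTSIZE, OUTPUTSIZE)));
    return 0;
}
```

The `ret + inputsize` variant passing syzbot depended entirely on how many output bytes the real decoder had written before failing, a number the model has to assume because the API does not return it.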