[syzbot] [reiserfs?] KMSAN: uninit-value in reiserfs_security_init
7 views
Skip to first unread message
syzbot
May 10, 2023, 5:49:16 PM5/10/23
to gli...@google.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, reiserf...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 46e8b6e7cfeb string: use __builtin_memcpy() in strlcpy/str..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13ea03bc280000
kernel config: https://syzkaller.appspot.com/x/.config?x=a7a1059074b7bdce
dashboard link: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad7fff770529/disk-46e8b6e7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ca6a66fcd14c/vmlinux-46e8b6e7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9dc8f5fe8588/bzImage-46e8b6e7.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+00a377...@syzkaller.appspotmail.com
REISERFS (device loop5): journal params: device loop5, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop5): checking transaction log (loop5)
REISERFS (device loop5): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
=====================================================
BUG: KMSAN: uninit-value in reiserfs_security_init+0x663/0x750 fs/reiserfs/xattr_security.c:84
reiserfs_security_init+0x663/0x750 fs/reiserfs/xattr_security.c:84
reiserfs_mkdir+0x418/0xfc0 fs/reiserfs/namei.c:823
xattr_mkdir fs/reiserfs/xattr.c:77 [inline]
create_privroot fs/reiserfs/xattr.c:890 [inline]
reiserfs_xattr_init+0x47e/0xc00 fs/reiserfs/xattr.c:1006
reiserfs_remount+0xf9c/0x2390
legacy_reconfigure+0x182/0x1d0 fs/fs_context.c:633
reconfigure_super+0x346/0xdf0 fs/super.c:956
do_remount fs/namespace.c:2701 [inline]
path_mount+0x19c1/0x1ee0 fs/namespace.c:3361
do_mount fs/namespace.c:3382 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount+0x725/0x810 fs/namespace.c:3568
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:3568
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
Local variable security created at:
reiserfs_mkdir+0x5f/0xfc0 fs/reiserfs/namei.c:791
xattr_mkdir fs/reiserfs/xattr.c:77 [inline]
create_privroot fs/reiserfs/xattr.c:890 [inline]
reiserfs_xattr_init+0x47e/0xc00 fs/reiserfs/xattr.c:1006
CPU: 1 PID: 7610 Comm: syz-executor.5 Not tainted 6.4.0-rc1-syzkaller-g46e8b6e7cfeb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 46e8b6e7cfeb string: use __builtin_memcpy() in strlcpy/str..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13ea03bc280000
kernel config: https://syzkaller.appspot.com/x/.config?x=a7a1059074b7bdce
dashboard link: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad7fff770529/disk-46e8b6e7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ca6a66fcd14c/vmlinux-46e8b6e7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9dc8f5fe8588/bzImage-46e8b6e7.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+00a377...@syzkaller.appspotmail.com
REISERFS (device loop5): journal params: device loop5, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop5): checking transaction log (loop5)
REISERFS (device loop5): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
=====================================================
BUG: KMSAN: uninit-value in reiserfs_security_init+0x663/0x750 fs/reiserfs/xattr_security.c:84
reiserfs_security_init+0x663/0x750 fs/reiserfs/xattr_security.c:84
reiserfs_mkdir+0x418/0xfc0 fs/reiserfs/namei.c:823
xattr_mkdir fs/reiserfs/xattr.c:77 [inline]
create_privroot fs/reiserfs/xattr.c:890 [inline]
reiserfs_xattr_init+0x47e/0xc00 fs/reiserfs/xattr.c:1006
reiserfs_remount+0xf9c/0x2390
legacy_reconfigure+0x182/0x1d0 fs/fs_context.c:633
reconfigure_super+0x346/0xdf0 fs/super.c:956
do_remount fs/namespace.c:2701 [inline]
path_mount+0x19c1/0x1ee0 fs/namespace.c:3361
do_mount fs/namespace.c:3382 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount+0x725/0x810 fs/namespace.c:3568
__ia32_sys_mount+0xe3/0x150 fs/namespace.c:3568
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82
Local variable security created at:
reiserfs_mkdir+0x5f/0xfc0 fs/reiserfs/namei.c:791
xattr_mkdir fs/reiserfs/xattr.c:77 [inline]
create_privroot fs/reiserfs/xattr.c:890 [inline]
reiserfs_xattr_init+0x47e/0xc00 fs/reiserfs/xattr.c:1006
CPU: 1 PID: 7610 Comm: syz-executor.5 Not tainted 6.4.0-rc1-syzkaller-g46e8b6e7cfeb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Tetsuo Handa
May 11, 2023, 10:49:00 AM5/11/23
to syzbot, syzkall...@googlegroups.com, Paul Moore, Roberto Sassu, Mimi Zohar, Casey Schaufler, reiserf...@vger.kernel.org, gli...@google.com, linux-...@vger.kernel.org
syzbot is reporting that sec->length is not initialized.
Since security_inode_init_security() returns 0 when initxattrs is provided
but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will
reach to "if (sec->length && ...) {" without initializing sec->length.
Reported-by: syzbot <syzbot+00a377...@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()")
---
fs/reiserfs/xattr_security.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c
index 6e0a099dd788..078dd8cc312f 100644
--- a/fs/reiserfs/xattr_security.c
+++ b/fs/reiserfs/xattr_security.c
@@ -67,6 +67,7 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode,
sec->name = NULL;
sec->value = NULL;
+ sec->length = 0;
/* Don't add selinux attributes on xattrs - they'll never get used */
if (IS_PRIVATE(dir))
--
2.18.4
Since security_inode_init_security() returns 0 when initxattrs is provided
but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will
reach to "if (sec->length && ...) {" without initializing sec->length.
Reported-by: syzbot <syzbot+00a377...@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()")
---
fs/reiserfs/xattr_security.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c
index 6e0a099dd788..078dd8cc312f 100644
--- a/fs/reiserfs/xattr_security.c
+++ b/fs/reiserfs/xattr_security.c
@@ -67,6 +67,7 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode,
sec->name = NULL;
sec->value = NULL;
+ sec->length = 0;
/* Don't add selinux attributes on xattrs - they'll never get used */
if (IS_PRIVATE(dir))
--
2.18.4
Paul Moore
May 20, 2023, 3:47:15 PM5/20/23
to Tetsuo Handa, syzbot, syzkall...@googlegroups.com, Roberto Sassu, Mimi Zohar, Casey Schaufler, reiserf...@vger.kernel.org, gli...@google.com, linux-...@vger.kernel.org, linux-secu...@vger.kernel.org
On Thu, May 11, 2023 at 10:49 AM Tetsuo Handa
<penguin...@i-love.sakura.ne.jp> wrote:
>
> syzbot is reporting that sec->length is not initialized.
>
> Since security_inode_init_security() returns 0 when initxattrs is provided
> but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will
> reach to "if (sec->length && ...) {" without initializing sec->length.
>
> Reported-by: syzbot <syzbot+00a377...@syzkaller.appspotmail.com>
> Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
> Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
> Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()")
> ---
> fs/reiserfs/xattr_security.c | 1 +
> 1 file changed, 1 insertion(+)
Adding the LSM list to the CC line.
<penguin...@i-love.sakura.ne.jp> wrote:
>
> syzbot is reporting that sec->length is not initialized.
>
> Since security_inode_init_security() returns 0 when initxattrs is provided
> but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will
> reach to "if (sec->length && ...) {" without initializing sec->length.
>
> Reported-by: syzbot <syzbot+00a377...@syzkaller.appspotmail.com>
> Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
> Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
> Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()")
> ---
> fs/reiserfs/xattr_security.c | 1 +
> 1 file changed, 1 insertion(+)
> diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c
> index 6e0a099dd788..078dd8cc312f 100644
> --- a/fs/reiserfs/xattr_security.c
> +++ b/fs/reiserfs/xattr_security.c
> @@ -67,6 +67,7 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode,
>
> sec->name = NULL;
> sec->value = NULL;
> + sec->length = 0;
>
> /* Don't add selinux attributes on xattrs - they'll never get used */
> if (IS_PRIVATE(dir))
> --
> 2.18.4
paul-moore.com
Paul Moore
May 25, 2023, 5:49:39 PM5/25/23
to Tetsuo Handa, syzbot, syzkall...@googlegroups.com, Roberto Sassu, Mimi Zohar, Casey Schaufler, reiserf...@vger.kernel.org, gli...@google.com, linux-...@vger.kernel.org, linux-secu...@vger.kernel.org
On Sat, May 20, 2023 at 3:47 PM Paul Moore <pa...@paul-moore.com> wrote:
> On Thu, May 11, 2023 at 10:49 AM Tetsuo Handa
> <penguin...@i-love.sakura.ne.jp> wrote:
> >
> > syzbot is reporting that sec->length is not initialized.
> >
> > Since security_inode_init_security() returns 0 when initxattrs is provided
> > but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will
> > reach to "if (sec->length && ...) {" without initializing sec->length.
> >
> > Reported-by: syzbot <syzbot+00a377...@syzkaller.appspotmail.com>
> > Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
> > Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
> > Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()")
> > ---
> > fs/reiserfs/xattr_security.c | 1 +
> > 1 file changed, 1 insertion(+)
>
> Adding the LSM list to the CC line.
I haven't seen any objections, and it looks reasonable to me so I've
> On Thu, May 11, 2023 at 10:49 AM Tetsuo Handa
> <penguin...@i-love.sakura.ne.jp> wrote:
> >
> > syzbot is reporting that sec->length is not initialized.
> >
> > Since security_inode_init_security() returns 0 when initxattrs is provided
> > but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will
> > reach to "if (sec->length && ...) {" without initializing sec->length.
> >
> > Reported-by: syzbot <syzbot+00a377...@syzkaller.appspotmail.com>
> > Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
> > Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
> > Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()")
> > ---
> > fs/reiserfs/xattr_security.c | 1 +
> > 1 file changed, 1 insertion(+)
>
> Adding the LSM list to the CC line.
gone ahead and merged it into lsm/next. This is arguably
lsm/stable-6.4 material, but I'm going to stick with lsm/next in hopes
that Roberto can resolve the other reiserfs issue and we can push all
the reiser fixes up to Linus in one shot.
The reality is that LSM xattrs have been broken on reiserfs for a long
time and no one has complained, I figure a few more weeks isn't going
to matter that much.
Regardless, thanks for digging into this syzbot failure and sending a patch.
Reply all
Reply to author
Forward
0 new messages