KMSAN: uninit-value in pppol2tp_connect


syzbot

Apr 23, 2018, 4:24:02 AM4/23/18
to da...@davemloft.net, jcha...@katalix.com, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot hit the following crash on
https://github.com/google/kmsan.git/master commit
a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +0000)
kmsan: disable assembly checksums
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=a70ac890b23b1bf29f5c

So far this crash happened 3 times on
https://github.com/google/kmsan.git/master.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=4946656566968320
syzkaller reproducer:
https://syzkaller.appspot.com/x/repro.syz?id=5395971013869568
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5936570024591360
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
compiler: clang version 7.0.0 (trunk 329391)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a70ac8...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

==================================================================
BUG: KMSAN: uninit-value in pppol2tp_connect+0x258/0x1c50
net/l2tp/l2tp_ppp.c:622
CPU: 1 PID: 4524 Comm: syzkaller735385 Not tainted 4.16.0+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
pppol2tp_connect+0x258/0x1c50 net/l2tp/l2tp_ppp.c:622
SYSC_connect+0x41a/0x510 net/socket.c:1639
SyS_connect+0x54/0x80 net/socket.c:1620
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x445559
RSP: 002b:00007f0b96f0ddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445559
RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffec2b0929f R14: 00007f0b96f0e9c0 R15: 0000000000000001

Local variable description: ----address@SYSC_connect
Variable was created at:
SYSC_connect+0x6f/0x510 net/socket.c:1622
SyS_connect+0x54/0x80 net/socket.c:1620
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.

syzbot

Apr 23, 2018, 10:10:02 AM4/23/18
to g.n...@alphalink.fr, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

kernel build failed: failed to run /usr/bin/make [make bzImage -j 32
CC=/syzkaller/clang-kmsan/bin/clang]: exit status 2
arch/x86/Makefile:184: *** Compiler lacks asm-goto support.. Stop.



Tested on net commit
7e5a206ab686f098367b61aca989f5cdfa8114a3 (Fri Apr 20 13:57:30 2018 +0000)
tcp: don't read out-of-bounds opsize

compiler: clang version 7.0.0 (trunk 329391)
Patch: https://syzkaller.appspot.com/x/patch.diff?id=5018397217652736



Dmitry Vyukov

Apr 23, 2018, 10:42:42 AM4/23/18
to syzbot, g.n...@alphalink.fr, syzkaller-bugs
Hi,

This is a false error, should now be fixed with:
https://github.com/google/syzkaller/commit/8b5dcf17b0f9fa01f9a4f93c144c56fe3f7468f2
Sorry for that.

Let's try again:

#syz fix: https://github.com/google/kmsan.git master

But note that KMSAN bugs can only be tested on KMSAN tree, because the
tool is not upstream yet (not present in net tree):
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bugs
l2tp.txt

Dmitry Vyukov

Apr 23, 2018, 10:44:27 AM4/23/18
to syzbot, g.n...@alphalink.fr, syzkaller-bugs
On Mon, Apr 23, 2018 at 4:42 PM, Dmitry Vyukov <dvy...@google.com> wrote:
> On Mon, Apr 23, 2018 at 4:10 PM, syzbot
> <syzbot+a70ac8...@syzkaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzbot tried to test the proposed patch but build/boot failed:
>>
>> kernel build failed: failed to run /usr/bin/make [make bzImage -j 32
>> CC=/syzkaller/clang-kmsan/bin/clang]: exit status 2
>> arch/x86/Makefile:184: *** Compiler lacks asm-goto support.. Stop.
>>
>>
>>
>> Tested on net commit
>> 7e5a206ab686f098367b61aca989f5cdfa8114a3 (Fri Apr 20 13:57:30 2018 +0000)
>> tcp: don't read out-of-bounds opsize
>>
>> compiler: clang version 7.0.0 (trunk 329391)
>> Patch: https://syzkaller.appspot.com/x/patch.diff?id=5018397217652736
>
>
> Hi,
>
> This is a false error, should now be fixed with:
> https://github.com/google/syzkaller/commit/8b5dcf17b0f9fa01f9a4f93c144c56fe3f7468f2
> Sorry for that.
>
> Let's try again:
>
> #syz fix: https://github.com/google/kmsan.git master

of course, this should be:

#syz test: https://github.com/google/kmsan.git master

syzbot

Apr 23, 2018, 10:44:28 AM4/23/18
to Dmitry Vyukov, dvy...@google.com, g.n...@alphalink.fr, syzkall...@googlegroups.com
> On Mon, Apr 23, 2018 at 4:42 PM, Dmitry Vyukov <dvy...@google.com> wrote:
>> On Mon, Apr 23, 2018 at 4:10 PM, syzbot
>> <syzbot+a70ac8...@syzkaller.appspotmail.com> wrote:
>>> Hello,

>>> syzbot tried to test the proposed patch but build/boot failed:

>>> kernel build failed: failed to run /usr/bin/make [make bzImage -j 32
>>> CC=/syzkaller/clang-kmsan/bin/clang]: exit status 2
>>> arch/x86/Makefile:184: *** Compiler lacks asm-goto support.. Stop.



>>> Tested on net commit
>>> 7e5a206ab686f098367b61aca989f5cdfa8114a3 (Fri Apr 20 13:57:30 2018
>>> +0000)
>>> tcp: don't read out-of-bounds opsize

>>> compiler: clang version 7.0.0 (trunk 329391)
>>> Patch: https://syzkaller.appspot.com/x/patch.diff?id=5018397217652736


>> Hi,

>> This is a false error, should now be fixed with:
>> https://github.com/google/syzkaller/commit/8b5dcf17b0f9fa01f9a4f93c144c56fe3f7468f2
>> Sorry for that.

>> Let's try again:

>> #syz fix: https://github.com/google/kmsan.git master

> of course, this should be:

> #syz test: https://github.com/google/kmsan.git master

I don't see any patch attached to the request.

Dmitry Vyukov

Apr 23, 2018, 10:45:20 AM4/23/18
to syzbot, g.n...@alphalink.fr, syzkaller-bugs
On Mon, Apr 23, 2018 at 4:44 PM, syzbot
<syzbot+a70ac8...@syzkaller.appspotmail.com> wrote:
>> On Mon, Apr 23, 2018 at 4:42 PM, Dmitry Vyukov <dvy...@google.com> wrote:
>>>
>>> On Mon, Apr 23, 2018 at 4:10 PM, syzbot
>>> <syzbot+a70ac8...@syzkaller.appspotmail.com> wrote:
>>>>
>>>> Hello,
>
>
>>>> syzbot tried to test the proposed patch but build/boot failed:
>
>
>>>> kernel build failed: failed to run /usr/bin/make [make bzImage -j 32
>>>> CC=/syzkaller/clang-kmsan/bin/clang]: exit status 2
>>>> arch/x86/Makefile:184: *** Compiler lacks asm-goto support.. Stop.
>
>
>
>
>>>> Tested on net commit
>>>> 7e5a206ab686f098367b61aca989f5cdfa8114a3 (Fri Apr 20 13:57:30 2018
>>>> +0000)
>>>> tcp: don't read out-of-bounds opsize
>
>
>>>> compiler: clang version 7.0.0 (trunk 329391)
>>>> Patch: https://syzkaller.appspot.com/x/patch.diff?id=5018397217652736
>
>
>
>>> Hi,
>
>
>>> This is a false error, should now be fixed with:
>>>
>>> https://github.com/google/syzkaller/commit/8b5dcf17b0f9fa01f9a4f93c144c56fe3f7468f2
>>> Sorry for that.
>
>
>>> Let's try again:
>
>
>>> #syz fix: https://github.com/google/kmsan.git master
>
>
>> of course, this should be:
>
>

not my day!
l2tp.txt

Guillaume Nault

Apr 23, 2018, 10:55:14 AM4/23/18
to Dmitry Vyukov, syzbot, syzkaller-bugs
Yes, I realised that when I saw the compilation error message.
Thanks for having re-submitted the test.

In the meantime, and since this issue was quite straightforward, I've
submitted the fix to netdev ("l2tp: check sockaddr length in pppol2tp_connect()").
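The fix Guillaume refers to checks the sockaddr length before the handler reads past what userspace actually supplied. As an added illustration that is not the kernel's code: a user-space C model of the unchecked read KMSAN flagged (fields read from the kernel-side sockaddr_storage local regardless of how many bytes were copied in) next to the length-checked form. The PPPoL2TP sockaddr layout is a simplified assumption, AF_PPPOX is written as its numeric value, and 0xAA stands in for the stale stack bytes.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Simplified model of struct sockaddr_pppol2tp; assumed layout for this
 * example (the real definition lives in linux/if_pppol2tp.h). */
struct model_pppol2tp {
    uint16_t sa_family, sa_protocol; int32_t pid, fd;
    struct sockaddr_in addr;
    uint16_t s_tunnel, s_session, d_tunnel, d_session;
};
#define POISON 0xAA /* stands in for the stale stack bytes KMSAN flagged */

/* Models move_addr_to_kernel(): only `len` user bytes reach the local. */
static void stage(struct sockaddr_storage *ss, size_t len)
{
    struct model_pppol2tp user = { .sa_family = 24 /* AF_PPPOX */, .s_tunnel = 7 };
    memset(ss, POISON, sizeof(*ss));          /* whatever the stack held */
    memcpy(ss, &user, len < sizeof(user) ? len : sizeof(user));
}

/* Pattern KMSAN reported: len is never compared with the struct size. */
int connect_unchecked(const struct sockaddr_storage *ss, size_t len, uint16_t *tunnel)
{
    (void)len; /* never consulted, so a short sockaddr yields stack garbage */
    *tunnel = ((const struct model_pppol2tp *)ss)->s_tunnel;
    return 0;
}

/* Hardened form: refuse a sockaddr shorter than the fields dereferenced. */
int connect_checked(const struct sockaddr_storage *ss, size_t len, uint16_t *tunnel)
{
    if (len < sizeof(struct model_pppol2tp))
        return -EINVAL;
    *tunnel = ((const struct model_pppol2tp *)ss)->s_tunnel;
    return 0;
}

/* Exercise each handler with a constructed `len`-byte sockaddr. */
uint16_t tunnel_seen_unchecked(size_t len)
{
    struct sockaddr_storage ss; uint16_t t = 0;
    stage(&ss, len); connect_unchecked(&ss, len, &t); return t;
}
int rc_checked(size_t len)
{
    struct sockaddr_storage ss; uint16_t t = 0;
    stage(&ss, len); return connect_checked(&ss, len, &t);
}
```

With an 8-byte sockaddr the unchecked handler reports tunnel 0xAAAA, bytes userspace never wrote, while the checked one returns -EINVAL; a full-length sockaddr passes both.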

syzbot

Apr 23, 2018, 11:53:02 AM4/23/18
to dvy...@google.com, g.n...@alphalink.fr, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+a70ac8...@syzkaller.appspotmail.com

Note: the tag will also help syzbot to understand when the bug is fixed.

Tested on https://github.com/google/kmsan.git/master commit
d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +0000)
kmsan: add initialization for shmem pages

compiler: clang version 7.0.0 (trunk 329391)
Patch: https://syzkaller.appspot.com/x/patch.diff?id=5023082490101760
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367


---
There is no WARRANTY for the result, to the extent permitted by applicable law.
Except when otherwise stated in writing syzbot provides the result "AS IS" without warranty of any kind, either expressed or implied, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality of the result is with you. Should the result prove defective, you assume the cost of all necessary servicing, repair or correction.

Dmitry Vyukov

Apr 24, 2018, 8:29:44 AM4/24/18
to syzbot, syzkaller-bugs
Test that testing of KMSAN bugs now fails on non-KMSAN tree:

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

syzbot

Apr 24, 2018, 8:29:46 AM4/24/18
to Dmitry Vyukov, dvy...@google.com, syzkall...@googlegroups.com
> Test that testing of KMSAN bugs now fails on non-KMSAN tree:

> #syz test:
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

KMSAN bugs can only be tested on https://github.com/google/kmsan.git tree
because KMSAN tool is not upstreamed yet.
See
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bugs
for details.

Dmitry Vyukov

Apr 24, 2018, 8:49:54 AM4/24/18
to syzbot, syzkaller-bugs
Now test on the right tree, but without a patch:

syzbot

Apr 24, 2018, 8:51:02 AM4/24/18
to syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

test patch is empty
[unknown]

Dmitry Vyukov

Apr 24, 2018, 9:12:40 AM4/24/18
to syzbot, syzkaller-bugs
And again:

Dmitry Vyukov

Apr 24, 2018, 9:33:41 AM4/24/18
to syzbot, syzkaller-bugs
Also test on exact commit:

#syz test: https://github.com/google/kmsan.git 496516422fea2b241bdc078d6d042e8ffba73ede

syzbot

Apr 24, 2018, 10:08:02 AM4/24/18
to dvy...@google.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

failed to checkout kernel repo https://github.com/google/kmsan.git on
commit 496516422fea2b241bdc078d6d042e8ffba73ede: failed to run /usr/bin/git
[git checkout 496516422fea2b241bdc078d6d042e8ffba73ede]: exit status 128
fatal: reference is not a tree: 496516422fea2b241bdc078d6d042e8ffba73ede



Tested on
https://github.com/google/kmsan.git/496516422fea2b241bdc078d6d042e8ffba73ede

syzbot

Apr 24, 2018, 10:08:02 AM4/24/18
to dvy...@google.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KMSAN: uninit-value in pppol2tp_connect

bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KMSAN: uninit-value in pppol2tp_connect+0x251/0x1c80
net/l2tp/l2tp_ppp.c:622
CPU: 0 PID: 4840 Comm: syz-executor3 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
IPVS: ftp: loaded support on port[0] = 21
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
pppol2tp_connect+0x251/0x1c80 net/l2tp/l2tp_ppp.c:622
SYSC_connect+0x41f/0x520 net/socket.c:1639
SyS_connect+0x54/0x80 net/socket.c:1620
do_syscall_64+0x2f1/0x440 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389
RSP: 002b:00007ff7709fdc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007ff7709fe6d4 RCX: 0000000000455389
RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000005c R14: 00000000006f3940 R15: 0000000000000000

Local variable description: ----address@SYSC_connect
Variable was created at:
SYSC_connect+0x6f/0x520 net/socket.c:1622
SyS_connect+0x54/0x80 net/socket.c:1620
==================================================================

d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +0000)
kmsan: add initialization for shmem pages

compiler: clang version 7.0.0 (trunk 329391)
Kernel config: https://syzkaller.appspot.com/x/.config?id=328654897048964367
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5450480054435840

Dmitry Vyukov

Apr 24, 2018, 1:20:22 PM4/24/18
to syzbot, syzkaller-bugs
Again with exact commit:

#syz test: https://github.com/google/kmsan.git 496516422fea2b241bdc078d6d042e8ffba73ede



syzbot

Apr 24, 2018, 2:18:02 PM4/24/18
to dvy...@google.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KMSAN: uninit-value in pppol2tp_connect

bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KMSAN: uninit-value in pppol2tp_connect+0x251/0x1c80
net/l2tp/l2tp_ppp.c:622
CPU: 0 PID: 4872 Comm: syz-executor3 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
IPVS: ftp: loaded support on port[0] = 21
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
pppol2tp_connect+0x251/0x1c80 net/l2tp/l2tp_ppp.c:622
SYSC_connect+0x41f/0x520 net/socket.c:1639
SyS_connect+0x54/0x80 net/socket.c:1620
do_syscall_64+0x2f1/0x440 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455389
RSP: 002b:00007f219cb55c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
IPVS: ftp: loaded support on port[0] = 21
RAX: ffffffffffffffda RBX: 00007f219cb566d4 RCX: 0000000000455389
RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000005c R14: 00000000006f3940 R15: 0000000000000000

Local variable description: ----address@SYSC_connect
Variable was created at:
SYSC_connect+0x6f/0x520 net/socket.c:1622
SyS_connect+0x54/0x80 net/socket.c:1620
==================================================================
IPVS: ftp: loaded support on port[0] = 21


Tested on https://github.com/google/kmsan.git commit
496516422fea2b241bdc078d6d042e8ffba73ede (Sun Apr 22 15:02:35 2018 +0000)
kmsan: fix NULL deref

compiler: clang version 7.0.0 (trunk 329391)
https://syzkaller.appspot.com/x/log.txt?id=6154167496212480
