* [syzbot] [reiserfs?] KMSAN: uninit-value in reiserfs_security_init
From: syzbot @ 2023-05-10 21:49 UTC
  To: glider, linux-fsdevel, linux-kernel, reiserfs-devel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    46e8b6e7cfeb string: use __builtin_memcpy() in strlcpy/str..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13ea03bc280000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a7a1059074b7bdce
dashboard link: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad7fff770529/disk-46e8b6e7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ca6a66fcd14c/vmlinux-46e8b6e7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9dc8f5fe8588/bzImage-46e8b6e7.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+00a3779539a23cbee38c@syzkaller.appspotmail.com

REISERFS (device loop5): journal params: device loop5, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop5): checking transaction log (loop5)
REISERFS (device loop5): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
=====================================================
BUG: KMSAN: uninit-value in reiserfs_security_init+0x663/0x750 fs/reiserfs/xattr_security.c:84
 reiserfs_security_init+0x663/0x750 fs/reiserfs/xattr_security.c:84
 reiserfs_mkdir+0x418/0xfc0 fs/reiserfs/namei.c:823
 xattr_mkdir fs/reiserfs/xattr.c:77 [inline]
 create_privroot fs/reiserfs/xattr.c:890 [inline]
 reiserfs_xattr_init+0x47e/0xc00 fs/reiserfs/xattr.c:1006
 reiserfs_remount+0xf9c/0x2390
 legacy_reconfigure+0x182/0x1d0 fs/fs_context.c:633
 reconfigure_super+0x346/0xdf0 fs/super.c:956
 do_remount fs/namespace.c:2701 [inline]
 path_mount+0x19c1/0x1ee0 fs/namespace.c:3361
 do_mount fs/namespace.c:3382 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x725/0x810 fs/namespace.c:3568
 __ia32_sys_mount+0xe3/0x150 fs/namespace.c:3568
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Local variable security created at:
 reiserfs_mkdir+0x5f/0xfc0 fs/reiserfs/namei.c:791
 xattr_mkdir fs/reiserfs/xattr.c:77 [inline]
 create_privroot fs/reiserfs/xattr.c:890 [inline]
 reiserfs_xattr_init+0x47e/0xc00 fs/reiserfs/xattr.c:1006

CPU: 1 PID: 7610 Comm: syz-executor.5 Not tainted 6.4.0-rc1-syzkaller-g46e8b6e7cfeb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* [PATCH] reiserfs: Initialize sec->length in reiserfs_security_init().
From: Tetsuo Handa @ 2023-05-11 14:48 UTC
  To: syzbot, syzkaller-bugs, Paul Moore, Roberto Sassu, Mimi Zohar,
	Casey Schaufler
  Cc: reiserfs-devel, glider, linux-fsdevel

syzbot is reporting that sec->length is not initialized.

Since security_inode_init_security() returns 0 when initxattrs is provided
but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will
reach "if (sec->length && ...) {" without initializing sec->length.

Reported-by: syzbot <syzbot+00a3779539a23cbee38c@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()")
---
 fs/reiserfs/xattr_security.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c
index 6e0a099dd788..078dd8cc312f 100644
--- a/fs/reiserfs/xattr_security.c
+++ b/fs/reiserfs/xattr_security.c
@@ -67,6 +67,7 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode,
 
 	sec->name = NULL;
 	sec->value = NULL;
+	sec->length = 0;
 
 	/* Don't add selinux attributes on xattrs - they'll never get used */
 	if (IS_PRIVATE(dir))
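Review bot: the added `sec->length = 0;` closes the path the commit message describes (security_inode_init_security() returning 0 without touching the handle), but the hunk still initializes the handle one field at a time, so any field added to the handle later will reintroduce exactly this class of bug. Consider replacing the three assignments with a single `memset(sec, 0, sizeof(*sec));` so the whole handle is zeroed regardless of which fields it has; the KMSAN report shows the handle is a caller's stack local (reiserfs_mkdir, fs/reiserfs/namei.c:791), so nothing upstream of this function clears it.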
-- 
2.18.4
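
The control flow the commit message describes, as an added userspace model that is not part of this thread or of the kernel source: a function that reports success without writing its output handle, a caller whose handle is a stack local, and the single field-initialization that separates the pre-patch and post-patch behaviour. The `sec_handle` struct, the fake LSM hook, the 0xAA sentinel fill (standing in for stale stack contents so the run is deterministic) and the journal-block count are all assumptions made for the demo.

```c
/*
 * Added example, not kernel code: a userspace model of the bug fixed by the
 * patch above. The struct, the fake LSM hook, the sentinel fill and the
 * block-reservation number are assumptions made for the demo.
 */
#include <stddef.h>
#include <string.h>

struct sec_handle {
	const char *name;   /* xattr name supplied by the LSM, or NULL */
	void *value;        /* xattr value, or NULL */
	size_t length;      /* value length; the field the patch zeroes */
};

/* Journal blocks reserved when an xattr will be written (made-up value). */
#define XATTR_JCREATE_BLOCKS 3

static char demo_label[] = "demo_u:object_r:demo_t";

/*
 * Stand-in for security_inode_init_security(). When an LSM labels the inode
 * it fills the handle. When no LSM does (the hook returned -EOPNOTSUPP but
 * the caller passed initxattrs), it returns 0 and leaves the handle untouched,
 * which is the path the commit message describes.
 */
static int fake_inode_init_security(struct sec_handle *sec, int lsm_labels)
{
	if (!lsm_labels)
		return 0;
	sec->name = "demo";
	sec->value = demo_label;
	sec->length = sizeof(demo_label);
	return 0;
}

/*
 * Model of reiserfs_security_init(). `fixed` selects whether sec->length is
 * zeroed (post-patch) or left holding whatever the caller's stack slot had
 * (pre-patch). Returns the number of journal blocks to reserve, or a
 * negative error from the hook.
 */
static int model_security_init(struct sec_handle *sec, int lsm_labels, int fixed)
{
	int err;

	sec->name = NULL;
	sec->value = NULL;
	if (fixed)
		sec->length = 0;

	err = fake_inode_init_security(sec, lsm_labels);
	if (err)
		return err;

	/* The pre-patch code reached this test with sec->length uninitialized. */
	if (sec->length)
		return XATTR_JCREATE_BLOCKS;
	return 0;
}

/*
 * Caller model: the handle is a stack local, as in reiserfs_mkdir in the
 * KMSAN report. The 0xAA fill stands in for stale stack contents; a real
 * uninitialized read is what KMSAN flagged.
 */
int run_scenario(int lsm_labels, int fixed)
{
	struct sec_handle sec;

	memset(&sec, 0xAA, sizeof(sec));
	return model_security_init(&sec, lsm_labels, fixed);
}
```

With no LSM labelling the inode, the pre-patch variant (`run_scenario(0, 0)`) reserves journal blocks for an xattr that does not exist because the stale `length` is non-zero, while the patched variant (`run_scenario(0, 1)`) reserves nothing; when an LSM does fill the handle both variants agree. Dropping the `memset` and building with `clang -fsanitize=memory` makes MemorySanitizer report the branch on `sec->length` in the unfixed variant, the userspace analogue of the KMSAN report at the top of the thread.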



* Re: [PATCH] reiserfs: Initialize sec->length in reiserfs_security_init().
From: Paul Moore @ 2023-05-20 19:47 UTC
  To: Tetsuo Handa
  Cc: syzbot, syzkaller-bugs, Roberto Sassu, Mimi Zohar,
	Casey Schaufler, reiserfs-devel, glider, linux-fsdevel,
	linux-security-module

On Thu, May 11, 2023 at 10:49 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> syzbot is reporting that sec->length is not initialized.
>
> Since security_inode_init_security() returns 0 when initxattrs is provided
> but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will
> reach "if (sec->length && ...) {" without initializing sec->length.
>
> Reported-by: syzbot <syzbot+00a3779539a23cbee38c@syzkaller.appspotmail.com>
> Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()")
> ---
>  fs/reiserfs/xattr_security.c | 1 +
>  1 file changed, 1 insertion(+)

Adding the LSM list to the CC line.

> diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c
> index 6e0a099dd788..078dd8cc312f 100644
> --- a/fs/reiserfs/xattr_security.c
> +++ b/fs/reiserfs/xattr_security.c
> @@ -67,6 +67,7 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode,
>
>         sec->name = NULL;
>         sec->value = NULL;
> +       sec->length = 0;
>
>         /* Don't add selinux attributes on xattrs - they'll never get used */
>         if (IS_PRIVATE(dir))
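Review bot: the zeroing at `+       sec->length = 0;` carries no comment, yet the reason it is required is non-obvious and currently lives only in the commit message: security_inode_init_security() can return 0 while leaving the handle untouched (initxattrs supplied, hook returned -EOPNOTSUPP), after which the `if (sec->length && ...)` test is the only thing keeping a stale length from being acted on. A one-line comment above the three assignments, along the lines of `/* the LSM hook may return 0 without filling sec; length must then read as 0 */`, would keep that invariant visible to the next person who edits this function.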
> --
> 2.18.4

-- 
paul-moore.com

* Re: [PATCH] reiserfs: Initialize sec->length in reiserfs_security_init().
From: Paul Moore @ 2023-05-25 21:49 UTC
  To: Tetsuo Handa
  Cc: syzbot, syzkaller-bugs, Roberto Sassu, Mimi Zohar,
	Casey Schaufler, reiserfs-devel, glider, linux-fsdevel,
	linux-security-module

On Sat, May 20, 2023 at 3:47 PM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, May 11, 2023 at 10:49 AM Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
> >
> > syzbot is reporting that sec->length is not initialized.
> >
> > Since security_inode_init_security() returns 0 when initxattrs is provided
> > but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will
> > reach "if (sec->length && ...) {" without initializing sec->length.
> >
> > Reported-by: syzbot <syzbot+00a3779539a23cbee38c@syzkaller.appspotmail.com>
> > Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c
> > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()")
> > ---
> >  fs/reiserfs/xattr_security.c | 1 +
> >  1 file changed, 1 insertion(+)
>
> Adding the LSM list to the CC line.

I haven't seen any objections, and it looks reasonable to me so I've
gone ahead and merged it into lsm/next.  This is arguably
lsm/stable-6.4 material, but I'm going to stick with lsm/next in hopes
that Roberto can resolve the other reiserfs issue and we can push all
the reiser fixes up to Linus in one shot.

The reality is that LSM xattrs have been broken on reiserfs for a long
time and no one has complained, I figure a few more weeks isn't going
to matter that much.

Regardless, thanks for digging into this syzbot failure and sending a patch.

> > diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c
> > index 6e0a099dd788..078dd8cc312f 100644
> > --- a/fs/reiserfs/xattr_security.c
> > +++ b/fs/reiserfs/xattr_security.c
> > @@ -67,6 +67,7 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode,
> >
> >         sec->name = NULL;
> >         sec->value = NULL;
> > +       sec->length = 0;
> >
> >         /* Don't add selinux attributes on xattrs - they'll never get used */
> >         if (IS_PRIVATE(dir))
> > --
> > 2.18.4

-- 
paul-moore.com
