* KMSAN: uninit-value in __crc32c_le_base
From: syzbot @ 2019-11-23 18:05 UTC
To: davem, glider, herbert, linux-crypto, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    3db92f3b kmsan: process DMA pages separately in kmsan_hand..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17bad222e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9e324dfe9c7b0360
dashboard link: https://syzkaller.appspot.com/bug?extid=6dcbfea81cd3d4dd0b02
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=128145cee00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
CPU: 1 PID: 12411 Comm: syz-executor.1 Not tainted 5.4.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:245
 crc32_body lib/crc32.c:112 [inline]
 crc32_le_generic lib/crc32.c:179 [inline]
 __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
 chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
 crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
 crc32c+0x150/0x220 lib/libcrc32c.c:47
 sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
 __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
 sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
 sctp_packet_pack net/sctp/output.c:528 [inline]
 sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
 sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
 sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
 sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
 sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
 sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
 sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
 sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
 sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
 sock_common_setsockopt+0x13b/0x170 net/core/sock.c:3151
 __sys_setsockopt+0x7c3/0xa30 net/socket.c:2084
 __do_sys_setsockopt net/socket.c:2100 [inline]
 __se_sys_setsockopt+0xdd/0x100 net/socket.c:2097
 __x64_sys_setsockopt+0x62/0x80 net/socket.c:2097
 do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x45a639
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f2a8cb65c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000000045a639
RDX: 0000000000000009 RSI: 0000000000000084 RDI: 0000000000000004
RBP: 000000000075bfc8 R08: 0000000000000098 R09: 0000000000000000
R10: 0000000020000440 R11: 0000000000000246 R12: 00007f2a8cb666d4
R13: 00000000004d1a88 R14: 00000000004e08f0 R15: 00000000ffffffff

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:151 [inline]
 kmsan_internal_chain_origin+0xbd/0x180 mm/kmsan/kmsan.c:319
 kmsan_memcpy_memmove_metadata+0x25c/0x2e0 mm/kmsan/kmsan.c:254
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:274
 __msan_memcpy+0x56/0x70 mm/kmsan/kmsan_instr.c:129
 skb_put_data include/linux/skbuff.h:2217 [inline]
 sctp_packet_pack net/sctp/output.c:470 [inline]
 sctp_packet_transmit+0x1d9e/0x4250 net/sctp/output.c:597
 sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
 sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
 sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
 sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
 sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
 sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
 sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
 sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
 sock_common_setsockopt+0x13b/0x170 net/core/sock.c:3151
 __sys_setsockopt+0x7c3/0xa30 net/socket.c:2084
 __do_sys_setsockopt net/socket.c:2100 [inline]
 __se_sys_setsockopt+0xdd/0x100 net/socket.c:2097
 __x64_sys_setsockopt+0x62/0x80 net/socket.c:2097
 do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:151 [inline]
 kmsan_internal_chain_origin+0xbd/0x180 mm/kmsan/kmsan.c:319
 kmsan_memcpy_memmove_metadata+0x25c/0x2e0 mm/kmsan/kmsan.c:254
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:274
 __msan_memcpy+0x56/0x70 mm/kmsan/kmsan_instr.c:129
 skb_put_data include/linux/skbuff.h:2217 [inline]
 sctp_addto_chunk net/sctp/sm_make_chunk.c:1494 [inline]
 sctp_make_heartbeat+0x612/0x9e0 net/sctp/sm_make_chunk.c:1164
 sctp_sf_heartbeat net/sctp/sm_statefuns.c:990 [inline]
 sctp_sf_do_prm_requestheartbeat+0x8f/0x4b0 net/sctp/sm_statefuns.c:5329
 sctp_do_sm+0x2b2/0x9720 net/sctp/sm_sideeffect.c:1152
 sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
 sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
 sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
 sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
 sock_common_setsockopt+0x13b/0x170 net/core/sock.c:3151
 __sys_setsockopt+0x7c3/0xa30 net/socket.c:2084
 __do_sys_setsockopt net/socket.c:2100 [inline]
 __se_sys_setsockopt+0xdd/0x100 net/socket.c:2097
 __x64_sys_setsockopt+0x62/0x80 net/socket.c:2097
 do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:151 [inline]
 kmsan_internal_chain_origin+0xbd/0x180 mm/kmsan/kmsan.c:319
 kmsan_memcpy_memmove_metadata+0x25c/0x2e0 mm/kmsan/kmsan.c:254
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:274
 __msan_memcpy+0x56/0x70 mm/kmsan/kmsan_instr.c:129
 sctp_make_heartbeat+0x3e9/0x9e0 net/sctp/sm_make_chunk.c:1156
 sctp_sf_heartbeat net/sctp/sm_statefuns.c:990 [inline]
 sctp_sf_do_prm_requestheartbeat+0x8f/0x4b0 net/sctp/sm_statefuns.c:5329
 sctp_do_sm+0x2b2/0x9720 net/sctp/sm_sideeffect.c:1152
 sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
 sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
 sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
 sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
 sock_common_setsockopt+0x13b/0x170 net/core/sock.c:3151
 __sys_setsockopt+0x7c3/0xa30 net/socket.c:2084
 __do_sys_setsockopt net/socket.c:2100 [inline]
 __se_sys_setsockopt+0xdd/0x100 net/socket.c:2097
 __x64_sys_setsockopt+0x62/0x80 net/socket.c:2097
 do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:151 [inline]
 kmsan_internal_chain_origin+0xbd/0x180 mm/kmsan/kmsan.c:319
 kmsan_memcpy_memmove_metadata+0x25c/0x2e0 mm/kmsan/kmsan.c:254
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:274
 __msan_memcpy+0x56/0x70 mm/kmsan/kmsan_instr.c:129
 sctp_transport_init net/sctp/transport.c:47 [inline]
 sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
 sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
 sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
 sctp_process_init+0x162b/0x3e30 net/sctp/sm_make_chunk.c:2345
 sctp_cmd_process_init net/sctp/sm_sideeffect.c:667 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1374 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
 sctp_do_sm+0x1b8b/0x9720 net/sctp/sm_sideeffect.c:1155
 sctp_assoc_bh_rcv+0x65a/0xd80 net/sctp/associola.c:1048
 sctp_inq_push+0x300/0x420 net/sctp/inqueue.c:80
 sctp_backlog_rcv+0x2d7/0x11a0 net/sctp/input.c:344
 sk_backlog_rcv include/net/sock.h:950 [inline]
 __release_sock+0x448/0x640 net/core/sock.c:2439
 release_sock+0x99/0x2a0 net/core/sock.c:2955
 sctp_wait_for_connect+0x3d7/0x840 net/sctp/socket.c:9167
 __sctp_connect+0x1e9d/0x1f20 net/sctp/socket.c:1226
 __sctp_setsockopt_connectx net/sctp/socket.c:1322 [inline]
 sctp_setsockopt_connectx_old net/sctp/socket.c:1338 [inline]
 sctp_setsockopt+0x960d/0x19090 net/sctp/socket.c:4647
 sock_common_setsockopt+0x13b/0x170 net/core/sock.c:3151
 __sys_setsockopt+0x7c3/0xa30 net/socket.c:2084
 __do_sys_setsockopt net/socket.c:2100 [inline]
 __se_sys_setsockopt+0xdd/0x100 net/socket.c:2097
 __x64_sys_setsockopt+0x62/0x80 net/socket.c:2097
 do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Local variable description: ----addr.i@sctp_process_init
Variable was created at:
 sctp_process_param net/sctp/sm_make_chunk.c:2495 [inline]
 sctp_process_init+0x603/0x3e30 net/sctp/sm_make_chunk.c:2345
 sctp_process_param net/sctp/sm_make_chunk.c:2495 [inline]
 sctp_process_init+0x603/0x3e30 net/sctp/sm_make_chunk.c:2345
=====================================================

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: KMSAN: uninit-value in __crc32c_le_base
From: Eric Biggers @ 2019-11-27 6:01 UTC
To: Vlad Yasevich, Neil Horman, Marcelo Ricardo Leitner, linux-sctp
Cc: syzbot, davem, glider, herbert, linux-crypto, linux-kernel, syzkaller-bugs

Looks like a bug in net/sctp/ where it's passing uninitialized memory into the
crc32c() function. SCTP maintainers, can you please take a look?

Also, this might be a duplicate of "KMSAN: uninit-value in __skb_checksum_complete (4)"
(https://lore.kernel.org/lkml/0000000000000924780598075f4b@google.com/T/#u).

On Sat, Nov 23, 2019 at 10:05:09AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    3db92f3b kmsan: process DMA pages separately in kmsan_hand..
> git tree:       https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=17bad222e00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=9e324dfe9c7b0360
> dashboard link: https://syzkaller.appspot.com/bug?extid=6dcbfea81cd3d4dd0b02
> compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=128145cee00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
>
> [...]
* Re: KMSAN: uninit-value in __crc32c_le_base
From: Xin Long @ 2019-11-27 8:49 UTC
To: Eric Biggers
Cc: Vlad Yasevich, Neil Horman, Marcelo Ricardo Leitner, linux-sctp, syzbot, davem, Alexander Potapenko, Herbert Xu, linux-crypto, LKML, syzkaller-bugs

On Wed, Nov 27, 2019 at 2:02 PM Eric Biggers <ebiggers@kernel.org> wrote:
>
> Looks like a bug in net/sctp/ where it's passing uninitialized memory into the
> crc32c() function. SCTP maintainers, can you please take a look?
Thanks.

The issue was caused by:
transport->ipaddr set with uninit addr param, which was passed by:

 sctp_transport_init net/sctp/transport.c:47 [inline]
 sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
 sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
 sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]

where 'addr' is set by sctp_v4_from_addr_param(), which doesn't initialize the
padding of addr->v4.

Later, when calling sctp_make_heartbeat(), hbinfo.daddr (= transport->ipaddr)
will become part of the skb, and the issue occurs.

The fix should be:

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 09050c1d5517..0e73405eba4f 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2516,6 +2516,7 @@ static int sctp_process_param(struct sctp_association *asoc,
 		if (ipv6_only_sock(asoc->base.sk))
 			break;
 do_addr_param:
+		memset(&addr, 0, sizeof(addr));
 		af = sctp_get_af_specific(param_type2af(param.p->type));
 		af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0);
 		scope = sctp_scope(peer_addr);
@@ -3040,6 +3041,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
 	if (unlikely(!af))
 		return SCTP_ERROR_DNS_FAILED;
 
+	memset(&addr, 0, sizeof(addr));
 	af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0);
 
 	/* ADDIP 4.2.1  This parameter MUST NOT contain a broadcast

>
> Also, this might be a duplicate of "KMSAN: uninit-value in __skb_checksum_complete (4)"
> (https://lore.kernel.org/lkml/0000000000000924780598075f4b@google.com/T/#u).
>
> On Sat, Nov 23, 2019 at 10:05:09AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    3db92f3b kmsan: process DMA pages separately in kmsan_hand..
> > git tree:       https://github.com/google/kmsan.git master
> > console output: https://syzkaller.appspot.com/x/log.txt?x=17bad222e00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=9e324dfe9c7b0360
> > dashboard link: https://syzkaller.appspot.com/bug?extid=6dcbfea81cd3d4dd0b02
> > compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=128145cee00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
> >
> > [...]
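Review bot: the memset at the do_addr_param label in sctp_process_param() zeroes the v4 padding the analysis above identifies, but it only covers this one call site; since the root cause is that sctp_v4_from_addr_param() leaves the rest of addr->v4 untouched, zeroing inside that helper (or inside the from_addr_param() implementations generally) would cover every caller, whereas with the fix placed here any other caller that later copies the whole union sctp_addr into a packet could still produce the same KMSAN report.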
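Review bot: missing tags for the sctp_process_asconf_param() hunk and the patch as a whole: when this goes out as a formal patch it should carry a Fixes: tag and the `Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com` line the report asks for. The placement itself is fine: the memset sits after the `if (unlikely(!af)) return SCTP_ERROR_DNS_FAILED;` check, so addr is zeroed only on the path where from_addr_param() is actually called, and this path is fed by a peer-supplied ASCONF parameter, which makes it the more important of the two to fix.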
* Re: KMSAN: uninit-value in __crc32c_le_base 2019-11-27 8:49 ` Xin Long @ 2019-11-27 13:22 ` Marcelo Ricardo Leitner 0 siblings, 0 replies; 4+ messages in thread From: Marcelo Ricardo Leitner @ 2019-11-27 13:22 UTC (permalink / raw) To: Xin Long Cc: Eric Biggers, Vlad Yasevich, Neil Horman, linux-sctp, syzbot, davem, Alexander Potapenko, Herbert Xu, linux-crypto, LKML, syzkaller-bugs On Wed, Nov 27, 2019 at 04:49:46PM +0800, Xin Long wrote: > On Wed, Nov 27, 2019 at 2:02 PM Eric Biggers <ebiggers@kernel.org> wrote: > > > > Looks like a bug in net/sctp/ where it's passing uninitialized memory into the > > crc32c() function. SCTP maintainers, can you please take a look? > Thanks. > > The issue was caused by: > transport->ipaddr set with uninit addr param, which was passed by: > > sctp_transport_init net/sctp/transport.c:47 [inline] > sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100 > sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611 > sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline] > > where 'addr' is set by sctp_v4_from_addr_param(), which doesn't initialize the > padding of addr->v4. > > later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr) > will become the part of skb, and the issue occurs. Sweet. > > The fix should be: > > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c > index 09050c1d5517..0e73405eba4f 100644 > --- a/net/sctp/sm_make_chunk.c > +++ b/net/sctp/sm_make_chunk.c > @@ -2516,6 +2516,7 @@ static int sctp_process_param(struct > sctp_association *asoc, > if (ipv6_only_sock(asoc->base.sk)) > break; > do_addr_param: > + memset(&addr, 0, sizeof(addr)); > af = sctp_get_af_specific(param_type2af(param.p->type)); > af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0); > scope = sctp_scope(peer_addr); 
> @@ -3040,6 +3041,7 @@ static __be16 sctp_process_asconf_param(struct > sctp_association *asoc, > if (unlikely(!af)) > return SCTP_ERROR_DNS_FAILED; > > + memset(&addr, 0, sizeof(addr)); > af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0);

In sctp_v4_from_addr_param() itself seems cleaner.
(Ditto for sctp_v4_to_addr_param() and related ones, like sctp_v4_dst_saddr())

These functions shouldn't trust that the caller initializes the memory.
They are dealing with ipv4 but they know that the buffer they are writing
into is larger and the size of it.

  Marcelo
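Review bot: in the first hunk the header `@@ -2516,6 +2516,7 @@ static int sctp_process_param(struct` has been wrapped by the mail client onto a second quoted line (`sctp_association *asoc,`), so the patch as posted will not apply with git am and needs resending from a client that does not wrap. On the change itself, `+ memset(&addr, 0, sizeof(addr));` at the `do_addr_param:` label clears the whole sctp_addr before `af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0);` fills only the v4 member, which is enough for this caller, but it leaves every other caller of from_addr_param to remember the same memset; clearing inside sctp_v4_from_addr_param() itself, as the reply suggests, fixes the root cause once rather than per call site.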
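Review bot: the second hunk, in sctp_process_asconf_param, places `+ memset(&addr, 0, sizeof(addr));` correctly after the `if (unlikely(!af)) return SCTP_ERROR_DNS_FAILED;` check and before `af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0);`, but the patch carries no commit message. The analysis in the mail body (transport->ipaddr inherits the uninitialised padding of addr->v4, and that padding is later copied into the heartbeat chunk as hbinfo.daddr and fed to crc32c) belongs in the commit message, together with a Reported-by: tag for the syzbot report so the tracker closes it when the fix lands.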
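The mechanism Xin Long describes above (an IPv4 helper fills three fields of a union that is as large as an IPv6 address, the untouched bytes keep stale stack contents, and those bytes then travel into a packet and into its CRC-32C) can be shown outside the kernel. The following is an added example written for this page, not code from the thread or from net/sctp/: `union my_sctp_addr`, `v4_from_addr_param_buggy` and `v4_from_addr_param_fixed` are simplified stand-ins for the kernel's sctp_addr and sctp_v4_from_addr_param(), and `crc32c_bytes` stands in for lib/libcrc32c's crc32c(). The "stale" pattern is a constructed stand-in for leftover stack contents, since real uninitialised memory is not reproducible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Simplified stand-in for the kernel's union sctp_addr (not the real definition). */
union my_sctp_addr {
    struct sockaddr_in  v4;
    struct sockaddr_in6 v6;
};

typedef void (*fill_fn)(union my_sctp_addr *addr, uint32_t ip_be, uint16_t port_be);

/* Models sctp_v4_from_addr_param() as described in the thread: it writes the
 * three IPv4 fields and nothing else. sin_zero and the bytes that only the
 * v6 member covers keep whatever the caller's stack held before. */
static void v4_from_addr_param_buggy(union my_sctp_addr *addr, uint32_t ip_be, uint16_t port_be)
{
    addr->v4.sin_family = AF_INET;
    addr->v4.sin_port = port_be;
    addr->v4.sin_addr.s_addr = ip_be;
}

/* Hardened variant, following Marcelo's suggestion to clear inside the helper
 * so that no caller has to remember a memset: zero the whole union, then fill v4. */
static void v4_from_addr_param_fixed(union my_sctp_addr *addr, uint32_t ip_be, uint16_t port_be)
{
    memset(addr, 0, sizeof(*addr));
    v4_from_addr_param_buggy(addr, ip_be, port_be);
}

/* Bit-serial CRC-32C (Castagnoli, reflected polynomial 0x82F63B78), standing in
 * for the crc32c() that sctp_csum_update() calls on each skb fragment. */
static uint32_t crc32c_bytes(const void *data, size_t len)
{
    const uint8_t *b = data;
    uint32_t crc = ~0u;
    for (size_t i = 0; i < len; i++) {
        crc ^= b[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* One simulated call: prefill the local with 'stale' (constructed stand-in for
 * leftover stack contents), run the helper, and return the checksum a packet
 * carrying the whole union, as hbinfo.daddr does, would get. */
static uint32_t checksum_after_fill(fill_fn fill, uint8_t stale)
{
    union my_sctp_addr addr;
    memset(&addr, stale, sizeof(addr));
    fill(&addr, htonl(0xC0000201u) /* 192.0.2.1, documentation range */, htons(9899));
    return crc32c_bytes(&addr, sizeof(addr));
}

/* How many bytes of the union still hold the stale pattern after the helper
 * ran; each of these is a byte KMSAN reports as uninit-value once it is hashed. */
static size_t stale_bytes_after_fill(fill_fn fill, uint8_t stale)
{
    union my_sctp_addr addr;
    memset(&addr, stale, sizeof(addr));
    fill(&addr, htonl(0xC0000201u), htons(9899));
    const uint8_t *b = (const uint8_t *)&addr;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(addr); i++)
        n += (b[i] == stale);
    return n;
}

int main(void)
{
    /* The buggy helper leaves sizeof(union) - 8 stale bytes, and two calls that
     * build the same address get different checksums depending on what the
     * stack held; the fixed helper leaves none and checksums identically. */
    printf("buggy: %zu stale bytes, crc %08x vs %08x for two stack patterns\n",
           stale_bytes_after_fill(v4_from_addr_param_buggy, 0xAA),
           checksum_after_fill(v4_from_addr_param_buggy, 0xAA),
           checksum_after_fill(v4_from_addr_param_buggy, 0x55));
    printf("fixed: %zu stale bytes, crc %08x vs %08x\n",
           stale_bytes_after_fill(v4_from_addr_param_fixed, 0xAA),
           checksum_after_fill(v4_from_addr_param_fixed, 0xAA),
           checksum_after_fill(v4_from_addr_param_fixed, 0x55));
    return 0;
}
```

The checksum comparison is the practical consequence: with the buggy helper, two otherwise identical heartbeats can carry different CRCs (and different on-the-wire bytes) purely because of what the stack held, which is both a kernel memory disclosure and exactly the kind of data KMSAN flags when crc32c reads it. Zeroing inside the helper, rather than at each call site, is the form of the fix the thread converges on.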
Thread overview: 4+ messages
2019-11-23 18:05 KMSAN: uninit-value in __crc32c_le_base  syzbot
2019-11-27  6:01 ` Eric Biggers
2019-11-27  8:49   ` Xin Long
2019-11-27 13:22     ` Marcelo Ricardo Leitner