Linux-Fsdevel Archive on lore.kernel.org
 help / color / Atom feed
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: vegard.nossum@gmail.com, viro@zeniv.linux.org.uk,
	akpm@linux-foundation.org
Cc: linux-fsdevel@vger.kernel.org
Subject: [PATCH] dentry: Fix kmemcheck splat at take_dentry_name_snapshot()
Date: Wed, 13 Sep 2017 19:12:07 +0900
Message-ID: <201709131912.GBG39012.QMJLOVFSFFOOtH@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <CAOMGZ=HCtLUFvhy727b=pCE+BapVZobRaRqymTYr48FqZncBoA@mail.gmail.com>

Vegard Nossum wrote:
> kmemcheck knows how to memcpy() the shadow memory state between two
> slab-allocated objects, but it doesn't track memory state for the
> stack so if you're copying partially uninitialised object to the stack
> (which I'm guessing is the case here?) then it will produce the
> warning Tetsuo Handa saw.
> 
> BTW as soon as msan/kmsan support for the kernel [1] is merged I am
> planning to nuke kmemcheck from the kernel. msan/kmsan should handle
> it properly.
> 
> [1]: https://github.com/google/kmsan

I think kmemcheck is correct and msan/kmsan must as well splat here,
for they won't be able to know that this

  unsigned char d_iname[DNAME_INLINE_LEN];        /* small names */

field is interpreted as "only bytes up to first '\0' are valid".

----------
>>From c4fe364445f7b2490209aba90b289f0543b3cfa8 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Wed, 13 Sep 2017 18:47:50 +0900
Subject: [PATCH] dentry: Fix kmemcheck splat at take_dentry_name_snapshot()

Since only dentry->d_name.len + 1 bytes out of DNAME_INLINE_LEN bytes are
initialized at __d_alloc(), we can't copy the whole size unconditionally.

 WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50)
 636f6e66696766732e746d70000000000010000000000000020000000188ffff
  i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u
                                  ^
 RIP: 0010:take_dentry_name_snapshot+0x28/0x50
 RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246
 RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002
 RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60
 RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001
 R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00
 R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000
 FS:  00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0
  take_dentry_name_snapshot+0x28/0x50
  vfs_rename+0x128/0x870
  SyS_rename+0x3b2/0x3d0
  entry_SYSCALL_64_fastpath+0x1a/0xa4
  0xffffffffffffffff

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 fs/dcache.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index f901413..ad6d328 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -291,7 +291,8 @@ void take_dentry_name_snapshot(struct name_snapshot *name, struct dentry *dentry
 		spin_unlock(&dentry->d_lock);
 		name->name = p->name;
 	} else {
-		memcpy(name->inline_name, dentry->d_iname, DNAME_INLINE_LEN);
+		memcpy(name->inline_name, dentry->d_iname,
+		       dentry->d_name.len + 1);
 		spin_unlock(&dentry->d_lock);
 		name->name = name->inline_name;
 	}
-- 
1.8.3.1

      reply index

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-04 12:12 fs: Uninitialized memory read at take_dentry_name_snapshot Tetsuo Handa
2017-09-04 13:21 ` Al Viro
2017-09-04 14:11   ` Tetsuo Handa
2017-09-04 14:22     ` Al Viro
2017-09-04 16:56       ` Vegard Nossum
2017-09-13 10:12         ` Tetsuo Handa [this message]

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=201709131912.GBG39012.QMJLOVFSFFOOtH@I-love.SAKURA.ne.jp \
    --to=penguin-kernel@i-love.sakura.ne.jp \
    --cc=akpm@linux-foundation.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=vegard.nossum@gmail.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Fsdevel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-fsdevel/0 linux-fsdevel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-fsdevel linux-fsdevel/ https://lore.kernel.org/linux-fsdevel \
		linux-fsdevel@vger.kernel.org linux-fsdevel@archiver.kernel.org
	public-inbox-index linux-fsdevel


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-fsdevel


AGPL code for this site: git clone https://public-inbox.org/ public-inbox