Bug #398

closed

KMSAN: uninit-value in batadv_iv_send_outstanding_bat_ogm_packet

Added by Sven Eckelmann over 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Target version:
Start date: 08/22/2019
Due date:
% Done: 0%
Estimated time:

Description

syzbot found the following crash on:

HEAD commit:    61ccdad1 Revert "drm/bochs: Use shadow buffer for bochs fr..
git tree:       https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13d6909c600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=27abc558ecb16a3b
dashboard link: https://syzkaller.appspot.com/bug?extid=355cab184197dbbfa384
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1612b9d2600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11d388ac600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com

==================================================================
BUG: KMSAN: uninit-value in batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:317 [inline]
BUG: KMSAN: uninit-value in batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:383 [inline]
BUG: KMSAN: uninit-value in batadv_iv_send_outstanding_bat_ogm_packet+0x6cd/0xcc0 net/batman-adv/bat_iv_ogm.c:1657
CPU: 1 PID: 290 Comm: kworker/u4:7 Not tainted 5.3.0-rc3+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x191/0x1f0 lib/dump_stack.c:113
  kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
  __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
  batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:317 [inline]
  batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:383 [inline]
  batadv_iv_send_outstanding_bat_ogm_packet+0x6cd/0xcc0 net/batman-adv/bat_iv_ogm.c:1657
  process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
  worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
  kthread+0x4b5/0x4f0 kernel/kthread.c:256
  ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

The referenced line (317) is the loop header:

 311         packet_num = 0;
 312         buff_pos = 0;
 313         packet_pos = forw_packet->skb->data;
 314         batadv_ogm_packet = (struct batadv_ogm_packet *)packet_pos;
 315 
 316         /* adjust all flags and log packets */
 317         while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
 318                                          batadv_ogm_packet->tvlv_len)) {
 319                 /* we might have aggregated direct link packets with an
 320                  * ordinary base packet
 321                  */

I would guess (without really knowing it) that there is a too short batadv_ogm_packet which doesn't contain tvlv_len.


Full output in https://lore.kernel.org/r/000000000000226dc30590a83a39@google.com
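As an added example (not batman-adv's code), a bounds-checked walk over an aggregated OGM buffer in the spirit of the guess above: the loop confirms that a whole header fits in the remaining bytes before it reads tvlv_len from that header, so a too-short trailing packet is reported instead of read past. The struct layout, OGM_HLEN, the aggregation cap and all function names are assumptions; the input buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Stand-in for struct batadv_ogm_packet; layout and 24-byte size are assumed. */
struct ogm_packet {
    uint8_t  packet_type, version, ttl, flags;
    uint32_t seqno;
    uint8_t  orig[6], prev_sender[6], reserved, tq;
    uint16_t tvlv_len;                          /* big-endian on the wire */
} __attribute__((packed));

#define OGM_HLEN        sizeof(struct ogm_packet)
#define MAX_AGGREGATION 512                     /* assumed aggregation cap */
/* Same condition the kernel loop tests: header + tvlv payload at pos fits. */
static int ogm_fits(size_t pos, size_t packet_len, uint16_t tvlv_len_be)
{
    size_t next = pos + OGM_HLEN + ntohs(tvlv_len_be);
    return next <= packet_len && next <= MAX_AGGREGATION;
}
/* Count complete OGMs; tvlv_len is read only once the whole header is in
 * bounds. Returns -1 when trailing bytes are too short to hold a header. */
int count_ogm_packets(const uint8_t *buf, size_t packet_len)
{
    size_t pos = 0;
    int count = 0;
    while (pos + OGM_HLEN <= packet_len) {      /* header check comes first */
        struct ogm_packet hdr;
        memcpy(&hdr, buf + pos, OGM_HLEN);      /* safe: header is in bounds */
        if (!ogm_fits(pos, packet_len, hdr.tvlv_len))
            return count;                       /* payload does not fit: stop */
        count++;
        pos += OGM_HLEN + ntohs(hdr.tvlv_len);
    }
    return pos == packet_len ? count : -1;
}
/* Constructed input for tests: n OGMs with given tvlv lengths, zeroed payload. */
size_t build_aggregate(uint8_t *out, size_t cap, const uint16_t *lens, size_t n)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        struct ogm_packet hdr = { .version = 15, .tvlv_len = htons(lens[i]) };
        if (pos + OGM_HLEN + lens[i] > cap)
            return 0;
        memcpy(out + pos, &hdr, OGM_HLEN);
        memset(out + pos + OGM_HLEN, 0, lens[i]);
        pos += OGM_HLEN + lens[i];
    }
    return pos;
}
```

A returned -1 is the case the KMSAN report is about: bytes that cannot hold a header should be logged and dropped rather than parsed.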
