[syzbot] [lsm?] [integrity?] KMSAN: uninit-value in ima_add_template_entry (3)
Kent Overstreet
kent.overstreet at linux.dev
Thu May 15 16:48:13 UTC 2025
On Thu, May 15, 2025 at 06:39:48PM +0200, Roberto Sassu wrote:
> On Thu, 2025-05-15 at 12:37 -0400, Kent Overstreet wrote:
> > On Thu, May 15, 2025 at 04:30:09PM +0200, Roberto Sassu wrote:
> > > On Thu, 2025-05-15 at 10:18 -0400, Kent Overstreet wrote:
> > > > On Thu, May 15, 2025 at 04:06:02PM +0200, Roberto Sassu wrote:
> > > > > On Wed, 2025-05-14 at 07:54 -0700, syzbot wrote:
> > > > > > Hello,
> > > > >
> > > > > + Kent, bcachefs mailing list
> > > > >
> > > > > I have the feeling that this was recently fixed in one of the latest
> > > > > pull requests in bcachefs. I don't see it occurring anymore, and there
> > > > > are more commits after the one reported by syzbot.
> > > >
> > > > I have no idea how any of the ima stuff works or even what it does, I'm
> > > > not even sure where I'd start...
> > >
> > > Basically, I got a clue that bcachefs would be the cause from the
> > > bottom of the report:
> > >
> > > page_cache_sync_ra+0x108a/0x13e0 mm/readahead.c:621
> > > filemap_get_pages+0xfb3/0x3a70 mm/filemap.c:2591
> > > filemap_read+0x5c6/0x2190 mm/filemap.c:2702
> > > bch2_read_iter+0x559/0x21c0 fs/bcachefs/fs-io-direct.c:221
> > > __kernel_read+0x750/0xda0 fs/read_write.c:528
> > > integrity_kernel_read+0x77/0x90 security/integrity/iint.c:28
> > >
> > > This means that IMA is reading a file and calculating a digest over it:
> > >
> > > ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:498 [inline]
> > > ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
> > > ima_calc_file_hash+0x240a/0x3fd0 security/integrity/ima/ima_crypto.c:568
> > > ima_collect_measurement+0x45d/0xe60 security/integrity/ima/ima_api.c:293
> > > process_measurement+0x2d1a/0x40e0 security/integrity/ima/ima_main.c:385
> > > ima_file_check+0x8e/0xd0 security/integrity/ima/ima_main.c:613
> > >
> > > syzbot is complaining that the data the digest was calculated from was
> > > not initialized (e.g. zeroed).
> > >
> > > There is a reproducer, we would be probably able to do a bisection and
> > > find the commit that caused it (and maybe the one that fixed it).
> >
> > Ok, that would be fixed by the - multiple - KMSAN fixes, most of those
> > were spurious but code was lacking annotations. Probably this one:
> >
> > 9c3a2c9b471a bcachefs: Disable asm memcpys when kmsan enabled
>
> Perfect, thanks a lot!
>
> Will check it and mark this report as fixed.
Btw, since you mentioned syzbot reproducers, I have a tool for running
those locally, with a single command. It's one of the "tests" in ktest:
https://evilpiepirate.org/git/ktest.git/
With that, you can do
build-test-kernel run -IP ~/ktest/tests/syzbot-repro.ktest <syz id>
in your kernel tree, and it'll build a kernel, launch a vm, and run the
reproducer, all in a single command :)
More information about the Linux-security-module-archive
mailing list