On Tue, Apr 25, 2017 at 7:55 PM, David Miller <da...@davemloft.net> wrote:
> From: Alexander Potapenko <gli...@google.com>
> Date: Tue, 25 Apr 2017 15:18:27 +0200
>
>> rawv6_send_hdrinc() expects that the buffer copied from the userspace
>> contains the IPv6 header, so if too few bytes are copied parts of the
>> header may remain uninitialized.
>>
>> This bug has been detected with KMSAN.
>>
>> Signed-off-by: Alexander Potapenko <gli...@google.com>
>
> Hmmm, ipv4 seems to lack this check as well.
>
> I think we need to be careful here and fully understand why KMSAN doesn't
> seem to be triggering in the ipv4 case but for ipv6 it is before I apply
> this.

Maybe I just couldn't come up with a decent test case for ipv4 yet.
syzkaller generated the equivalent of the following program for ipv6:

=======================================
#define _GNU_SOURCE
#include <arpa/inet.h>   /* inet_pton() */
#include <netinet/in.h>
#include <stdio.h>       /* perror() */
#include <string.h>
#include <sys/socket.h>

int main()
{
  int sock = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
  struct sockaddr_in6 dest_addr;
  memset(&dest_addr, 0, sizeof(dest_addr));
  dest_addr.sin6_family = AF_INET6;
  inet_pton(AF_INET6, "ff00::", &dest_addr.sin6_addr);
  /* Zero-length message: nothing is copied from user space, yet the
     kernel goes on to treat the buffer as holding an IPv6 header. */
  int err = sendto(sock, 0, 0, 0, &dest_addr, sizeof(dest_addr));
  if (err == -1)
    perror("sendto");
  return 0;
}
=======================================

I attempted to replace INET6 and such with INET and provide a legal IPv4
address to inet_pton(), but couldn't trigger the warning.

> Thanks.

--
Alexander Potapenko
Software Engineer
Google Germany GmbH
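A user-space model of the missing length check, added here as an example (it is neither the kernel patch nor code from this thread): hdrinc_v6_unchecked() shows the unchecked copy leaving header bytes as whatever the buffer held before, and hdrinc_check_len() refuses a message shorter than the header for both families, since the reply notes ipv4 lacks the check too. The function names, the POISON byte and the constructed packet are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/ip.h>   /* struct iphdr: 20 bytes */
#include <netinet/ip6.h>  /* struct ip6_hdr: 40 bytes */

#define POISON 0xAA  /* stands in for whatever the buffer held before the copy */

/* Model of the bug: copy only what the caller sent into a header that still
 * carries its previous contents, then use it. Returns the hop-limit field,
 * which is 0xAA rather than caller data whenever len is too short. */
static int hdrinc_v6_unchecked(const void *user, size_t len, struct ip6_hdr *hdr)
{
    memset(hdr, POISON, sizeof(*hdr));  /* "uninitialized" memory, made visible */
    memcpy(hdr, user, len < sizeof(*hdr) ? len : sizeof(*hdr));
    return hdr->ip6_hlim;
}

/* The missing check: a message sent with the header included must at least
 * hold the header of its family. Uses the kernel's negative-errno convention. */
static int hdrinc_check_len(int family, size_t len)
{
    size_t need;
    switch (family) {
    case AF_INET:  need = sizeof(struct iphdr);   break;
    case AF_INET6: need = sizeof(struct ip6_hdr); break;
    default:       return -EAFNOSUPPORT;
    }
    return len < need ? -EINVAL : 0;
}

/* Checked path: the copy happens only once every header byte is caller data. */
static int hdrinc_v6_checked(const void *user, size_t len, struct ip6_hdr *hdr)
{
    int err = hdrinc_check_len(AF_INET6, len);
    if (err)
        return err;
    memset(hdr, POISON, sizeof(*hdr));
    memcpy(hdr, user, sizeof(*hdr));
    return hdr->ip6_hlim;
}

/* Drivers: a zero-length send, as in the syzkaller program, and a constructed
 * 40-byte header whose hop limit (byte 7) is 64, passed with a caller-chosen len. */
static int demo_unchecked_zero_len(void) { struct ip6_hdr h; return hdrinc_v6_unchecked("", 0, &h); }
static int demo_checked(size_t len)
{
    unsigned char pkt[40] = {0}; struct ip6_hdr h;
    pkt[7] = 64;                 /* hop limit sits at byte 7 of an IPv6 header */
    return hdrinc_v6_checked(pkt, len, &h);
}
```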