On 10/14/25 4:41 AM, Jason Wang wrote: > On Mon, Oct 13, 2025 at 4:17 PM Paolo Abeni <[email protected]> wrote: >> On 10/13/25 10:08 AM, Michael S. Tsirkin wrote: >>> On Mon, Oct 13, 2025 at 09:37:29AM +0200, Paolo Abeni wrote: >>>> On 10/13/25 9:20 AM, Jason Wang wrote: >>>>> On Mon, Oct 13, 2025 at 1:29 PM Jason Wang <[email protected]> wrote: >>>>>> On Sat, Oct 11, 2025 at 3:40 PM Jason Wang <[email protected]> wrote: >>>>>>> >>>>>>> #syz test >>>>>>> >>>>>>> On Sat, Oct 11, 2025 at 4:38 AM syzbot >>>>>>> <[email protected]> wrote: >>>>>> >>>>>> Paolo, it looks like the GSO tunnel features will leave uninitialized >>>>>> vnet header field which trigger KMSAN warning. >>>>>> >>>>>> Please have a look at the patch (which has been tested by syzbot) or >>>>>> propose another one. >>>>> >>>>> Forget the attachment. >>>> >>>> I have a few questions. The report mentions both UaF and uninit; the >>>> patch addresses "just" the uninit access. It's not clear to me if and >>>> how the UaF is addressed, and why/if it's related to the uninit access. >>> >>> I'd like to understand that, too. >> >> Somewhat related: the syzbot dashboard reports that the issue is no more >> reproducible on plain Linus' tree: >> >> https://syzkaller.appspot.com/bug?extid=ac856b8b866cca41352c > > Interesting. > >> >> """ >> * repros no longer work on HEAD. >> """ >> >> Possibly there was some external problem? > > I think at least we need to make sure no information as we did in > virtio_net_hdr_from_skb(): > > static inline int virtio_net_hdr_from_skb(const struct sk_buff *skb, > struct virtio_net_hdr *hdr, > bool little_endian, > bool has_data_valid, > int vlan_hlen) > { > memset(hdr, 0, sizeof(*hdr)); /* no info leak */
I agree it makes sense to fully initialize the virtio_net_hdr_v1_hash_tunnel struct. I would prefer to individually zero the related fields (as in your initial patch). Hopefully the compiler is smart enough to generate a single 64bit store instruction. Still the backtrace reported by syzbot makes little sense to me: "uninit created" at skb free time?!? UaF ?!? I suggest avoiding explicitly marking the syzbot report closed with the formal patch. Thanks, Paolo
