Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751200AbdGNTGN (ORCPT ); Fri, 14 Jul 2017 15:06:13 -0400 Received: from mail-oi0-f42.google.com ([209.85.218.42]:35947 "EHLO mail-oi0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751145AbdGNTGL (ORCPT ); Fri, 14 Jul 2017 15:06:11 -0400 MIME-Version: 1.0 In-Reply-To: References: <20170714165453.112098-1-glider@google.com> From: Neal Cardwell Date: Fri, 14 Jul 2017 15:05:40 -0400 Message-ID: Subject: Re: [PATCH] ipv6: initialize treq->txhash in cookie_v6_check() To: Alexander Potapenko Cc: Dmitry Vyukov , Kostya Serebryany , Eric Dumazet , David Miller , LKML , Netdev Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1605 Lines: 39 On Fri, Jul 14, 2017 at 1:35 PM, Alexander Potapenko wrote: > On Fri, Jul 14, 2017 at 7:04 PM, Neal Cardwell wrote: >> On Fri, Jul 14, 2017 at 12:54 PM, Alexander Potapenko wrote: >>> KMSAN reported use of uninitialized memory in skb_set_hash_from_sk(), >>> which originated from the TCP request socket created in >>> cookie_v6_check(): >> ... >>> --- a/net/ipv6/syncookies.c >>> +++ b/net/ipv6/syncookies.c >>> @@ -216,6 +216,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) >>> treq->rcv_isn = ntohl(th->seq) - 1; >>> treq->snt_isn = cookie; >>> treq->ts_off = 0; >>> + treq->txhash = 0; >>> >>> /* >>> * We need to lookup the dst_entry to get the correct window size. >> >> I would have thought that the same fix is needed in the corresponding >> line in cookie_v4_check() in net/ipv4/syncookies.c? (I do not see >> txhash being initialized for the IPv4 side.) If it's not needed for >> some reason, then it would be worth a comment in the commit >> description to explain why not. > Most certainly it is needed. I haven't seen reports for that in the > wild and couldn't forge a repro triggering the bug in IPv4, but I'll > give it another shot. If you force syncookies to be used, with: sysctl -q net.ipv4.tcp_syncookies=2 then every passive IPv4 TCP connection that is accepted by a TCP server app should be using that uninitialized memory, I would think (and thus should be liable to fire the KMSAN use of uninitialized memory warning). Does that work? neal