<div dir="ltr">and one more set of data, this time regarding MSAN findings in the Linux kernel (thanks to <a class="gmail_plusreply" id="plusReplyChip-3" href="mailto:dvyukov@google.com" tabindex="-1">@Dmitry Vyukov</a> and <a class="gmail_plusreply" id="plusReplyChip-4" href="mailto:glider@google.com" tabindex="-1">@Alexander Potapenko</a>). <div>Again, as you can see, stack UUMs are ~40% of all UUMs. <br><div><br></div><div><span style="text-decoration-line:underline;font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><a href="https://github.com/google/kmsan/wiki/KMSAN-Trophies" style="text-decoration-line:none">KMSAN trophies</a></span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-size:11pt;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://groups.google.com/forum/#!searchin/syzkaller-bugs/subject$3Akmsan" style="text-decoration-line:none"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">more trophies</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-size:11pt;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap">, </span><a href="https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33" style="text-decoration-line:none"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">CVEs</span></a><br></div>This includes info about all syzbot reports (90) + manually reported infoleaks (6).<br><br>96 bugs total<br>stack: 
41<br>heap: 55<br>At least 17 of these are confirmed info leaks. <br><br>Detailed breakdown for info leaks:<br><br>uninit fields in structs (9):<br><a href="https://syzkaller.appspot.com/bug?id=d0d39d5cbbf35a2161298bd1724e8e88f75ed0e9">https://syzkaller.appspot.com/bug?id=d0d39d5cbbf35a2161298bd1724e8e88f75ed0e9</a><br><a href="https://syzkaller.appspot.com/bug?id=7c86e19e2b252ed8113e07ed622699db13d3d2f4">https://syzkaller.appspot.com/bug?id=7c86e19e2b252ed8113e07ed622699db13d3d2f4</a><br><a href="https://syzkaller.appspot.com/bug?id=2bca8d385b9f50b1758d47333afd1ded073110ed">https://syzkaller.appspot.com/bug?id=2bca8d385b9f50b1758d47333afd1ded073110ed</a><br><a href="https://syzkaller.appspot.com/bug?id=ec842e5517a7de1a24951059e7746db582a0cda2">https://syzkaller.appspot.com/bug?id=ec842e5517a7de1a24951059e7746db582a0cda2</a><br><a href="https://syzkaller.appspot.com/bug?id=34abc06dce2b5eb8e6aeae7665940815b64f4575">https://syzkaller.appspot.com/bug?id=34abc06dce2b5eb8e6aeae7665940815b64f4575</a><br><a href="https://syzkaller.appspot.com/bug?id=cb98d4633cad367e239e527e64850e1ddf489e70">https://syzkaller.appspot.com/bug?id=cb98d4633cad367e239e527e64850e1ddf489e70</a><br><a href="https://lkml.org/lkml/2017/3/7/361">https://lkml.org/lkml/2017/3/7/361</a><br><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14954">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14954</a><br><a href="https://github.com/torvalds/linux/commit/7c8a61d9ee1df0fb4747879fa67a99614eb62fec">https://github.com/torvalds/linux/commit/7c8a61d9ee1df0fb4747879fa67a99614eb62fec</a><br><br>padding in structs (2):<br><a href="https://syzkaller.appspot.com/bug?id=d91d2d6a23bf5f081051dd48f232688fdb083af7">https://syzkaller.appspot.com/bug?id=d91d2d6a23bf5f081051dd48f232688fdb083af7</a><br><a href="https://lkml.org/lkml/2018/4/27/833">https://lkml.org/lkml/2018/4/27/833</a><br><br>uninit byte arrays (6):<br><a 
href="https://syzkaller.appspot.com/bug?id=6eac9890f5b21f7971b7ebc3dd6124f16ec5444a">https://syzkaller.appspot.com/bug?id=6eac9890f5b21f7971b7ebc3dd6124f16ec5444a</a><br><a href="https://syzkaller.appspot.com/bug?id=737a192d45b90420ee837241d390e65fcdec7371">https://syzkaller.appspot.com/bug?id=737a192d45b90420ee837241d390e65fcdec7371</a><br><a href="https://syzkaller.appspot.com/bug?id=78e9ad0e6952a3ca16e8234724b2fa92d041b9b8">https://syzkaller.appspot.com/bug?id=78e9ad0e6952a3ca16e8234724b2fa92d041b9b8</a><br><a href="https://syzkaller.appspot.com/bug?id=eaf2836e848d856b93361d3f3a86b36830f9c045">https://syzkaller.appspot.com/bug?id=eaf2836e848d856b93361d3f3a86b36830f9c045</a><br><a href="https://www.openwall.com/lists/oss-security/2017/06/12/2">https://www.openwall.com/lists/oss-security/2017/06/12/2</a><br><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14991">https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14991</a><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 27, 2018 at 10:19 AM Kostya Serebryany <<a href="mailto:kcc@google.com">kcc@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>One more data point: among the bugs found by MSAN in Chrome over the past few years 449 were uninitialized heap and 295 were uninitialized stack. </div><div>So, the proposed functionality would prevent ~40% (i.e. quite a bit!) of all UUMs in software like Chrome. 
</div><br><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 27, 2018 at 1:24 AM Andrea Bocci via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">On Sat, 17 Nov 2018 at 18:00, David Blaikie via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Would it be that drastic to have this require a code change/compiler rebuild to enable? It could be designed so the change is small/easy (changing a constant) but that the default compilers we all ship around (& especially not the official releases) don't allow access to this functionality.<br><br>Anyone wanting to gather data would have to make this small change, rebuild their compiler, build their target with this feature & gather results from there.</div></blockquote><div><br></div>Then you might as well maintain a patchset outside the main repository and require patching the sources.</div><div class="gmail_quote">What is time consuming and discouraging is not the complexity of the changes, but the fact that one has to rebuild the compiler in the first place, and make any changes at all.</div><div class="gmail_quote"><br></div><div class="gmail_quote">It would also make it much harder to build only part of a complex environment with the feature enabled - for example, building the underlying libraries with the default compiler, and the tools on top with the patched compiler.</div></div></blockquote><div><br></div><div>+1<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><br></div><div class="gmail_quote">.Andrea<br></div></div>
_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
</blockquote></div></div>
</blockquote></div>
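<div>The three infoleak classes in the KMSAN breakdown above (uninitialized struct fields, struct padding, and the unused tail of a byte array) reduce to the same stack-residue problem, which is what the proposed stack auto-initialization would close. The C program below is an added example written for this page; it is not code from the thread, from the Linux kernel, or from KMSAN. It models a hypothetical ioctl-style reply struct, pre-fills its stack slot with an assumed residue pattern (0xAA) to stand in for whatever a previous call left behind, copies the struct to a "user" buffer with memcpy in place of copy_to_user(), and then counts, per class, how many residue bytes reach userspace with the vulnerable filler versus a memset-first filler.</div>

```c
/*
 * Added example (not from the cfe-dev thread, the kernel, or KMSAN): the three
 * infoleak classes from the KMSAN list in one hypothetical reply struct.
 *
 * Assumptions: 0xAA stands in for stale stack contents, memcpy() stands in
 * for copy_to_user(), and `struct msg` / IFNAME are constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESIDUE  0xAA   /* assumed stale-stack byte pattern */
#define NAME_LEN 16

/* Hypothetical reply struct. On common ABIs: type@0, 3 padding bytes,
 * len@4, name@8, reserved@24, sizeof == 28; offsets are computed below. */
struct msg {
    uint8_t  type;
    uint32_t len;
    char     name[NAME_LEN];
    uint32_t reserved;   /* never written by the vulnerable filler */
};

/* Union gives the struct storage that can be pre-dirtied through .raw. */
union slot {
    struct msg    m;
    unsigned char raw[sizeof(struct msg)];
};

static const char IFNAME[] = "eth0";   /* constructed sample, 5 bytes incl. NUL */

/* Bug pattern: assign fields one at a time. Padding after `type`, the
 * unused tail of name[] and the forgotten `reserved` keep old contents. */
static void fill_vulnerable(struct msg *m)
{
    m->type = 1;
    m->len  = sizeof(IFNAME);
    memcpy(m->name, IFNAME, sizeof(IFNAME));   /* 5 of 16 bytes written */
}

/* Fix: clear the whole object first so every byte, padding included, is
 * defined before it is copied out. Compiler-driven stack auto-init has the
 * same effect without relying on each call site remembering the memset. */
static void fill_hardened(struct msg *m)
{
    memset(m, 0, sizeof(*m));
    m->type = 1;
    m->len  = sizeof(IFNAME);
    memcpy(m->name, IFNAME, sizeof(IFNAME));
}

/* Simulate one syscall: dirty the slot, fill it, copy it to `user`. */
static void run(void (*fill)(struct msg *), unsigned char user[sizeof(struct msg)])
{
    union slot s;
    memset(s.raw, RESIDUE, sizeof(s.raw));   /* leftovers from a prior call */
    fill(&s.m);
    memcpy(user, s.raw, sizeof(s.raw));      /* stand-in for copy_to_user() */
}

/* Number of bytes in [lo, hi) of the user copy that still carry residue. */
static size_t residue_in(const unsigned char *user, size_t lo, size_t hi)
{
    size_t n = 0;
    for (size_t i = lo; i < hi; i++)
        n += (user[i] == RESIDUE);
    return n;
}

/* Returns total leaked bytes; out[0..2] = padding, byte-array tail,
 * uninitialized field, matching the three classes in the KMSAN list. */
size_t leak_breakdown(int hardened, size_t out[3])
{
    unsigned char user[sizeof(struct msg)];
    const size_t name_off = offsetof(struct msg, name);
    const size_t res_off  = offsetof(struct msg, reserved);

    run(hardened ? fill_hardened : fill_vulnerable, user);

    /* padding: between type and len, plus any trailing padding */
    out[0] = residue_in(user, sizeof(uint8_t), offsetof(struct msg, len))
           + residue_in(user, res_off + sizeof(uint32_t), sizeof(struct msg));
    /* uninitialized byte array: name[] past the copied string */
    out[1] = residue_in(user, name_off + sizeof(IFNAME), name_off + NAME_LEN);
    /* uninitialized field: reserved was never assigned */
    out[2] = residue_in(user, res_off, res_off + sizeof(uint32_t));
    return residue_in(user, 0, sizeof user);
}

int main(void)
{
    size_t b[3];
    size_t total = leak_breakdown(0, b);
    printf("vulnerable: %zu bytes leak (padding %zu, name tail %zu, reserved %zu)\n",
           total, b[0], b[1], b[2]);
    total = leak_breakdown(1, b);
    printf("hardened:   %zu bytes leak\n", total);
    return 0;
}
```

<div>On a typical 64-bit ABI the vulnerable filler exposes 18 of the 28 bytes (3 padding, 11 from the name tail, 4 from the untouched reserved field) and the memset-first filler exposes none. The padding count is what the per-field "everything was assigned" review misses, which is why a whole-object clear, or the compiler doing it, is the check to insist on for any struct that crosses the kernel/user boundary.</div>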