[cfe-dev] [RFC] automatic variable initialization

Kostya Serebryany via cfe-dev cfe-dev at lists.llvm.org
Wed Nov 28 12:21:57 PST 2018


And one more set of data, this time regarding MSAN findings in the Linux
kernel (thanks to @Dmitry Vyukov <dvyukov at google.com> and @Alexander
Potapenko <glider at google.com>).
Again, as you can see, stack UUMs are ~40% of all UUMs.

KMSAN trophies <https://github.com/google/kmsan/wiki/KMSAN-Trophies>,
more trophies <https://groups.google.com/forum/#!searchin/syzkaller-bugs/subject$3Akmsan>,
CVEs <https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33>
This includes info about all syzbot reports (90) + manually reported
infoleaks (6).

96 bugs total
stack: 41
heap: 55
At least 17 of these are confirmed info leaks.

Detailed breakdown for info leaks:

uninit fields in structs (9):
https://syzkaller.appspot.com/bug?id=d0d39d5cbbf35a2161298bd1724e8e88f75ed0e9
https://syzkaller.appspot.com/bug?id=7c86e19e2b252ed8113e07ed622699db13d3d2f4
https://syzkaller.appspot.com/bug?id=2bca8d385b9f50b1758d47333afd1ded073110ed
https://syzkaller.appspot.com/bug?id=ec842e5517a7de1a24951059e7746db582a0cda2
https://syzkaller.appspot.com/bug?id=34abc06dce2b5eb8e6aeae7665940815b64f4575
https://syzkaller.appspot.com/bug?id=cb98d4633cad367e239e527e64850e1ddf489e70
https://lkml.org/lkml/2017/3/7/361
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14954
https://github.com/torvalds/linux/commit/7c8a61d9ee1df0fb4747879fa67a99614eb62fec

padding in structs (2):
https://syzkaller.appspot.com/bug?id=d91d2d6a23bf5f081051dd48f232688fdb083af7
https://lkml.org/lkml/2018/4/27/833

uninit byte arrays (6):
https://syzkaller.appspot.com/bug?id=6eac9890f5b21f7971b7ebc3dd6124f16ec5444a
https://syzkaller.appspot.com/bug?id=737a192d45b90420ee837241d390e65fcdec7371
https://syzkaller.appspot.com/bug?id=78e9ad0e6952a3ca16e8234724b2fa92d041b9b8
https://syzkaller.appspot.com/bug?id=eaf2836e848d856b93361d3f3a86b36830f9c045
https://www.openwall.com/lists/oss-security/2017/06/12/2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14991

On Tue, Nov 27, 2018 at 10:19 AM Kostya Serebryany <kcc at google.com> wrote:

> One more data point: among the bugs found by MSAN in Chrome over the past
> few years 449 were uninitialized heap and 295 were uninitialized stack.
> So, the proposed functionality would prevent ~40% (i.e. quite a bit!) of
> all UUMs in software like Chrome.
>
>
> On Tue, Nov 27, 2018 at 1:24 AM Andrea Bocci via cfe-dev <
> cfe-dev at lists.llvm.org> wrote:
>
>> On Sat, 17 Nov 2018 at 18:00, David Blaikie via cfe-dev <
>> cfe-dev at lists.llvm.org> wrote:
>>
>>> Would it be that drastic to have this require a code change/compiler
>>> rebuild to enable? It could be designed so the change is small/easy
>>> (changing a constant) but that the default compilers we all ship around (&
>>> especially not the official releases) don't allow access to this
>>> functionality.
>>>
>>> Anyone wanting to gather data would have to make this small change,
>>> rebuild their compiler, build their target with this feature & gather
>>> results from there.
>>>
>>
>> Then you might as well maintain a patchset outside the main repository
>> and require patching the sources.
>> What is time consuming and discouraging is not the complexity of the
>> changes, but the fact that one has to rebuild the compiler in the first
>> place, and make any changes at all.
>>
>> It would also make it much harder to build only part of a complex
>> environment with the feature enabled - for example, building the underlying
>> libraries with the default compiler, and the tools on top with the patched
>> compiler.
>>
>
> +1
>
>
>>
>> .Andrea
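The three info-leak categories in the breakdown above (an uninitialized struct field, compiler-inserted padding, and a partially filled byte array) can be made concrete with a small harness. The following is an added example written for this page, not code from the thread, from KMSAN, or from the kernel patches linked above. It pre-fills each local object with a sentinel byte (a crude stand-in for the shadow tracking MSan/KMSAN actually do), runs a representative initialization, and counts the bytes the initialization never wrote: those are exactly the bytes that would escape if the object were copied out to a less trusted context. The struct layouts, field values and the 0xAA sentinel are all constructed for the demonstration; the last function shows the mitigation the RFC proposes to automate, a whole-object zeroing before any member is touched.

```c
/* Added example (not from the cfe-dev thread): a sentinel-fill harness that
 * approximates how MSan/KMSAN classify "uninitialized" bytes. Each object is
 * pre-filled with 0xAA, the initialization code under test runs, and any byte
 * still equal to 0xAA is one that would leak if the object were copied out.
 * All layouts and values below are constructed for the demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SENTINEL 0xAAu

/* Count the bytes of an object that no initialization code ever wrote. */
static size_t untouched_bytes(const void *obj, size_t len)
{
    const unsigned char *p = obj;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] == SENTINEL)
            n++;
    return n;
}

/* Category 1 ("uninit fields in structs"): the layout has no padding, but the
 * code forgets to set one member before the struct is copied out. */
struct no_padding_msg { int id; int flags; int reserved; };

size_t leak_uninit_field(void)
{
    struct no_padding_msg m;
    memset(&m, SENTINEL, sizeof m);   /* stand-in for stale stack contents */
    m.id = 1;
    m.flags = 2;                      /* m.reserved is never written */
    return untouched_bytes(&m, sizeof m);   /* == sizeof(int) */
}

/* Category 2 ("padding in structs"): every member is assigned, yet the
 * alignment padding the compiler inserted between them is never written. */
struct padded_msg { char kind; int value; short len; };

size_t leak_padding(void)
{
    struct padded_msg m;
    memset(&m, SENTINEL, sizeof m);
    m.kind = 1;
    m.value = 2;
    m.len = 3;                        /* 7 bytes of fields written in total */
    return untouched_bytes(&m, sizeof m);   /* == sizeof m - 7: the padding */
}

/* Category 3 ("uninit byte arrays"): a fixed-size buffer is only partially
 * filled, and the whole buffer, tail included, is what gets copied out. */
size_t leak_byte_array(void)
{
    char name[16];
    memset(name, SENTINEL, sizeof name);
    memcpy(name, "alice", 6);          /* 5 chars + NUL; 10 bytes untouched */
    return untouched_bytes(name, sizeof name);
}

/* Mitigation: zero the whole object before touching any member. Automatic
 * variable initialization would have the compiler insert the equivalent of
 * this memset for every local; done by hand it is the per-site fix. */
size_t hardened_padding(void)
{
    struct padded_msg m;
    memset(&m, SENTINEL, sizeof m);   /* stale stack, as above */
    memset(&m, 0, sizeof m);          /* the fix: covers fields AND padding */
    m.kind = 1;
    m.value = 2;
    m.len = 3;
    return untouched_bytes(&m, sizeof m);   /* == 0 */
}

int main(void)
{
    printf("uninit field : %zu bytes would leak\n", leak_uninit_field());
    printf("padding      : %zu bytes would leak\n", leak_padding());
    printf("byte array   : %zu bytes would leak\n", leak_byte_array());
    printf("hardened     : %zu bytes would leak\n", hardened_padding());
    return 0;
}
```

The padding case is the one that per-field review tends to miss: every member is assigned, so the code looks complete, and only a whole-object clear (or the compiler doing it on the programmer's behalf, which is the point of the proposal) closes the gap. The exact padding count depends on the target ABI, which is why the harness computes it rather than hard-coding a number.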