Page MenuHomeFreeBSD
Differential D31510

arc4random: Avoid KMSAN false positives from pre-seeding results
ClosedPublic
Actions

Authored by markj on Aug 11 2021, 8:07 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Dec 7, 4:55 AM
Unknown Object (File)
Sat, Nov 30, 10:50 AM
Unknown Object (File)
Thu, Nov 28, 5:55 PM
Unknown Object (File)
Mon, Nov 25, 2:35 AM
Unknown Object (File)
Sun, Nov 24, 5:42 AM
Unknown Object (File)
Sat, Nov 23, 7:35 PM
Unknown Object (File)
Fri, Nov 22, 7:06 PM
Unknown Object (File)
Fri, Nov 22, 8:35 AM
View All Files
Subscribers
imp
jmg

Details

Reviewers
cem
delphij
Commits
rG3d69515cfea2: arc4random: Avoid KMSAN false positives from pre-seeding results
Summary

If code calls arc4random(), and our RNG is not yet seeded and
random_bypass_before_seeding is true, we'll compute a key using the
SHA256 hash of some hopefully hard-to-predict data, including the
contents of an uninitialized stack buffer (which is also the output
buffer).

When KMSAN is enabled, this use of uninitialized state propagtes through
to the arc4random() output, resulting in false positives. To fix this,
lie to KMSAN and explicitly mark the buffer as initialized.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Aug 11 2021, 8:07 PM
Herald added subscribers: jmg, imp. · View Herald TranscriptAug 11 2021, 8:07 PM
markj requested review of this revision.Aug 11 2021, 8:07 PM
Harbormaster completed remote builds in B41002: Diff 93562.Aug 11 2021, 8:07 PM
cem accepted this revision.Aug 11 2021, 11:05 PM

It's not exactly a false positive, although poisoning the output as uninitialized is sort of unhelpful. Are we confident the compiler isn't eliminating access to it (due to UB) outside of KMSAN? In the abstract, I think we would prefer to eliminate bypass_before_seeding.

I'd probably add some summarized form of the commit message as a comment adjacent to the kmsan_mark() invocation.

This revision is now accepted and ready to land.Aug 11 2021, 11:05 PM
markj added a comment.Aug 12 2021, 1:59 PM
In D31510#710348, @cem wrote:

It's not exactly a false positive, although poisoning the output as uninitialized is sort of unhelpful.

Yeah, everything is working as expected here, I've just been tending to use "false positive" to mean, "any KMSAN report that doesn't correspond to a code bug."

Are we confident the compiler isn't eliminating access to it (due to UB) outside of KMSAN? In the abstract, I think we would prefer to eliminate bypass_before_seeding.

What exactly is the UB here? I'm not sure how the compiler could legally eliminate SHA256_Update(&ctx, key, sizeof(key)).

I'd probably add some summarized form of the commit message as a comment adjacent to the kmsan_mark() invocation.

Will do, thanks.

cem added a comment.Aug 12 2021, 2:15 PM
In D31510#710608, @markj wrote:

What exactly is the UB here? I'm not sure how the compiler could legally eliminate SHA256_Update(&ctx, key, sizeof(key)).

Any use of uninitialized variables is UB, I think?

markj added a comment.Aug 12 2021, 2:34 PM
In D31510#710613, @cem wrote:
In D31510#710608, @markj wrote:

What exactly is the UB here? I'm not sure how the compiler could legally eliminate SHA256_Update(&ctx, key, sizeof(key)).

Any use of uninitialized variables is UB, I think?

I believe so, I just don't see how the compiler can infer that key is being accessed here.

cem added a comment.Aug 12 2021, 2:38 PM

LTO builds can see across CUs. I don’t know of any particular pass that would eliminate this, though.

Closed by commit rG3d69515cfea2: arc4random: Avoid KMSAN false positives from pre-seeding results (authored by markj). · Explain WhyAug 13 2021, 1:59 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rG3d69515cfea2: arc4random: Avoid KMSAN false positives from pre-seeding results.

Revision Contents
Changeset List

PathSize
sys/
libkern/
9 lines

Diff 93648

View Options

sys/libkern/arc4random.c

Loading...