Possible uninitialized read in `decompress_blob_lz4`

[mrc0mmand]

Yet another (possible) issue found by MemorySanitizer.

Uninitialized bytes in __interceptor_memcmp at offset 0 inside [0x734000000000, 120052)
==21757==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x499691 in test_compress_decompress /home/fsumsal/repos/systemd/build/../src/journal/test-compress-benchmark.c:124:17
    #1 0x495d12 in main /home/fsumsal/repos/systemd/build/../src/journal/test-compress-benchmark.c:169:17
    #2 0x7ff8d794bf32 in __libc_start_main (/lib64/libc.so.6+0x23f32)
    #3 0x41c3bd in _start (/home/fsumsal/repos/systemd/build/test-compress-benchmark+0x41c3bd)

  Uninitialized value was created by a heap allocation
    #0 0x425193 in realloc (/home/fsumsal/repos/systemd/build/test-compress-benchmark+0x425193)
    #1 0x7ff8d8fccb30 in decompress_blob_lz4 /home/fsumsal/repos/systemd/build/../src/journal/compress.c:194:23
    #2 0x4991fd in test_compress_decompress /home/fsumsal/repos/systemd/build/../src/journal/test-compress-benchmark.c:119:21
    #3 0x495d12 in main /home/fsumsal/repos/systemd/build/../src/journal/test-compress-benchmark.c:169:17
    #4 0x7ff8d794bf32 in __libc_start_main (/lib64/libc.so.6+0x23f32)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /home/fsumsal/repos/systemd/build/../src/journal/test-compress-benchmark.c:124:17 in test_compress_decompress
Exiting

The issue itself is caused by passing dst_alloc_size = 0 (in this particular case) to decompress_blob_lz4() which then calls realloc(), where the new memory blob is treated as uninitialized by MSan.

https://github.com/systemd/systemd/blob/master/src/journal/compress.c#L193-L198

I'm not sure if this is a real issue here, as the uninitialized memory should get initialized later by the LZ4_decompress_safe() function, so it's possible MSan is just confused (which could be solved by msan_unpoison()); calling memset/memzero on the new memory blob makes MSan happy though.

[mrc0mmand]

Actually, apart from the test-compress-benchmark, this issue seems to affect journal as well:

--- command ---
PATH='/build/build:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' SYSTEMD_KBD_MODEL_MAP='/build/src/locale/kbd-model-map' SYSTEMD_LANGUAGE_FALLBACK_MAP='/build/src/locale/language-fallback-map' /build/build/test-journal-flush
--- stderr ---
==20336==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7efd403e9afb in journal_file_find_data_object_with_hash /build/build/../src/journal/journal-file.c:1336:43
    #1 0x7efd403f3a6e in journal_file_append_data /build/build/../src/journal/journal-file.c:1492:13
    #2 0x7efd4044c234 in journal_file_copy_entry /build/build/../src/journal/journal-file.c:3672:21
    #3 0x496821 in main /build/build/../src/journal/test-journal-flush.c:46:21
    #4 0x7efd3ed5a09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #5 0x41e379 in _start (/build/build/test-journal-flush+0x41e379)
  Uninitialized value was stored to memory at
    #0 0x7efd404df2b0 in jenkins_hashlittle2 /build/build/../src/journal/lookup3.c:492:7
    #1 0x7efd403e83ad in hash64 /build/build/../src/journal/lookup3.h:19:9
    #2 0x7efd403f3911 in journal_file_append_data /build/build/../src/journal/journal-file.c:1490:16
    #3 0x7efd4044c234 in journal_file_copy_entry /build/build/../src/journal/journal-file.c:3672:21
    #4 0x496821 in main /build/build/../src/journal/test-journal-flush.c:46:21
    #5 0x7efd3ed5a09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
  Uninitialized value was stored to memory at
    #0 0x7efd404df09d in jenkins_hashlittle2 /build/build/../src/journal/lookup3.c:492:7
    #1 0x7efd403e83ad in hash64 /build/build/../src/journal/lookup3.h:19:9
    #2 0x7efd403f3911 in journal_file_append_data /build/build/../src/journal/journal-file.c:1490:16
    #3 0x7efd4044c234 in journal_file_copy_entry /build/build/../src/journal/journal-file.c:3672:21
    #4 0x496821 in main /build/build/../src/journal/test-journal-flush.c:46:21
    #5 0x7efd3ed5a09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
  Uninitialized value was stored to memory at
    #0 0x7efd404dee8a in jenkins_hashlittle2 /build/build/../src/journal/lookup3.c:492:7
    #1 0x7efd403e83ad in hash64 /build/build/../src/journal/lookup3.h:19:9
    #2 0x7efd403f3911 in journal_file_append_data /build/build/../src/journal/journal-file.c:1490:16
    #3 0x7efd4044c234 in journal_file_copy_entry /build/build/../src/journal/journal-file.c:3672:21
    #4 0x496821 in main /build/build/../src/journal/test-journal-flush.c:46:21
    #5 0x7efd3ed5a09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
  Uninitialized value was stored to memory at
    #0 0x7efd404dec77 in jenkins_hashlittle2 /build/build/../src/journal/lookup3.c:492:7
    #1 0x7efd403e83ad in hash64 /build/build/../src/journal/lookup3.h:19:9
    #2 0x7efd403f3911 in journal_file_append_data /build/build/../src/journal/journal-file.c:1490:16
    #3 0x7efd4044c234 in journal_file_copy_entry /build/build/../src/journal/journal-file.c:3672:21
    #4 0x496821 in main /build/build/../src/journal/test-journal-flush.c:46:21
    #5 0x7efd3ed5a09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
  Uninitialized value was stored to memory at
    #0 0x7efd404dea64 in jenkins_hashlittle2 /build/build/../src/journal/lookup3.c:492:7
    #1 0x7efd403e83ad in hash64 /build/build/../src/journal/lookup3.h:19:9
    #2 0x7efd403f3911 in journal_file_append_data /build/build/../src/journal/journal-file.c:1490:16
    #3 0x7efd4044c234 in journal_file_copy_entry /build/build/../src/journal/journal-file.c:3672:21
    #4 0x496821 in main /build/build/../src/journal/test-journal-flush.c:46:21
    #5 0x7efd3ed5a09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
  Uninitialized value was stored to memory at
    #0 0x7efd404de75c in jenkins_hashlittle2 /build/build/../src/journal/lookup3.c:490:9
    #1 0x7efd403e83ad in hash64 /build/build/../src/journal/lookup3.h:19:9
    #2 0x7efd403f3911 in journal_file_append_data /build/build/../src/journal/journal-file.c:1490:16
    #3 0x7efd4044c234 in journal_file_copy_entry /build/build/../src/journal/journal-file.c:3672:21
    #4 0x496821 in main /build/build/../src/journal/test-journal-flush.c:46:21
    #5 0x7efd3ed5a09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
  Uninitialized value was created by a heap allocation
    #0 0x42a032 in realloc (/build/build/test-journal-flush+0x42a032)
    #1 0x7efd403b9dcc in decompress_blob_lz4 /build/build/../src/journal/compress.c:194:23
    #2 0x7efd403bb2bc in decompress_blob /build/build/../src/journal/compress.c:220:24
    #3 0x7efd4044bdd0 in journal_file_copy_entry /build/build/../src/journal/journal-file.c:3659:29
    #4 0x496821 in main /build/build/../src/journal/test-journal-flush.c:46:21
    #5 0x7efd3ed5a09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
SUMMARY: MemorySanitizer: use-of-uninitialized-value /build/build/../src/journal/journal-file.c:1336:43 in journal_file_find_data_object_with_hash
Exiting

[horusscope]

int decompress_blob_lz4(const void *src, uint64_t src_size,
                        void **dst, size_t *dst_alloc_size, size_t* dst_size, size_t dst_max)

dst_alloc_size is a pointer
a value of zero is equal to NULL
try this instead

size_t * size = new size_t;
*size = 0;
...
delete size;

[mrc0mmand]

I admit I wrote it somewhat confusingly, but I indeed meant the actual value of dst_alloc_size, not the pointer address itself:

(gdb) print dst_alloc_size
$1 = (size_t *) 0x7fffffffcf88
(gdb) print *dst_alloc_size
$2 = 0

Sorry for the confusion :-)

[horusscope]

https://linux.die.net/man/3/malloc

If size is 0, then malloc() returns either NULL, or a unique pointer value that can later be successfully passed to free().

__interceptor_memcmp at offset 0 inside [0x734000000000
implies in fact that realloc (which defaults to malloc when a NULL destination is passed) allocated a 0 byte length segment, and then the testing function prodded offset 0, which was out of range.

[mrc0mmand]

Actually, thinking about this a little bit more, this happens to be a yet another false positive, as we don't use instrumented lz4 library (which completely slipped my mind). Thus, MSan can't update its shadow map accordingly, after the LZ4_decompress_safe() function.

Before LZ4_decompress_safe()

202             r = LZ4_decompress_safe((char*)src + 8, out, src_size - 8, size);                                                                                                 
(gdb) p (void)__msan_print_shadow(out, 100)
Shadow map of [0x2ffff5826000, 0x2ffff5826064), 100 bytes:
0x2ffff5826000: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826010: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826020: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826030: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826040: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826050: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826060: ffffffff ........ ........ ........  |A . . .|
...

After LZ4_decompress_safe():

203             if (r < 0 || r != size)
(gdb) p (void)__msan_print_shadow(out, 100)
Shadow map of [0x2ffff5826000, 0x2ffff5826064), 100 bytes:
0x2ffff5826000: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826010: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826020: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826030: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826040: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826050: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5826060: ffffffff ........ ........ ........  |A . . .|
...

Also, a basic sanity check to verify the shadow map works as expected:

(gdb) step
194                     out = realloc(*dst, size);
(gdb) step
195                     if (!out)
(gdb) p (void)__msan_print_shadow(out, 100)
Shadow map of [0x2ffff5a20000, 0x2ffff5a20064), 100 bytes:
0x2ffff5a20000: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20010: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20020: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20030: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20040: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20050: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20060: ffffffff ........ ........ ........  |A . . .|
...

(gdb) call (void)memset(out, 0xAA, 4)
(gdb) p (void)__msan_print_shadow(out, 100)
Shadow map of [0x2ffff5a20000, 0x2ffff5a20064), 100 bytes:
0x2ffff5a20000: 00000000 ffffffff ffffffff ffffffff  |. A A A|
0x2ffff5a20010: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20020: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20030: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20040: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20050: ffffffff ffffffff ffffffff ffffffff  |A A A A|
0x2ffff5a20060: ffffffff ........ ........ ........  |A . . .|

[evverx]

@horusscope I'm not sure how you found this issue but based on what was discussed here I'm just going to assume (and please correct me if I'm wrong) you're interested in MSan and lz4. I'm wondering if you've seen lz4/lz4#731 (which should help to discover real issues in lz4 with ASan/UBSan/MSan). I'm not sure why it hasn't been integrated yet. Probably they are waiting for external contributors who are ready to help to roll it out.