KMSAN (KernelMemorySanitier)

KMSAN is a detector of uninitialized memory use for the Linux kernel. It is currently in development.

Contact: ramosian-glider@

Code

The kernel branch with KMSAN patches is available at https://github.com/google/kmsan
Patches for LLVM r313704: LLVM patch, Clang patch
Clang wrapper: https://github.com/google/kmsan/blob/master/clang_wrapper.py

How to build

In order to build a kernel with KMSAN you'll need a custom Clang built from a patched tree on LLVM r298239.

export WORLD=`pwd`

Build Clang

R=313704
svn co -r $R http://llvm.org/svn/llvm-project/llvm/trunk llvm
cd llvm
(cd tools && svn co -r $R http://llvm.org/svn/llvm-project/cfe/trunk clang)
(cd projects && svn co -r $R http://llvm.org/svn/llvm-project/compiler-rt/trunk compiler-rt)
wget https://raw.githubusercontent.com/google/kmsan/master/kmsan-llvm.patch
patch -p0 -i kmsan-llvm.patch
wget https://raw.githubusercontent.com/google/kmsan/master/kmsan-clang.patch
patch -p0 -i kmsan-clang.patch
mkdir llvm_cmake_build && cd llvm_cmake_build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_ASSERTIONS=ON ../
make -j64 clang
export KMSAN_CLANG_PATH=`pwd`/bin/clang

Configure and build the kernel

cd $WORLD
git clone https://github.com/google/kmsan.git kmsan
cd kmsan
# Now configure the kernel. You basically need to enable CONFIG_KMSAN and CONFIG_KCOV,
# plus maybe some 9P options to interact with QEMU.
cp .config.example .config
# Note that clang_wrapper.py expects $KMSAN_CLANG_PATH to point to a Clang binary!
make CC=`pwd`/clang_wrapper.py -j64 -k 2>&1 | tee build.log

Run the kernel

You can refer to https://github.com/ramosian-glider/clang-kernel-build for the instructions on running the freshly built kernel in a QEMU VM. Also consider running a KMSAN-instrumented kernel under syzkaller.

Trophies

tmp.b_page uninitialized in generic_block_bmap()
- Writeup: https://github.com/google/kmsan/blob/master/kmsan-first-bug-writeup.txt
- Status: fixed upstream
strlen() called on non-terminated string in bind() for AF_PACKET
- Status: fixed upstream
too short socket address passed to selinux_socket_bind()
- Status: reported upstream
uninitialized msg.msg_flags in recvfrom syscall
- Status: fixed upstream
incorrect input length validation in nl_fib_input()
- Status: fixed upstream by Eric Dumazet
uninitialized sockc.tsflags in udpv6_sendmsg()
- Status: fixed upstream
incorrect input length validation in packet_getsockopt()
- Status: fixed upstream
incorrect input length validation in raw_send_hdrinc() and rawv6_send_hdrinc()
- Status: fixed upstream
missing check of nlmsg_parse() return value in rtnl_fdb_dump()
- Status: fixed upstream
Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer (CVE-2017-1000380)
- Status: fixed upstream (1, 2)
strlen() incorrectly called on user-supplied memory in dev_set_alias()
- Status: fixed upstream

Failed to load latest commit information.
Documentation	kmsan: docs and README.md	Sep 19, 2017
arch	kmsan: don't instrument arch/x86/kernel/stacktrace.c	Sep 25, 2017
block	blk-mq-debugfs: Add names for recently added flags	Aug 25, 2017
certs	modsign: add markers to endif-statements in certs/Makefile	Jul 14, 2017
crypto	crypto: algif_skcipher - only call put_page on referenced and used pages	Aug 22, 2017
drivers	scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE	Sep 29, 2017
firmware	firmware/Makefile: force recompilation if makefile changes	May 9, 2017
fs	Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6	Sep 2, 2017
include	kmsan: handle csum_partial_copy_generic()	Sep 25, 2017
init	kmsan: allow building KMSAN without clang_wrapper.py	Sep 19, 2017
ipc
kernel	kmsan: whack-a-moleing the false positives	Sep 19, 2017
lib
mm	kmsan: use the caller of kmsan_copy_to_user() to report bugs.	Sep 29, 2017
net
samples	samples/bpf: fix bpf tunnel cleanup	Aug 1, 2017
scripts	kmsan: allow building KMSAN without clang_wrapper.py	Sep 19, 2017
security	Merge tag 'gcc-plugins-v4.13-rc2' of git://git.kernel.org/pub/scm/lin…	Jul 19, 2017
sound
tools	Merge tag 'ntb-4.13-bugfixes' of git://github.com/jonmason/ntb	Aug 28, 2017
usr	ramfs: clarify help text that compression applies to ramfs as well as…	Jul 6, 2017
virt
.cocciconfig	scripts: add Linux .cocciconfig for coccinelle	Jul 22, 2016
.config.example
.get_maintainer.ignore	Add hch to .get_maintainer.ignore	Aug 21, 2015
.gitattributes	.gitattributes: set git diff driver for C source code files	Oct 8, 2016
.gitignore
.mailmap	Merge tag 'for-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/…	May 12, 2017
COPYING
CREDITS
Kbuild	kbuild: Consolidate header generation from ASM offset information	Apr 12, 2017
Kconfig	kbuild: migrate all arch to the kconfig mainmenu upgrade	Sep 20, 2010
MAINTAINERS	Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/l…	Aug 20, 2017
Makefile	kmsan: config changes	Sep 19, 2017
README	README: add a new README file, pointing to the Documentation/	Oct 24, 2016
README.md	kmsan: update README.md	Sep 26, 2017
clang_wrapper.py	kmsan: clang_wrapper.py	Sep 19, 2017
false-kmsan-cfq_init_cfqq.txt
kmsan-cfq_init_cfqq.txt	kmsan: add writeups	Sep 19, 2017
kmsan-clang.patch
kmsan-epoll_ctl.txt	kmsan: add writeups	Sep 19, 2017
kmsan-first-bug-writeup.txt	kmsan: add writeups	Sep 19, 2017
kmsan-llvm.patch	kmsan: update kmsan-clang.patch and kmsan-llvm.patch to LLVM v313704	Sep 25, 2017
kmsan-packet_bind_spkt.txt
kmsan-radix_tree_insert.txt	kmsan: add writeups	Sep 19, 2017

google/kmsan

Join GitHub today

Clone with HTTPS

README.md