arc4random: Avoid KMSAN false positives from pre-seeding results

If code calls arc4random(), and our RNG is not yet seeded and random_bypass_before_seeding is true, we'll compute a key using the SHA256 hash of some hopefully hard-to-predict data, including the contents of an uninitialized stack buffer (which is also the output buffer). When KMSAN is enabled, this use of uninitialized state propagtes through to the arc4random() output, resulting in false positives. To address this, lie to KMSAN and explicitly mark the buffer as initialized. Reviewed by: cem (previous version) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31510
2021-08-13 09:52:05 -04:00 · 2021-08-13 09:52:05 -04:00 · 3d69515cfe
commit 3d69515cfe
parent e0e3ded78a
1 changed files with 9 additions and 0 deletions
--- a/sys/libkern/arc4random.c
+++ b/sys/libkern/arc4random.c
@ -34,6 +34,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/linker.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
+#include <sys/msan.h>
 #include <sys/mutex.h>
 #include <sys/random.h>
 #include <sys/smp.h>
@ -106,6 +107,14 @@ chacha20_randomstir(struct chacha20_s *chacha20)
 				    "enabled.\n");
 		}

+		/*
+		 * "key" is intentionally left uninitialized here, so with KMSAN
+		 * enabled the arc4random() return value may be marked
+		 * uninitialized, leading to spurious reports.  Lie to KMSAN to
+		 * avoid this situation.
+		 */
+		kmsan_mark(key, sizeof(key), KMSAN_STATE_INITED);
+
 		/* Last ditch effort to inject something in a bad condition. */
 		cc = get_cyclecount();
 		SHA256_Init(&ctx);