From 3d69515cfea2781b318ebe1c6e6018d817cde358 Mon Sep 17 00:00:00 2001
From: Mark Johnston <markj@FreeBSD.org>
Date: Fri, 13 Aug 2021 09:52:05 -0400
Subject: [PATCH] arc4random: Avoid KMSAN false positives from pre-seeding
 results

If code calls arc4random(), and our RNG is not yet seeded and
random_bypass_before_seeding is true, we'll compute a key using the
SHA256 hash of some hopefully hard-to-predict data, including the
contents of an uninitialized stack buffer (which is also the output
buffer).

When KMSAN is enabled, this use of uninitialized state propagtes through
to the arc4random() output, resulting in false positives.  To address
this, lie to KMSAN and explicitly mark the buffer as initialized.

Reviewed by:	cem (previous version)
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31510
---
 sys/libkern/arc4random.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sys/libkern/arc4random.c b/sys/libkern/arc4random.c
index a4bee71c0efd..fd362dd83608 100644
--- a/sys/libkern/arc4random.c
+++ b/sys/libkern/arc4random.c
@@ -34,6 +34,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/linker.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
+#include <sys/msan.h>
 #include <sys/mutex.h>
 #include <sys/random.h>
 #include <sys/smp.h>
@@ -106,6 +107,14 @@ chacha20_randomstir(struct chacha20_s *chacha20)
 				    "enabled.\n");
 		}
 
+		/*
+		 * "key" is intentionally left uninitialized here, so with KMSAN
+		 * enabled the arc4random() return value may be marked
+		 * uninitialized, leading to spurious reports.  Lie to KMSAN to
+		 * avoid this situation.
+		 */
+		kmsan_mark(key, sizeof(key), KMSAN_STATE_INITED);
+
 		/* Last ditch effort to inject something in a bad condition. */
 		cc = get_cyclecount();
 		SHA256_Init(&ctx);