KMSAN is a detector of uninitialized memory use for the Linux kernel. It is
currently in development.
Contact: ramosian-glider@
- The kernel branch with KMSAN patches is available at https://github.com/google/kmsan
- Patches for LLVM r298239: LLVM patch, Clang patch
- Clang wrapper: https://github.com/google/kmsan/blob/master/clang_wrapper.py
In order to build a kernel with KMSAN you'll need a custom Clang built from a patched tree on LLVM r298239.
export WORLD=`pwd`
R=298239
svn co -r $R http://llvm.org/svn/llvm-project/llvm/trunk llvm
cd llvm
(cd tools && svn co -r $R http://llvm.org/svn/llvm-project/cfe/trunk clang)
(cd projects && svn co -r $R http://llvm.org/svn/llvm-project/compiler-rt/trunk compiler-rt)
wget https://raw.githubusercontent.com/google/kmsan/master/kmsan-llvm.patch
patch -p0 -i kmsan-llvm.patch
# Apply a patch fixing https://bugs.llvm.org/show_bug.cgi?id=32842
wget https://reviews.llvm.org/file/data/sktw7c6s7lpz7ah3p6ib/PHID-FILE-v75mhkvsosaxnkl55lki/D32915.diff
patch -p0 -i D32915.diff
wget https://raw.githubusercontent.com/google/kmsan/master/kmsan-clang.patch
(cd tools/clang && patch -p0 -i ../../kmsan-clang.patch)
mkdir llvm_cmake_build && cd llvm_cmake_build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_ASSERTIONS=ON ../
make -j64 clang
export KMSAN_CLANG_PATH=`pwd`/bin/clang
cd $WORLD
git clone https://github.com/google/kmsan.git kmsan
cd kmsan
# Now configure the kernel. You basically need to enable CONFIG_KMSAN and CONFIG_KCOV,
# plus maybe some 9P options to interact with QEMU.
cp .config.example .config
# Note that clang_wrapper.py expects $KMSAN_CLANG_PATH to point to a Clang binary!
make CC=`pwd`/clang_wrapper.py -j64 -k 2>&1 | tee build.log
You can refer to https://github.com/ramosian-glider/clang-kernel-build for the instructions on running the freshly built kernel in a QEMU VM. Also consider running a KMSAN-instrumented kernel under syzkaller.
tmp.b_pageuninitialized ingeneric_block_bmap()strlen()called on non-terminated string inbind()forAF_PACKET- Status: fixed upstream
- too short socket address passed to
selinux_socket_bind()- Status: reported upstream
- uninitialized
msg.msg_flagsinrecvfromsyscall- Status: fixed upstream
- incorrect input length validation in
nl_fib_input()- Status: fixed upstream by Eric Dumazet
- uninitialized
sockc.tsflagsinudpv6_sendmsg()- Status: fixed upstream
- incorrect input length validation in
packet_getsockopt()- Status: fixed upstream< 67EA /li>
- incorrect input length validation in
raw_send_hdrinc()andrawv6_send_hdrinc()- Status: fixed upstream
- missing check of
nlmsg_parse()return value inrtnl_fdb_dump()- Status: fixed upstream
- Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer (CVE-2017-1000380)
strlen()incorrectly called on user-supplied memory indev_set_alias()- Status: fixed upstream