Bug 508328 - Memory allegedly uninitialized after ioctl(PROCMAP_QUERY)
Summary: Memory allegedly uninitialized after ioctl(PROCMAP_QUERY)
Status: RESOLVED FIXED
Alias: None
Product: valgrind
Classification: Developer tools
Component: memcheck (other bugs)
Version First Reported In: 3.25.0
Platform: Other Linux
: NOR normal
Target Milestone: ---
Assignee: mcermak
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-08-16 10:49 UTC by blubban
Modified: 2025-11-25 15:52 UTC (History)
1 user (show)

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Attachments
WIP hotfix that avoids the false positive. (2.26 KB, patch)
2025-11-19 15:57 UTC, mcermak 		Details
proposed patch (7.25 KB, patch)
2025-11-20 15:04 UTC, mcermak 		Details
additional patch addressing Comment#3 (4.54 KB, patch)
2025-11-21 10:39 UTC, mcermak 		Details
updated patch (10.44 KB, patch)
2025-11-25 14:13 UTC, mcermak 		Details
Show Obsolete (3) View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description blubban 2025-08-16 10:49:18 UTC 
#include <stdio.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/fs.h>

int main(int argc, char** argv)
{
	char name[256];
	struct procmap_query pq = {
		.size = sizeof(pq), .query_addr = (uintptr_t)main,
		.vma_name_size = 256, .vma_name_addr = (uintptr_t)name
	};
	int fd = open("/proc/self/maps", O_RDONLY);
	ioctl(fd, PROCMAP_QUERY, &pq);
	puts(name);
}


Install Linux >= 6.11, then compile and run the above. No particular flags needed, gcc's and valgrind's defaults are fine.

Expected: Print the usual Valgrind header/footer, and the path of the executable.
Actual: Also prints various warnings about the name variable being uninitialized.

Discovered on Debian stable (3.24), also reproduces on 3.25.1. Probably needs something similar to bug 333817.
Comment 1 mcermak 2025-11-19 15:57:11 UTC 
Created attachment 186956 [details]
WIP hotfix that avoids the false positive.
Comment 2 mcermak 2025-11-20 15:04:59 UTC 
Created attachment 186990 [details]
proposed patch

Also checked in to try-branch so that it can get buildbot-tested:
https://sourceware.org/git/?p=valgrind.git;a=shortlog;h=refs/heads/users/mcermak/try-bug508328
Comment 3 blubban 2025-11-20 15:13:43 UTC 
I can't determine how (or if) the first patch works, but the second one looks good to my (admittedly inexperienced in this project) eyes.

Except the kernel will use the build_id_{size,addr} fields the same way as vma_name_{size,addr}. You should duplicate that.
Comment 4 mcermak 2025-11-21 10:39:37 UTC 
Created attachment 187024 [details]
additional patch addressing Comment#3

Agreed.  Follow-up patch addressing Comment#3 attached.  Try-branch updated.

The previous patch passed testing [1].  Buildbots should pick up this update soon..

[1] https://builder.sourceware.org/buildbot/#/builders/243/builds/109
Comment 5 Mark Wielaard 2025-11-21 13:17:29 UTC 
The new testcase needs to be moved under memcheck/tests/linux since it is linux kernel specific.

You will want to check ML_(safe_to_deref) (pq, sizeof(struct vki_procmap_query) in the PRE handler before doing any checks that need dereferencing pq.

Also check the other "in" fields (size, query_flags and query_addr) with PRE_FIELD_READ in the PRE handler.

Also mark the other "out" fields (vma_*, inode, dev_*) as written  with POST_FIELD_WRITE in the POST handler.
(In the POST handler you can probably just assume everything is written/defined with POST_MEM_WRITE(pq, pq-<size) instead of doing individual POST_FIELD_WRITEs)
Comment 6 Mark Wielaard 2025-11-21 13:32:00 UTC 
Also looking at the try builds (thanks for doing those!) it looks like for the testcase you also need a configure check to make sure PROCMAP_QUERY is defined in linux/fs.h.

https://builder.sourceware.org/buildbot/#/changes/102828 shows various systems with an older kernel that doesn't define it.
Comment 7 mcermak 2025-11-21 16:46:58 UTC 
Thank you for your review!  I've addressed your comments in my branch users/mcermak/try-bug508328:

$ git log --pretty --oneline -4
6605bba9b (HEAD -> users/mcermak/try-bug508328, origin/users/mcermak/try-bug508328) PR508328:  Run ioctl_procmap_query.vgtest conditionally
0a779b583 PR508328:  Reflect the testcase move in .gitignore
b99a16afb PR508328:  Check all the members of struct procmap_query
257ba83ca PR508328:  Move ioctl_procmap_query.vgtest to the linux subdirectory
$ 

https://sourceware.org/git/?p=valgrind.git;a=shortlog;h=refs/heads/users/mcermak/try-bug508328
Comment 8 mcermak 2025-11-24 12:43:38 UTC 
Buildbot test results green: https://builder.sourceware.org/buildbot/#/builders/243/builds/111 .
Comment 9 Mark Wielaard 2025-11-24 14:11:43 UTC 
Could you post that as a squash patch?
I think it looks good. I would only remove the SET_STATUS_Failure(VKI_EFAULT) after the safe_to_deref check.
The kernel will return that anyway, but it might accept a larger/smaller struct in the future?
Comment 10 mcermak 2025-11-25 14:13:40 UTC 
Created attachment 187159 [details]
updated patch

Attaching squashed patch addressing the previous comment.
Comment 11 Mark Wielaard 2025-11-25 15:29:57 UTC 
(In reply to mcermak from comment #10)
> Created attachment 187159 [details]
> updated patch
> 
> Attaching squashed patch addressing the previous comment.

Looks good.

Since it might be that the testcase isn't build (if the configure check fails) I think you should have something like:
prereq: test -x ioctl_procmap_query
in ioctl_procmap_query.vgtest otherwise you get failures on old kernels, where the test should be skipped.

Please push with that change.
Comment 12 mcermak 2025-11-25 15:52:10 UTC 
Makes sense, thanks a ton for the review.  Pushed as commit 2b4b31de6965c3af5ecaca2c33b039eb72ec3706 .