When trying to land https://codereview.chromium.org/1759313002/ MSan bot started failing with a warning about uninitialized memory.
Uninitialized value was stored to memory at
#0 0x1a6801e in fe_cmov third_party/boringssl/src/crypto/curve25519/curve25519.c:723:10
#1 0x1a6801e in cmov_cached third_party/boringssl/src/crypto/curve25519/curve25519.c:3559:0
#2 0x1a6801e in x25519_ge_scalarmult third_party/boringssl/src/crypto/curve25519/curve25519.c:3610:0
#3 0x19af4b0 in SPAKE2_process_msg third_party/boringssl/src/crypto/curve25519/spake25519.c:430:3
#4 0x12d3093 in ProcessMessageInternal remoting/protocol/spake2_authenticator.cc:204:18
...............................
Uninitialized value was created by an allocation of 'selected' in the stack frame of function 'x25519_ge_scalarmult'
#0 0x1a67630 in x25519_ge_scalarmult third_party/boringssl/src/crypto/curve25519/curve25519.c:3567:0
The corresponding code snippet:
unsigned j;
ge_cached selected;
for (j = 0; j < 16; j++) {
cmov_cached(&selected, &Ai[j], equal(j, index));
}
Here |selected| is not initialized explicitly, but it's guaranteed to be set by one of the 16 cmov_cached() calls, i.e. it always get initialized. MSan gets confused with how fe_cmov() is implemented:
/* Replace (f,g) with (g,g) if b == 1;
* replace (f,g) with (f,g) if b == 0.
*
* Preconditions: b in {0,1}. */
static void fe_cmov(fe f, const fe g, unsigned b) {
b = 0-b;
unsigned i;
for (i = 0; i < 10; i++) {
int32_t x = f[i] ^ g[i];
x &= b;
f[i] ^= x;
}
}
This should either be fixed in MSan or explicit initialization should be added to boringssl.
Comment 1 by davidben@chromium.org
, Mar 10 2016Status: Duplicate (was: Untriaged)