>Hi,
>
>1.
>Are you sure this leak really happens on 64-bit and not on 32-bit instead?
>
>I remember I got the problems with bcm msg head on the 32bit raspberry
>pi because I missed the alignment by accident.
>
>When I calculate the size of msg head on a Ryzen 1800X with Python
>3.9.5, I get:
>
>struct.calcsize("IIIllllII"),struct.calcsize("IIIllllII0q")
>(56, 56)
>
>First Value is raw, the second value is the alignment hack with the zero
>length quad word "0q".
>
>On the 32bit raspberry pi, same op results in the gap.
>
>struct.calcsize("IIIllllII"),struct.calcsize("IIIllllII0q")
>(36, 40)
Hey Patrick,
having reproduced this leak I could only observe the issue on 64-bit systems.
I've just tested it on a 32-bit OS running on a raspberry pi and I couldn't observe
any leak. The offset difference on 32-bit between count and ival1 is 4.
On 64-bit systems, it's 8:
(gdb) ptype struct bcm_msg_head
type = struct bcm_msg_head {
__u32 opcode;
__u32 flags;
__u32 count;
struct bcm_timeval ival1;
struct bcm_timeval ival2;
canid_t can_id;
__u32 nframes;
struct can_frame frames[0];
}
(gdb) p/x &((struct bcm_msg_head *)0x0)->count
$1 = 0x8
(gdb) p/x &((struct bcm_msg_head *)0x0)->ival1
$2 = 0x10
(gdb) p sizeof(((struct bcm_msg_head *)0x0)->count)
$3 = 4
>2.
>Finding stucts with non-zero-ed gaps should be easy with a skript or
>even better with a GCC directive. I believe Syzbot does such a thing too.
>
>Kind Regards,
>Patrick Menschel
I didn't notice any syzbot report about this leak, nor did I find it with syzkaller.
Norbert
