| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Oct 2016 19:57:41 +0200
From: Denys Vlasenko <dvlasenk@...hat.com>
To: Josh Poimboeuf <jpoimboe@...hat.com>, Arnd Bergmann <arnd@...db.de>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
linux-kernel@...r.kernel.org, Emese Revfy <re.emese@...il.com>
Subject: Re: Another gcc corruption bug (was Re: [PATCH] [RFC] x86: avoid
-mtune=atom for objtool warnings)
On 10/13/2016 02:46 PM, Josh Poimboeuf wrote:
> On Tue, Oct 11, 2016 at 10:38:42PM +0200, Arnd Bergmann wrote:
>> On Tuesday, October 11, 2016 10:51:46 AM CEST Josh Poimboeuf wrote:
>>> Notice how it just falls off the end of the function. We had a similar
>>> bug before:
>>>
>>> https://lkml.kernel.org/r/20160413033649.7r3msnmo3trtq47z@treble
>>
>> I remember that nightmare :(
>>
>>> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70646
>>>
>>> I'm not sure yet if this is the same gcc bug or a different one. Maybe
>>> it's related to the new GCC_PLUGIN_SANCOV?
>>
>> I've reduced one of the test cases to this now:
>>
>> /* gcc-6 -O2 -fno-strict-aliasing -fno-reorder-blocks -fno-omit-frame-pointer -Wno-pointer-sign -fsanitize-coverage=trace-pc -Wall -Werror -c snic_res.c -o snic_res.o */
>> typedef int spinlock_t;
>> extern unsigned int ioread32(void *);
>> struct vnic_wq_ctrl {
>> unsigned int error_status;
>> };
>> struct vnic_wq {
>> struct vnic_wq_ctrl *ctrl;
>> } mempool_t;
>> struct snic {
>> unsigned int wq_count;
>> __attribute__ ((__aligned__)) struct vnic_wq wq[1];
>> spinlock_t wq_lock[1];
>> };
>> unsigned int snic_log_q_error_err_status;
>> void snic_log_q_error(struct snic *snic)
>> {
>> unsigned int i;
>> for (i = 0; i < snic->wq_count; i++)
>> snic_log_q_error_err_status =
>> ioread32(&snic->wq[i].ctrl->error_status);
>> }
>>
>> which gets compiled into
>>
>> 0000000000000000 <snic_log_q_error>:
>> 0: 55 push %rbp
>> 1: 48 89 e5 mov %rsp,%rbp
>> 4: 53 push %rbx
>> 5: 48 89 fb mov %rdi,%rbx
>> 8: 48 83 ec 08 sub $0x8,%rsp
>> c: e8 00 00 00 00 callq 11 <snic_log_q_error+0x11>
>> d: R_X86_64_PC32 __sanitizer_cov_trace_pc-0x4
>> 11: 8b 03 mov (%rbx),%eax
>> 13: 85 c0 test %eax,%eax
>> 15: 75 11 jne 28 <snic_log_q_error+0x28>
>> 17: 48 83 c4 08 add $0x8,%rsp
>> 1b: 5b pop %rbx
>> 1c: 5d pop %rbp
>> 1d: e9 00 00 00 00 jmpq 22 <snic_log_q_error+0x22>
>> 1e: R_X86_64_PC32 __sanitizer_cov_trace_pc-0x4
>> 22: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
>> 28: e8 00 00 00 00 callq 2d <snic_log_q_error+0x2d>
>> 29: R_X86_64_PC32 __sanitizer_cov_trace_pc-0x4
>> 2d: 48 8b 7b 10 mov 0x10(%rbx),%rdi
>> 31: e8 00 00 00 00 callq 36 <snic_log_q_error+0x36>
>> 32: R_X86_64_PC32 ioread32-0x4
>> 36: 89 05 00 00 00 00 mov %eax,0x0(%rip) # 3c <snic_log_q_error+0x3c>
>> 38: R_X86_64_PC32 snic_log_q_error_err_status-0x4
>> 3c: 83 3b 01 cmpl $0x1,(%rbx)
>> 3f: 76 d6 jbe 17 <snic_log_q_error+0x17>
>> 41: e8 00 00 00 00 callq 46 <snic_log_q_error+0x46>
>> 42: R_X86_64_PC32 __sanitizer_cov_trace_pc-0x4
>
> I opened a bug:
>
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77966
>
Surprisingly, it's really "not a bug". The only way you can end up in this branch
is if you have a bug and run off the end of wq[1] array member: i.e.
if snic->wq_count >= 2. (See gcc BZ for smaller example)
It's debatable whether it's okay for gcc to just let buggy code to run off
and execute something random. It is surely surprising, and not debug-friendly.
An option to emit a crashing instruction (HLT, INT3, that sort of thing)
instead of just stopping code generation might be useful.
Powered by blists - more mailing lists