Message-ID: <mcgs5qsnhmsg3iaxzzdhgiab36pb5zlt56lbxpiaxxotykpzgv@ipvgvrj2w4jf>
Date: Mon, 22 Apr 2024 22:00:29 +0000
From: Justin Stitt <justinstitt@...gle.com>
To: Kees Cook <keescook@...omium.org>
Cc: Nathan Chancellor <nathan@...nel.org>, gustavoars@...nel.org,
linux-hardening@...r.kernel.org, patches@...ts.linux.dev
Subject: Re: [PATCH 0/2] configs/hardening: Some fixes for UBSAN
On Mon, Apr 15, 2024 at 11:15:05AM -0700, Kees Cook wrote:
> On Thu, Apr 11, 2024 at 11:11:05AM -0700, Nathan Chancellor wrote:
> > [ 0.189542] Internal error: UBSAN: unrecognized failure code: 00000000f2005515 [#1] PREEMPT SMP
>
> Oops! Yes, I didn't update the (arm64) trap handler to notice integer
> overflows. I think I need something like:
>
> diff --git a/lib/ubsan.c b/lib/ubsan.c
> index 5fc107f61934..a2fb19f75825 100644
> --- a/lib/ubsan.c
> +++ b/lib/ubsan.c
> @@ -77,6 +77,14 @@ const char *report_ubsan_failure(struct pt_regs *regs, u32 check_type)
> return "UBSAN: alignment assumption";
> case ubsan_type_mismatch:
> return "UBSAN: type mismatch";
> +#endif
> +#ifdef CONFIG_UBSAN_SIGNED_INTEGER_WRAP
> + case ubsan_add_overflow:
> + return "UBSAN: integer addition overflow";
> + case ubsan_sub_overflow:
> + return "UBSAN: integer subtraction overflow";
> + case ubsan_mul_overflow:
> + return "UBSAN: integer multiplication overflow";
> #endif
> default:
> return "UBSAN: unrecognized failure code";
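Review bot: the three new cases only cover add, sub and mul, so any other overflow check type the signed-integer-wrap sanitizer can trap on (negation, for example) would still reach the visible `default:` and print "UBSAN: unrecognized failure code", which is exactly the symptom in the report; worth confirming against the check-type enum that no other code is emitted for this config. Also, the added `+#endif` closes a `#ifdef` whose opening line is outside the hunk context, so double-check that the `alignment assumption` and `type mismatch` cases end up guarded by the intended config option and not by `CONFIG_UBSAN_SIGNED_INTEGER_WRAP`.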
>
> > [ 0.198326] Call trace:
> > [ 0.198544] cancel_delayed_work+0x54/0x94
> > [ 0.198810] deferred_probe_extend_timeout+0x20/0x6c
> > [ 0.198988] driver_register+0xa8/0x10c
> > [ 0.199122] __platform_driver_register+0x28/0x38
> > [ 0.199258] tegra194_cbb_init+0x24/0x34
>
> Justin, does this trace match anything you found running syzkaller
> against SIO? (I assume not -- this seems to be a tegra code path...)
Nope, here's a full list of the SIO (just signed-IO, not unsigned-IO)
crashes I encountered with about 10 days of syzkaller:

title | frequency* | date | repro
UBSAN: signed-integer-overflow in __do_adjtimex | 100 | 2024/03/13 08:54 | has C repro
UBSAN: signed-integer-overflow in __gup_longterm_locked | 1 | 2024/03/13 00:48 |
UBSAN: signed-integer-overflow in accumulate_nsecs_to_secs | 7 | 2024/03/11 23:35 | has C repro
UBSAN: signed-integer-overflow in ata1 | 3 | 2024/03/11 12:45 |
UBSAN: signed-integer-overflow in blkpg_do_ioctl | 100 | 2024/03/13 07:53 | has C repro
UBSAN: signed-integer-overflow in cdrom_ioctl | 100 | 2024/03/13 08:31 | has C repro
UBSAN: signed-integer-overflow in corrupted | 10 | 2024/03/12 08:03 |
UBSAN: signed-integer-overflow in dcache_dir_lseek | 10 | 2024/03/13 07:55 | has C repro
UBSAN: signed-integer-overflow in do_io_getevents | 38 | 2024/03/13 07:59 | has C repro
UBSAN: signed-integer-overflow in done | 4 | 2024/03/05 22:31 |
UBSAN: signed-integer-overflow in generic_file_llseek_size | 100 | 2024/03/13 09:04 | has C repro
UBSAN: signed-integer-overflow in hugetlbfs_fallocate | 1 | 2024/03/01 14:29 | has C repro
UBSAN: signed-integer-overflow in init_file | 100 | 2024/03/13 07:47 | has C repro
UBSAN: signed-integer-overflow in ioctl_preallocate | 95 | 2024/03/13 01:33 | has C repro
UBSAN: signed-integer-overflow in scrollfront | 31 | 2024/03/13 06:16 | has C repro
UBSAN: signed-integer-overflow in seq_lseek | 100 | 2024/03/13 08:29 | has C repro
UBSAN: signed-integer-overflow in sr_select_speed | 100 | 2024/03/13 08:26 | has C repro
UBSAN: signed-integer-overflow in sync_file_range | 100 | 2024/03/13 08:09 | has C repro
UBSAN: signed-integer-overflow in timekeeping_inject_offset | 100 | 2024/03/13 07:57 | has C repro
UBSAN: signed-integer-overflow in udpv6_sendmsg | 25 | 2024/03/13 07:12 | has C repro
UBSAN: signed-integer-overflow in vfs_copy_file_range | 100 | 2024/03/13 08:51 | has C repro
UBSAN: signed-integer-overflow in vfs_fallocate | 100 | 2024/03/13 08:24 | has C repro

*duplicate crashes past 100 are not reported or attempted to be
reproduced.
I don't believe any of these match the trace Nathan reported.
>
> --
> Kees Cook
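The class of bug behind the crash list above is a signed addition that wraps, as in an lseek-style offset computation. The following is an added, stand-alone example (not code from this thread or from the kernel): a hypothetical `seek_unchecked()` that does the plain addition the sanitizer reports on, beside a hardened `seek_checked()` that uses the compiler's `__builtin_add_overflow` (the same mechanism the kernel's `check_add_overflow()` helpers build on) and returns `-EOVERFLOW` instead of wrapping. Function names and the error mapping are assumptions for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical, not kernel code: the unchecked form of an lseek-style
 * position computation. Signed overflow here is undefined behaviour in C;
 * built with -fsanitize=signed-integer-overflow, UBSAN reports at this line. */
long long seek_unchecked(long long base, long long off)
{
    return base + off;
}

/* Hardened form (assumed API): the compiler evaluates the addition in
 * infinite precision and tells us whether the result fits. On overflow
 * nothing is written to *result and -EOVERFLOW is returned; a negative
 * position is rejected with -EINVAL. Returns 0 on success. */
int seek_checked(long long base, long long off, long long *result)
{
    long long sum;

    if (__builtin_add_overflow(base, off, &sum))
        return -EOVERFLOW;
    if (sum < 0)
        return -EINVAL;
    *result = sum;
    return 0;
}

/* Stand-alone demo: the checked path rejects the overflowing input that
 * the unchecked path would silently wrap. */
int main(void)
{
    long long pos;
    int ret;

    ret = seek_checked(100, 50, &pos);
    printf("checked  100 + 50      -> ret=%d pos=%lld\n", ret, pos);

    ret = seek_checked(LLONG_MAX, 1, &pos);
    printf("checked  LLONG_MAX + 1 -> ret=%d (-EOVERFLOW=%d)\n", ret, -EOVERFLOW);

    /* Only executed deliberately to show the sanitizer report when the
     * program is compiled with -fsanitize=signed-integer-overflow. */
    printf("unchecked LLONG_MAX + 1 -> %lld\n", seek_unchecked(LLONG_MAX, 1));
    return 0;
}
```

Compiling with `-fsanitize=signed-integer-overflow` (gcc or clang) makes the unchecked call in `main` print a runtime error naming the line, which is the user-space analogue of the "UBSAN: signed-integer-overflow in ..." titles syzkaller produced; the checked variant never trips it because the overflow is detected before any wrapped value is formed.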