lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Z_6WsC9f0mby1nV7@google.com>
Date: Tue, 15 Apr 2025 17:26:08 +0000
From: Mostafa Saleh <smostafa@...gle.com>
To: Kees Cook <kees@...nel.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>, linux-kernel@...r.kernel.org,
	kasan-dev@...glegroups.com, linux-hardening@...r.kernel.org,
	elver@...gle.com, andreyknvl@...il.com, ryabinin.a.a@...il.com
Subject: Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds

On Tue, Apr 15, 2025 at 10:09:00AM -0700, Kees Cook wrote:
> On Tue, Apr 15, 2025 at 08:48:30AM +0000, Mostafa Saleh wrote:
> > On Mon, Apr 14, 2025 at 05:04:14PM -0700, Andrew Morton wrote:
> > > On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@...gle.com> wrote:
> > > 
> > > > Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the
> > > > kernel
> > > > 
> > > > [   31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan]
> > > > [   31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT
> > > > [   31.648153] Hardware name: linux,dummy-virt (DT)
> > > > [   31.648970] Call trace:
> > > > [   31.649345]  show_stack+0x18/0x24 (C)
> > > > [   31.650960]  dump_stack_lvl+0x40/0x84
> > > > [   31.651559]  dump_stack+0x18/0x24
> > > > [   31.652264]  panic+0x138/0x3b4
> > > > [   31.652812]  __ktime_get_real_seconds+0x0/0x10
> > > > [   31.653540]  test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan]
> > > > [   31.654388]  init_module+0x24/0xff4 [test_ubsan]
> > > > [   31.655077]  do_one_initcall+0xd4/0x280
> > > > [   31.655680]  do_init_module+0x58/0x2b4
> > > > 
> > > > That happens because the test corrupts other data in the stack:
> > > > 400:   d5384108        mrs     x8, sp_el0
> > > > 404:   f9426d08        ldr     x8, [x8, #1240]
> > > > 408:   f85f83a9        ldur    x9, [x29, #-8]
> > > > 40c:   eb09011f        cmp     x8, x9
> > > > 410:   54000301        b.ne    470 <test_ubsan_out_of_bounds+0x154>  // b.any
> > > > 
> > > > As there is no guarantee the compiler will order the local variables
> > > > as declared in the module:
> > > 
> > > argh.
> > > 
> > > > 	volatile char above[4] = { }; /* Protect surrounding memory. */
> > > > 	volatile int arr[4];
> > > > 	volatile char below[4] = { }; /* Protect surrounding memory. */
> > > > 
> > > > So, instead of writing out-of-bound, we can read out-of-bound which
> > > > still triggers UBSAN but doesn't corrupt the stack.
> > > 
> > > Would it be better to put the above three items into a struct, so we
> > > specify the layout?
> > 
> > Yes, that also should work, but I ran into a panic because of another
> > problem, where the padding before and after the arr is 4 bytes, but
> > the index is "5", which is 8 bytes out of bound.
> > As we can only use 4/-1 as out of bounds.
> > That should also work:
> > 
> > diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c
> > index 8772e5edaa4f..4533e9cb52e6 100644
> > --- a/lib/test_ubsan.c
> > +++ b/lib/test_ubsan.c
> > @@ -77,18 +77,18 @@ static void test_ubsan_shift_out_of_bounds(void)
> >  
> >  static void test_ubsan_out_of_bounds(void)
> >  {
> > -	volatile int i = 4, j = 5, k = -1;
> > -	volatile char above[4] = { }; /* Protect surrounding memory. */
> > -	volatile int arr[4];
> > -	volatile char below[4] = { }; /* Protect surrounding memory. */
> > -
> > -	above[0] = below[0];
> > +	volatile int i = 4, j = 4, k = -1;
> > +	struct {
> > +		volatile char above[4]; /* Protect surrounding memory. */
> > +		volatile int arr[4];
> > +		volatile char below[4]; /* Protect surrounding memory. */
> > +	} data;
> 
> Instead of all the volatiles, I recommend using:
> 
> 	OPTIMIZER_HIDE_VAR(i);
> 	OPTIMIZER_HIDE_VAR(j);
> 	OPTIMIZER_HIDE_VAR(k);
> 	OPTIMIZER_HIDE_VAR(data);
> 

I can do that in v2, although the rest of the test still
uses volatile, I can convert them in a separate patch if
it's worth it.

Also, OPTIMIZER_HIDE_VAR(), doesn't seem to work for structs
or arrays. Instead of using it per elements, I guess READ/WRITE_ONCE
might be more suitable for that.

> >  	UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
> > -	arr[j] = i;
> > +	data.arr[j] = i;
> >  
> >  	UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
> > -	arr[k] = i;
> > +	data.arr[k] = i;
> >  }
> >  
> >  enum ubsan_test_enum {
> > 
> > ---
> > 
> > I can send v2 with this approach if it's better.
> 
> Yes please, the struct is the right solution to keep the memory
> contiguous.

Will do.

Thanks,
Mostafa


> 
> -- 
> Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ