lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACbG3084SVkW4r+-RqkbZR=BUH2_fK0bnDqKNXQoRffSJtpTYQ@mail.gmail.com>
Date:	Wed, 18 May 2016 13:08:36 -0500
From:	Nilay Vaish <nilayvaish@...il.com>
To:	Meelis Roos <mroos@...ux.ee>
Cc:	Linux Kernel list <linux-kernel@...r.kernel.org>, x86@...nel.org
Subject: Re: UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:115:29

On 16 May 2016 at 13:41, Meelis Roos <mroos@...ux.ee> wrote:
> Not sure if this is a genuine warning or a false positive but since some
> UBSAN warnings have been real and google does not find report about this
> specific warning, I'll send it in anyway.
>
> I have seen similar amd pmu warnings from UBSAN but I do not have any
> amd machines from that time frame online for now, so p6 only.
>
> [    0.150000] Performance Events: p6 PMU driver.
> [    0.150000] ================================================================================
> [    0.150000] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:115:29
> [    0.150000] index 8 is out of range for type 'u64 [8]'
> [    0.150000] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0 #21
> [    0.150000] Hardware name: Dell Computer Corporation PowerEdge 1550/933              , BIOS A09 12/10/2004
> [    0.150000]  00000000 c13a4bcc 00000046 f605de88 00000008 c13d5188 c17ddfd4 c13d5725
> [    0.150000]  c176ae8c f605de8c c17ddfec 00000202 00000038 00752101 00000002 00000000
> [    0.150000]  00000000 00000297 000000c2 c17d2b60 00000000 c102b14f 00000008 00000000
> [    0.150000] Call Trace:
> [    0.150000]  [<c13a4bcc>] ? dump_stack+0x45/0x69
> [    0.150000]  [<c13d5188>] ? ubsan_epilogue+0x8/0x30
> [    0.150000]  [<c13d5725>] ? __ubsan_handle_out_of_bounds+0x55/0x60
> [    0.150000]  [<c102b14f>] ? __register_nmi_handler+0xbf/0x300
> [    0.150000]  [<c10183d0>] ? p4_pmu_schedule_events+0x740/0x740
> [    0.150000]  [<c101840d>] ? p6_pmu_event_map+0x3d/0x50
> [    0.150000]  [<c10183d0>] ? p4_pmu_schedule_events+0x740/0x740
> [    0.150000]  [<c1af0c78>] ? init_hw_perf_events+0x493/0x688
> [    0.150000]  [<c1af07e5>] ? merge_attr+0x1d5/0x1d5
> [    0.150000]  [<c1000412>] ? do_one_initcall+0x82/0x230
> [    0.150000]  [<c10e27ef>] ? vprintk_default+0xf/0x20
> [    0.150000]  [<c116de67>] ? printk+0x11/0x12
> [    0.150000]  [<c103bf46>] ? print_cpu_info+0x86/0x130
> [    0.150000]  [<c1b00754>] ? native_smp_prepare_cpus+0x40e/0x453
> [    0.150000]  [<c1aefd87>] ? kernel_init_freeable+0x117/0x2fd
> [    0.150000]  [<c16a10e6>] ? kernel_init+0x6/0x100
> [    0.150000]  [<c16a9949>] ? ret_from_kernel_thread+0x21/0x38
> [    0.150000]  [<c16a10e0>] ? rest_init+0x60/0x60
> [    0.150000] ================================================================================
> [    0.150000] ================================================================================
> [    0.150000] UBSAN: Undefined behaviour in arch/x86/events/intel/p6.c:115:9
> [    0.150000] load of address c16adf20 with insufficient space
> [    0.150000] for an object of type 'const u64'
> [    0.150000] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0 #21
> [    0.150000] Hardware name: Dell Computer Corporation PowerEdge 1550/933              , BIOS A09 12/10/2004
> [    0.150000]  00000000 c13a4bcc 00000046 f605deb4 c16adf20 c13d5188 c17ddfac c13d5229
> [    0.150000]  c176a901 c17ddfc8 c176aca4 c176a95e c16adf20 00000202 00000008 00000000
> [    0.150000]  c101841d 00000008 c10183d0 00000008 c1af0c78 c17d2c00 f605df08 00000001
> [    0.150000] Call Trace:
> [    0.150000]  [<c13a4bcc>] ? dump_stack+0x45/0x69
> [    0.150000]  [<c13d5188>] ? ubsan_epilogue+0x8/0x30
> [    0.150000]  [<c13d5229>] ? __ubsan_handle_type_mismatch+0x79/0x150
> [    0.150000]  [<c101841d>] ? p6_pmu_event_map+0x4d/0x50
> [    0.150000]  [<c10183d0>] ? p4_pmu_schedule_events+0x740/0x740
> [    0.150000]  [<c1af0c78>] ? init_hw_perf_events+0x493/0x688
> [    0.150000]  [<c1af07e5>] ? merge_attr+0x1d5/0x1d5
> [    0.150000]  [<c1000412>] ? do_one_initcall+0x82/0x230
> [    0.150000]  [<c10e27ef>] ? vprintk_default+0xf/0x20
> [    0.150000]  [<c116de67>] ? printk+0x11/0x12
> [    0.150000]  [<c103bf46>] ? print_cpu_info+0x86/0x130
> [    0.150000]  [<c1b00754>] ? native_smp_prepare_cpus+0x40e/0x453
> [    0.150000]  [<c1aefd87>] ? kernel_init_freeable+0x117/0x2fd
> [    0.150000]  [<c16a10e6>] ? kernel_init+0x6/0x100
> [    0.150000]  [<c16a9949>] ? ret_from_kernel_thread+0x21/0x38
> [    0.150000]  [<c16a10e0>] ? rest_init+0x60/0x60
> [    0.150000] ================================================================================
> [    0.150000] ... version:                0
> [    0.150000] ... bit width:              32
> [    0.150000] ... generic registers:      2
> [    0.150000] ... value mask:             00000000ffffffff
> [    0.150000] ... max period:             000000007fffffff
> [    0.150000] ... fixed-purpose events:   0
> [    0.150000] ... event mask:             0000000000000003
>


I think UBSAN has correctly identified a bug.  I looked at the code in
v4.6.  In file arch/x86/events/core.c, in the function
filter_events(), there is a loop starting at line 1554 that should go
over 10 event counters.  But in file arch/x86/events/intel/p6.c, only
8 event counters have been declared at line 9.

I have a fix but do not for sure if its reasonable.  I think we should
pass on the max_events for the pmu to filter_events() function and
change the loop condition accordingly.  Can you apply the patch below
and test again?  It compiles, but I have not tested it.


diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
index 041e442..3fd33e6 100644
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1544,14 +1544,14 @@ static struct attribute_group x86_pmu_format_group = {
  * Remove all undefined events (x86_pmu.event_map(id) == 0)
  * out of events_attr attributes.
  */
-static void __init filter_events(struct attribute **attrs)
+static void __init filter_events(struct attribute **attrs, int max_events)
 {
        struct device_attribute *d;
        struct perf_pmu_events_attr *pmu_attr;
        int offset = 0;
        int i, j;

-       for (i = 0; attrs[i]; i++) {
+       for (i = 0; i < max_events && attrs[i]; i++) {
                d = (struct device_attribute *)attrs[i];
                pmu_attr = container_of(d, struct perf_pmu_events_attr, attr);
                /* str trumps id */
@@ -1740,7 +1740,7 @@ static int __init init_hw_perf_events(void)
        if (!x86_pmu.events_sysfs_show)
                x86_pmu_events_group.attrs = &empty_attrs;
        else
-               filter_events(x86_pmu_events_group.attrs);
+               filter_events(x86_pmu_events_group.attrs, x86_pmu.max_events);

        if (x86_pmu.cpu_events) {
                struct attribute **tmp;

--
Nilay

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ