| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Oct 2016 07:46:36 -0500
From: Josh Poimboeuf <jpoimboe@...hat.com>
To: Arnd Bergmann <arnd@...db.de>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
linux-kernel@...r.kernel.org, Denys Vlasenko <dvlasenk@...hat.com>,
Emese Revfy <re.emese@...il.com>
Subject: Another gcc corruption bug (was Re: [PATCH] [RFC] x86: avoid
-mtune=atom for objtool warnings)
On Tue, Oct 11, 2016 at 10:38:42PM +0200, Arnd Bergmann wrote:
> On Tuesday, October 11, 2016 10:51:46 AM CEST Josh Poimboeuf wrote:
> > Notice how it just falls off the end of the function. We had a similar
> > bug before:
> >
> > https://lkml.kernel.org/r/20160413033649.7r3msnmo3trtq47z@treble
>
> I remember that nightmare :(
>
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70646
> >
> > I'm not sure yet if this is the same gcc bug or a different one. Maybe
> > it's related to the new GCC_PLUGIN_SANCOV?
>
> I've reduced one of the test cases to this now:
>
> /* gcc-6 -O2 -fno-strict-aliasing -fno-reorder-blocks -fno-omit-frame-pointer -Wno-pointer-sign -fsanitize-coverage=trace-pc -Wall -Werror -c snic_res.c -o snic_res.o */
> typedef int spinlock_t;
> extern unsigned int ioread32(void *);
> struct vnic_wq_ctrl {
> unsigned int error_status;
> };
> struct vnic_wq {
> struct vnic_wq_ctrl *ctrl;
> } mempool_t;
> struct snic {
> unsigned int wq_count;
> __attribute__ ((__aligned__)) struct vnic_wq wq[1];
> spinlock_t wq_lock[1];
> };
> unsigned int snic_log_q_error_err_status;
> void snic_log_q_error(struct snic *snic)
> {
> unsigned int i;
> for (i = 0; i < snic->wq_count; i++)
> snic_log_q_error_err_status =
> ioread32(&snic->wq[i].ctrl->error_status);
> }
>
> which gets compiled into
>
> 0000000000000000 <snic_log_q_error>:
> 0: 55 push %rbp
> 1: 48 89 e5 mov %rsp,%rbp
> 4: 53 push %rbx
> 5: 48 89 fb mov %rdi,%rbx
> 8: 48 83 ec 08 sub $0x8,%rsp
> c: e8 00 00 00 00 callq 11 <snic_log_q_error+0x11>
> d: R_X86_64_PC32 __sanitizer_cov_trace_pc-0x4
> 11: 8b 03 mov (%rbx),%eax
> 13: 85 c0 test %eax,%eax
> 15: 75 11 jne 28 <snic_log_q_error+0x28>
> 17: 48 83 c4 08 add $0x8,%rsp
> 1b: 5b pop %rbx
> 1c: 5d pop %rbp
> 1d: e9 00 00 00 00 jmpq 22 <snic_log_q_error+0x22>
> 1e: R_X86_64_PC32 __sanitizer_cov_trace_pc-0x4
> 22: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
> 28: e8 00 00 00 00 callq 2d <snic_log_q_error+0x2d>
> 29: R_X86_64_PC32 __sanitizer_cov_trace_pc-0x4
> 2d: 48 8b 7b 10 mov 0x10(%rbx),%rdi
> 31: e8 00 00 00 00 callq 36 <snic_log_q_error+0x36>
> 32: R_X86_64_PC32 ioread32-0x4
> 36: 89 05 00 00 00 00 mov %eax,0x0(%rip) # 3c <snic_log_q_error+0x3c>
> 38: R_X86_64_PC32 snic_log_q_error_err_status-0x4
> 3c: 83 3b 01 cmpl $0x1,(%rbx)
> 3f: 76 d6 jbe 17 <snic_log_q_error+0x17>
> 41: e8 00 00 00 00 callq 46 <snic_log_q_error+0x46>
> 42: R_X86_64_PC32 __sanitizer_cov_trace_pc-0x4
I opened a bug:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77966
--
Josh
Powered by blists - more mailing lists