lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190612025227.lxumqqtqao6iqms3@treble>
Date:   Tue, 11 Jun 2019 21:52:27 -0500
From:   Josh Poimboeuf <jpoimboe@...hat.com>
To:     Randy Dunlap <rdunlap@...radead.org>
Cc:     "linux-next@...r.kernel.org" <linux-next@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Masahiro Yamada <yamada.masahiro@...ionext.com>,
        Guenter Roeck <linux@...ck-us.net>,
        Jean Delvare <jdelvare@...e.com>
Subject: Re: linux-next 20190611: objtool warning

On Tue, Jun 11, 2019 at 06:59:22PM -0700, Randy Dunlap wrote:
> Hi,
> 
> New warning AFAIK:
> 
> drivers/hwmon/smsc47m1.o: warning: objtool: fan_div_store()+0x11f: sibling call from callable instruction with modified stack frame

I'm getting a different warning:

  drivers/hwmon/smsc47m1.o: warning: objtool: fan_div_store()+0xb6: can't find jump dest instruction at .text+0x93a

But I bet the root cause is the same.

This fixes it for me:

From: Josh Poimboeuf <jpoimboe@...hat.com>
Subject: [PATCH] hwmon/smsc47m1: Fix objtool warning caused by undefined behavior

Objtool is reporting the following warning:

  drivers/hwmon/smsc47m1.o: warning: objtool: fan_div_store()+0xb6: can't find jump dest instruction at .text+0x93a

It's apparently caused by

  2cf6745e69d1 ("hwmon: (smsc47m1) fix (suspicious) outside array bounds warnings")

which is somehow convincing GCC to add a jump past the end of the
function:

  793:   45 85 ed                test   %r13d,%r13d
  796:   0f 88 9e 01 00 00       js     93a <fan_div_store+0x25a>
  ...
  930:   e9 5e fe ff ff          jmpq   793 <fan_div_store+0xb3>
  935:   e8 00 00 00 00          callq  93a <fan_div_store+0x25a>
			936: R_X86_64_PLT32     __stack_chk_fail-0x4
  <function end>

I suppose this falls under the category of undefined behavior, so we
probably can't call it a GCC bug.  But if the value of "nr" were out of
range somehow then it would start executing random code.  Use a runtime
BUG() assertion to avoid undefined behavior.

Fixes: 2cf6745e69d1 ("hwmon: (smsc47m1) fix (suspicious) outside array bounds warnings")
Reported-by: Randy Dunlap <rdunlap@...radead.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@...hat.com>
---
 drivers/hwmon/smsc47m1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hwmon/smsc47m1.c b/drivers/hwmon/smsc47m1.c
index 6d366c9cb906..b637836b58a1 100644
--- a/drivers/hwmon/smsc47m1.c
+++ b/drivers/hwmon/smsc47m1.c
@@ -352,7 +352,7 @@ static ssize_t fan_div_store(struct device *dev,
 		smsc47m1_write_value(data, SMSC47M2_REG_FANDIV3, tmp);
 		break;
 	default:
-		unreachable();
+		BUG();
 	}
 
 	/* Preserve fan min */
-- 
2.20.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ