[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <202006081144.933995E4@keescook>
Date: Mon, 8 Jun 2020 12:00:11 -0700
From: Kees Cook <keescook@...omium.org>
To: kernel test robot <rong.a.chen@...el.com>
Cc: clang-built-linux@...glegroups.com, LKP <lkp@...ts.01.org>,
"Linus, Torvalds," <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Linux Memory Management List <linux-mm@...ck.org>,
linux-kernel@...r.kernel.org
Subject: Re: 0887a7ebc9 ("ubsan: add trap instrumentation option"): BUG:
kernel hang in early-boot stage, last printk: early console in setup code
On Mon, Jun 08, 2020 at 02:04:08PM +0800, kernel test robot wrote:
> The issue seems due to the lack of "-fsanitize-undefined-trap-on-error" in clang.
Hm? No, that's supported in Clang (at least as far back as Clang 9.)
> Greetings,
>
> 0day kernel testing robot got the below dmesg and the first bad commit is
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>
> commit 0887a7ebc97770c7870abf3075a2e8cd502a7f52
> Author: Kees Cook <keescook@...omium.org>
> AuthorDate: Mon Apr 6 20:12:27 2020 -0700
> Commit: Linus Torvalds <torvalds@...ux-foundation.org>
> CommitDate: Tue Apr 7 10:43:44 2020 -0700
>
> ubsan: add trap instrumentation option
In the randconfig, I see CONFIG_UBSAN_TRAP is enabled with lots of other
UBSAN options. If you're not expecting the results, it's very likely the
false positives in UBSAN are going to do bad things. :) This is "working
as expected", as noted in the commit log quoted below.
>
> Patch series "ubsan: Split out bounds checker", v5.
>
> This splits out the bounds checker so it can be individually used. This
> is enabled in Android and hopefully for syzbot. Includes LKDTM tests for
> behavioral corner-cases (beyond just the bounds checker), and adjusts
> ubsan and kasan slightly for correct panic handling.
>
> This patch (of 6):
>
> The Undefined Behavior Sanitizer can operate in two modes: warning
> reporting mode via lib/ubsan.c handler calls, or trap mode, which uses
> __builtin_trap() as the handler. Using lib/ubsan.c means the kernel image
> is about 5% larger (due to all the debugging text and reporting structures
> to capture details about the warning conditions). Using the trap mode,
> the image size changes are much smaller, though at the loss of the
> "warning only" mode.
>
> In order to give greater flexibility to system builders that want minimal
> changes to image size and are prepared to deal with kernel code being
> aborted and potentially destabilizing the system, this introduces
> CONFIG_UBSAN_TRAP. The resulting image sizes comparison:
>
> text data bss dec hex filename
> 19533663 6183037 18554956 44271656 2a38828 vmlinux.stock
> 19991849 7618513 18874448 46484810 2c54d4a vmlinux.ubsan
> 19712181 6284181 18366540 44362902 2a4ec96 vmlinux.ubsan-trap
>
> CONFIG_UBSAN=y: image +4.8% (text +2.3%, data +18.9%)
> CONFIG_UBSAN_TRAP=y: image +0.2% (text +0.9%, data +1.6%)
>
> Additionally adjusts the CONFIG_UBSAN Kconfig help for clarity and removes
> the mention of non-existing boot param "ubsan_handle".
If you're trying to _boot_ a randconfig, I suspect there are going to be
a lot of surprises with UBSAN (in any mode) enabled. Right now, likely the
least noisy of them all is UBSAN_BOUNDS, which was split out for fuzzers.
FWIW, the dmesg appears to be catching a NULL pointer dereference
(enabled via CONFIG_UBSAN_MISC):
[ 0.047646] UBSAN: Undefined behaviour in drivers/acpi/acpica/tbfadt.c:459:37
[ 0.047650] member access within null pointer of type 'struct acpi_table_fadt'
[ 0.047655] CPU: 0 PID: 0 Comm: swapper Not tainted 5.6.0-11597-g7baf219982281 #1
[ 0.047659] Call Trace:
[ 0.047676] dump_stack+0x88/0xb9
[ 0.047684] ? ubsan_prologue+0x21/0x46
[ 0.047689] ? ubsan_type_mismatch_common+0x188/0x19e
[ 0.047695] ? __ubsan_handle_type_mismatch_v1+0x45/0x4a
[ 0.047701] ? acpi_tb_create_local_fadt+0xaa/0x435
[ 0.047706] ? acpi_tb_parse_fadt+0x54/0xd4
[ 0.047712] ? acpi_tb_parse_root_table+0x192/0x1bf
[ 0.047717] ? acpi_table_init+0x3b/0x56
[ 0.047721] ? acpi_boot_table_init+0xf/0x6e
[ 0.047726] ? setup_arch+0x459/0x520
[ 0.047732] ? start_kernel+0x5e/0x3ba
[ 0.047737] ? secondary_startup_64+0xa4/0xb0
I'm not sure how ACPI defines acpi_gbl_FADT though? There's no
dereference...
459: if (acpi_gbl_FADT.header.length <= ACPI_FADT_V2_SIZE) {
BTW, this report only contained 1 actual dmesg. There were two files with
dmesg file names, but one of them was the gzipped reproduction steps again.
-Kees
--
Kees Cook
Powered by blists - more mailing lists