lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20220127000212.GA4285@paulmck-ThinkPad-P17-Gen-1>
Date:   Wed, 26 Jan 2022 16:02:12 -0800
From:   "Paul E. McKenney" <paulmck@...nel.org>
To:     Dan Carpenter <dan.carpenter@...cle.com>
Cc:     kbuild@...ts.01.org, lkp@...el.com, kbuild-all@...ts.01.org,
        GNU/Weeb Mailing List <gwml@...weeb.org>,
        linux-kernel@...r.kernel.org
Subject: Re: [kbuild] [ammarfaizi2-block:paulmck/linux-rcu/dev 80/83]
 kernel/rcu/srcutree.c:1426 srcu_torture_stats_print() error: buffer overflow
 'srcu_size_state_name' 10 <= 10

On Wed, Jan 26, 2022 at 10:35:36AM +0300, Dan Carpenter wrote:
> tree:   https://github.com/ammarfaizi2/linux-block  paulmck/linux-rcu/dev
> head:   1063f4620dd3242633b35487e08e159b803f717b
> commit: 6d5d02daa5c0173da1c5430352dca9ab3f4fd8b5 [80/83] srcu: Make rcutorture dump the SRCU size state
> config: x86_64-randconfig-m001-20220124 (https://download.01.org/0day-ci/archive/20220126/202201261439.SqXHa4LN-lkp@intel.com/config )
> compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
> 
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@...el.com>
> Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
> 
> smatch warnings:
> kernel/rcu/srcutree.c:1426 srcu_torture_stats_print() error: buffer overflow 'srcu_size_state_name' 10 <= 10
> 
> vim +/srcu_size_state_name +1426 kernel/rcu/srcutree.c
> 
> aacb5d91ab1bfb Paul E. McKenney 2018-10-28  1415  void srcu_torture_stats_print(struct srcu_struct *ssp, char *tt, char *tf)
> 115a1a5285664f Paul E. McKenney 2017-05-22  1416  {
> 115a1a5285664f Paul E. McKenney 2017-05-22  1417  	int cpu;
> 115a1a5285664f Paul E. McKenney 2017-05-22  1418  	int idx;
> ac3748c6042660 Paul E. McKenney 2017-05-22  1419  	unsigned long s0 = 0, s1 = 0;
> 6d5d02daa5c017 Paul E. McKenney 2022-01-24  1420  	int ss_state = READ_ONCE(ssp->srcu_size_state);
> 6d5d02daa5c017 Paul E. McKenney 2022-01-24  1421  	int ss_state_idx = ss_state;
> 115a1a5285664f Paul E. McKenney 2017-05-22  1422  
> aacb5d91ab1bfb Paul E. McKenney 2018-10-28  1423  	idx = ssp->srcu_idx & 0x1;
> 6d5d02daa5c017 Paul E. McKenney 2022-01-24  1424  	if (ss_state < 0 || ss_state >= ARRAY_SIZE(srcu_size_state_name))
> 6d5d02daa5c017 Paul E. McKenney 2022-01-24  1425  		ss_state_idx = ARRAY_SIZE(srcu_size_state_name);
> 
> This was supposed to be ss_state_idx = ARRAY_SIZE(srcu_size_state_name) - 1;

Good catch!  Fixed, and will merge into original commit with
attribution, thank you!

							Thanx, Paul

> 6d5d02daa5c017 Paul E. McKenney 2022-01-24 @1426  	pr_alert("%s%s Tree SRCU g%ld state %d (%s) per-CPU(idx=%d):",
> 6d5d02daa5c017 Paul E. McKenney 2022-01-24  1427  		 tt, tf, rcu_seq_current(&ssp->srcu_gp_seq), ss_state,
> 6d5d02daa5c017 Paul E. McKenney 2022-01-24  1428  		 srcu_size_state_name[ss_state_idx], idx);
> 115a1a5285664f Paul E. McKenney 2017-05-22  1429  	for_each_possible_cpu(cpu) {
> 115a1a5285664f Paul E. McKenney 2017-05-22  1430  		unsigned long l0, l1;
> 115a1a5285664f Paul E. McKenney 2017-05-22  1431  		unsigned long u0, u1;
> 115a1a5285664f Paul E. McKenney 2017-05-22  1432  		long c0, c1;
> 5ab07a8df4d6c9 Paul E. McKenney 2018-05-22  1433  		struct srcu_data *sdp;
> 115a1a5285664f Paul E. McKenney 2017-05-22  1434  
> aacb5d91ab1bfb Paul E. McKenney 2018-10-28  1435  		sdp = per_cpu_ptr(ssp->sda, cpu);
> b68c6146512d92 Paul E. McKenney 2020-01-03  1436  		u0 = data_race(sdp->srcu_unlock_count[!idx]);
> b68c6146512d92 Paul E. McKenney 2020-01-03  1437  		u1 = data_race(sdp->srcu_unlock_count[idx]);
> 115a1a5285664f Paul E. McKenney 2017-05-22  1438  
> 115a1a5285664f Paul E. McKenney 2017-05-22  1439  		/*
> 115a1a5285664f Paul E. McKenney 2017-05-22  1440  		 * Make sure that a lock is always counted if the corresponding
> 115a1a5285664f Paul E. McKenney 2017-05-22  1441  		 * unlock is counted.
> 115a1a5285664f Paul E. McKenney 2017-05-22  1442  		 */
> 115a1a5285664f Paul E. McKenney 2017-05-22  1443  		smp_rmb();
> 115a1a5285664f Paul E. McKenney 2017-05-22  1444  
> b68c6146512d92 Paul E. McKenney 2020-01-03  1445  		l0 = data_race(sdp->srcu_lock_count[!idx]);
> b68c6146512d92 Paul E. McKenney 2020-01-03  1446  		l1 = data_race(sdp->srcu_lock_count[idx]);
> 115a1a5285664f Paul E. McKenney 2017-05-22  1447  
> 115a1a5285664f Paul E. McKenney 2017-05-22  1448  		c0 = l0 - u0;
> 115a1a5285664f Paul E. McKenney 2017-05-22  1449  		c1 = l1 - u1;
> 7e210a653ec944 Paul E. McKenney 2019-06-28  1450  		pr_cont(" %d(%ld,%ld %c)",
> 7e210a653ec944 Paul E. McKenney 2019-06-28  1451  			cpu, c0, c1,
> 7e210a653ec944 Paul E. McKenney 2019-06-28  1452  			"C."[rcu_segcblist_empty(&sdp->srcu_cblist)]);
> ac3748c6042660 Paul E. McKenney 2017-05-22  1453  		s0 += c0;
> ac3748c6042660 Paul E. McKenney 2017-05-22  1454  		s1 += c1;
> 115a1a5285664f Paul E. McKenney 2017-05-22  1455  	}
> ac3748c6042660 Paul E. McKenney 2017-05-22  1456  	pr_cont(" T(%ld,%ld)\n", s0, s1);
> e3ec4a4e8733d5 Paul E. McKenney 2022-01-24  1457  	smp_store_release(&ssp->srcu_size_state, SRCU_SIZE_ALLOC); // @@@
> 115a1a5285664f Paul E. McKenney 2017-05-22  1458  }
> 
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org 
> _______________________________________________
> kbuild mailing list -- kbuild@...ts.01.org
> To unsubscribe send an email to kbuild-leave@...ts.01.org
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ