lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKwvOdm0+bB=UY91V=ai2TPg3XCbNUZQfBzxrSUA0AtW=zM=LA@mail.gmail.com>
Date:   Mon, 7 Feb 2022 16:23:06 -0800
From:   Nick Desaulniers <ndesaulniers@...gle.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Arvind Sankar <nivedita@...m.mit.edu>,
        Fangrui Song <maskray@...gle.com>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com, kernel test robot <oliver.sang@...el.com>
Subject: Re: [x86] 1099ce55b0: BUG:kernel_NULL_pointer_dereference,address

On Fri, Feb 4, 2022 at 4:37 AM kernel test robot <oliver.sang@...el.com> wrote:
>
>
>
> Greeting,
>
> FYI, we noticed the following commit (built with clang-15):
>
> commit: 1099ce55b0530ff429312dc37362ad43aee8c5c0 ("x86: don't build CONFIG_X86_32 as -ffreestanding")
> https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/memcpy
>
> in testcase: boot
>
> on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
>
>
> +---------------------------------------------+------------+------------+
> |                                             | 274d8f425a | 1099ce55b0 |
> +---------------------------------------------+------------+------------+
> | boot_successes                              | 9          | 0          |
> | boot_failures                               | 0          | 10         |
> | BUG:kernel_NULL_pointer_dereference,address | 0          | 10         |
> | Oops:#[##]                                  | 0          | 10         |
> | EIP:bcmp                                    | 0          | 10         |
> | Kernel_panic-not_syncing:Fatal_exception    | 0          | 10         |
> | Kernel_panic-not_syncing:Fatal_exception]   | 0          | 10         |
> +---------------------------------------------+------------+------------+
>
>
> If you fix the issue, kindly add following tag
> Reported-by: kernel test robot <oliver.sang@...el.com>
>
>
> [    0.000000][    T0] BUG: kernel NULL pointer dereference, address: 0000004d
> [    0.000000][    T0] #PF: supervisor read access in kernel mode
> [    0.000000][    T0] #PF: error_code(0x0000) - not-present page
> [    0.000000][    T0] *pde = 00000000
> [    0.000000][    T0] Oops: 0000 [#1]
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper Not tainted 5.17.0-rc2-00011-g1099ce55b053 #1
> [    0.000000][    T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
> [ 0.000000][ T0] EIP: bcmp (??:?)
> [ 0.000000][ T0] Code: 90 90 90 90 90 90 90 90 55 89 e5 53 57 56 50 83 f9 04 72 33 83 05 c8 e5 9c c2 01 8b 35 cc e5 9c c2 83 c6 01 90 90 90 90 8b 38 <3b> 3a 75 26 89 35 cc e5 9c c2 83 c0 04 83 c2 04 83 c1 fc 83 c6 01
> All code
> ========
>    0:   90                      nop
>    1:   90                      nop
>    2:   90                      nop
>    3:   90                      nop
>    4:   90                      nop
>    5:   90                      nop
>    6:   90                      nop
>    7:   90                      nop
>    8:   55                      push   %rbp
>    9:   89 e5                   mov    %esp,%ebp
>    b:   53                      push   %rbx
>    c:   57                      push   %rdi
>    d:   56                      push   %rsi
>    e:   50                      push   %rax
>    f:   83 f9 04                cmp    $0x4,%ecx
>   12:   72 33                   jb     0x47
>   14:   83 05 c8 e5 9c c2 01    addl   $0x1,-0x3d631a38(%rip)        # 0xffffffffc29ce5e3
>   1b:   8b 35 cc e5 9c c2       mov    -0x3d631a34(%rip),%esi        # 0xffffffffc29ce5ed
>   21:   83 c6 01                add    $0x1,%esi
>   24:   90                      nop
>   25:   90                      nop
>   26:   90                      nop
>   27:   90                      nop
>   28:   8b 38                   mov    (%rax),%edi
>   2a:*  3b 3a                   cmp    (%rdx),%edi              <-- trapping instruction

I've been having a hard time pinpointing via bisection when this
stopped working.  I suspect it's actually the change on llvm's side
that would replace memcmp with bcmp.  With this diff, we can boot
ARCH=i386 defconfig

```
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 7ef211865239..5e4570495206 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -88,6 +88,8 @@ ifeq ($(CONFIG_X86_32),y)
         include $(srctree)/arch/x86/Makefile_32.cpu
         KBUILD_CFLAGS += $(cflags-y)

+        KBUILD_CFLAGS += -fno-builtin-bcmp
+
        ifeq ($(CONFIG_STACKPROTECTOR),y)
                ifeq ($(CONFIG_SMP),y)
                        KBUILD_CFLAGS +=
-mstack-protector-guard-reg=fs
-mstack-protector-guard-symbol=__stack_chk_guard
```

It looks like the call argument setup in the _callers_ of memcmp is messed up.

Before:
pushl %ecx
pushl %ebx
pushl -24(%ebp)
calll bcmp

After:
movl  %ebx, %eax
movl  %esi, %edx
movl  %ecx, %ebx
calll memcmp

it looks like they're not obeying `-mregparm=3`.

https://godbolt.org/z/z3fjveP4h

Diffing the IR between `-mregparm=3` vs not, it looks like there's an
LLVM IR function argument attribute inreg.
https://llvm.org/docs/LangRef.html#parameter-attributes
>> This indicates that this parameter or return value should be treated in a
>> special target-dependent fashion while emitting code for a function call
>> or return (usually, by putting it in a register as opposed to memory,
>> though some targets use it to distinguish between two different kinds of
>> registers). Use of this attribute is target-specific.

As is tradition, instcombine is not checking+carrying over the
function argument attributes when replacing calls to memcmp w/ bcmp.

Before:
  %4 = call i32 @memcmp(i8* inreg noundef %3, i8* inreg noundef %0,
i32 inreg noundef %1) #4, !dbg !22

After:
  %bcmp = call i32 @bcmp(i8* %3, i8* %0, i32 %1), !dbg !22

Filed:
https://github.com/llvm/llvm-project/issues/53645

So I think the best course of action is to disable memcmp to bcmp
BEFORE the removal of -ffreestanding, and only for clang until we have
a fix in hand.


>   2c:   75 26                   jne    0x54
>   2e:   89 35 cc e5 9c c2       mov    %esi,-0x3d631a34(%rip)        # 0xffffffffc29ce600
>   34:   83 c0 04                add    $0x4,%eax
>   37:   83 c2 04                add    $0x4,%edx
>   3a:   83 c1 fc                add    $0xfffffffc,%ecx
>   3d:   83 c6 01                add    $0x1,%esi
>
> Code starting with the faulting instruction
> ===========================================
>    0:   3b 3a                   cmp    (%rdx),%edi
>    2:   75 26                   jne    0x2a
>    4:   89 35 cc e5 9c c2       mov    %esi,-0x3d631a34(%rip)        # 0xffffffffc29ce5d6
>    a:   83 c0 04                add    $0x4,%eax
>    d:   83 c2 04                add    $0x4,%edx
>   10:   83 c1 fc                add    $0xfffffffc,%ecx
>   13:   83 c6 01                add    $0x1,%esi
> [    0.000000][    T0] EAX: c23b5f10 EBX: 4b4d564b ECX: 564b4d56 EDX: 0000004d
> [    0.000000][    T0] ESI: 00000001 EDI: 4b4d564b EBP: c23b5efc ESP: c23b5eec
> [    0.000000][    T0] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00210002
> [    0.000000][    T0] CR0: 80050033 CR2: 0000004d CR3: 02b4d000 CR4: 00040600
> [    0.000000][    T0] Call Trace:
> [ 0.000000][ T0] vmware_platform (vmware.c:?)
> [ 0.000000][ T0] detect_hypervisor_vendor (hypervisor.c:?)
> [ 0.000000][ T0] init_hypervisor_platform (??:?)
> [ 0.000000][ T0] setup_arch (??:?)
> [ 0.000000][ T0] ? vprintk (??:?)
> [ 0.000000][ T0] ? _printk (??:?)
> [ 0.000000][ T0] start_kernel (??:?)
> [ 0.000000][ T0] i386_start_kernel (??:?)
> [ 0.000000][ T0] startup_32_smp (??:?)
> [    0.000000][    T0] Modules linked in:
> [    0.000000][    T0] CR2: 000000000000004d
> [    0.000000][    T0] ---[ end trace 0000000000000000 ]---
> [ 0.000000][ T0] EIP: bcmp (??:?)
> [ 0.000000][ T0] Code: 90 90 90 90 90 90 90 90 55 89 e5 53 57 56 50 83 f9 04 72 33 83 05 c8 e5 9c c2 01 8b 35 cc e5 9c c2 83 c6 01 90 90 90 90 8b 38 <3b> 3a 75 26 89 35 cc e5 9c c2 83 c0 04 83 c2 04 83 c1 fc 83 c6 01
> All code
> ========
>    0:   90                      nop
>    1:   90                      nop
>    2:   90                      nop
>    3:   90                      nop
>    4:   90                      nop
>    5:   90                      nop
>    6:   90                      nop
>    7:   90                      nop
>    8:   55                      push   %rbp
>    9:   89 e5                   mov    %esp,%ebp
>    b:   53                      push   %rbx
>    c:   57                      push   %rdi
>    d:   56                      push   %rsi
>    e:   50                      push   %rax
>    f:   83 f9 04                cmp    $0x4,%ecx
>   12:   72 33                   jb     0x47
>   14:   83 05 c8 e5 9c c2 01    addl   $0x1,-0x3d631a38(%rip)        # 0xffffffffc29ce5e3
>   1b:   8b 35 cc e5 9c c2       mov    -0x3d631a34(%rip),%esi        # 0xffffffffc29ce5ed
>   21:   83 c6 01                add    $0x1,%esi
>   24:   90                      nop
>   25:   90                      nop
>   26:   90                      nop
>   27:   90                      nop
>   28:   8b 38                   mov    (%rax),%edi
>   2a:*  3b 3a                   cmp    (%rdx),%edi              <-- trapping instruction
>   2c:   75 26                   jne    0x54
>   2e:   89 35 cc e5 9c c2       mov    %esi,-0x3d631a34(%rip)        # 0xffffffffc29ce600
>   34:   83 c0 04                add    $0x4,%eax
>   37:   83 c2 04                add    $0x4,%edx
>   3a:   83 c1 fc                add    $0xfffffffc,%ecx
>   3d:   83 c6 01                add    $0x1,%esi
>
> Code starting with the faulting instruction
> ===========================================
>    0:   3b 3a                   cmp    (%rdx),%edi
>    2:   75 26                   jne    0x2a
>    4:   89 35 cc e5 9c c2       mov    %esi,-0x3d631a34(%rip)        # 0xffffffffc29ce5d6
>    a:   83 c0 04                add    $0x4,%eax
>    d:   83 c2 04                add    $0x4,%edx
>   10:   83 c1 fc                add    $0xfffffffc,%ecx
>   13:   83 c6 01                add    $0x1,%esi
>
>
> To reproduce:
>
>         # build kernel
>         cd linux
>         cp config-5.17.0-rc2-00011-g1099ce55b053 .config
>         make HOSTCC=clang-15 CC=clang-15 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
>         make HOSTCC=clang-15 CC=clang-15 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
>         cd <mod-install-dir>
>         find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
>
>
>         git clone https://github.com/intel/lkp-tests.git
>         cd lkp-tests
>         bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
>
>         # if come across any failure that blocks the test,
>         # please remove ~/.lkp and /lkp dir to run from a clean state.
>
>
>
> ---
> 0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
> https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation
>
> Thanks,
> Oliver Sang
>


-- 
Thanks,
~Nick Desaulniers

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ