lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20220210072821.GD4074@xsang-OptiPlex-9020>
Date:   Thu, 10 Feb 2022 15:28:21 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Miguel Ojeda <ojeda@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Nathan Chancellor <nathan@...nel.org>,
        George Burgess IV <gbiv@...gle.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux Memory Management List <linux-mm@...ck.org>,
        lkp@...ts.01.org, lkp@...el.com
Subject: [fortify]  4cfbda15d6: kernel_BUG_at_lib/string_helpers.c



Greeting,

FYI, we noticed the following commit (built with clang-15):

commit: 4cfbda15d6578759c0157b18698e0c10ba598856 ("fortify: Add Clang support")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu Icelake-Server -smp 4 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+------------------------------------------+------------+------------+
|                                          | d3b2dc20b4 | 4cfbda15d6 |
+------------------------------------------+------------+------------+
| boot_successes                           | 22         | 0          |
| boot_failures                            | 0          | 22         |
| kernel_BUG_at_lib/string_helpers.c       | 0          | 22         |
| invalid_opcode:#[##]                     | 0          | 22         |
| RIP:fortify_panic                        | 0          | 22         |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 22         |
+------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[   92.405851][    T1] kernel BUG at lib/string_helpers.c:980!
[   92.406535][    T1] invalid opcode: 0000 [#1] PTI
[   92.407149][    T1] CPU: 0 PID: 1 Comm: swapper Not tainted 5.17.0-rc2-00015-g4cfbda15d657 #1
[   92.408207][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 92.409141][ T1] RIP: 0010:fortify_panic (fbdev.c:?) 
[ 92.409752][ T1] Code: 24 10 02 5b 41 5e 41 5f 5d c3 c3 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 00 cc c3 48 89 fe 48 c7 c7 08 f2 a9 9f e8 f3 d3 66 ff <0f> 0b 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 00 8d 47 d0 3c 09 77
All code
========
   0:	24 10                	and    $0x10,%al
   2:	02 5b 41             	add    0x41(%rbx),%bl
   5:	5e                   	pop    %rsi
   6:	41 5f                	pop    %r15
   8:	5d                   	pop    %rbp
   9:	c3                   	retq   
   a:	c3                   	retq   
   b:	00 00                	add    %al,(%rax)
   d:	cc                   	int3   
   e:	cc                   	int3   
   f:	00 00                	add    %al,(%rax)
  11:	cc                   	int3   
  12:	cc                   	int3   
  13:	00 00                	add    %al,(%rax)
  15:	cc                   	int3   
  16:	cc                   	int3   
  17:	00 00                	add    %al,(%rax)
  19:	cc                   	int3   
  1a:	c3                   	retq   
  1b:	48 89 fe             	mov    %rdi,%rsi
  1e:	48 c7 c7 08 f2 a9 9f 	mov    $0xffffffff9fa9f208,%rdi
  25:	e8 f3 d3 66 ff       	callq  0xffffffffff66d41d
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	00 00                	add    %al,(%rax)
  2e:	cc                   	int3   
  2f:	cc                   	int3   
  30:	00 00                	add    %al,(%rax)
  32:	cc                   	int3   
  33:	cc                   	int3   
  34:	00 00                	add    %al,(%rax)
  36:	cc                   	int3   
  37:	cc                   	int3   
  38:	00 00                	add    %al,(%rax)
  3a:	8d 47 d0             	lea    -0x30(%rdi),%eax
  3d:	3c 09                	cmp    $0x9,%al
  3f:	77                   	.byte 0x77

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	00 00                	add    %al,(%rax)
   4:	cc                   	int3   
   5:	cc                   	int3   
   6:	00 00                	add    %al,(%rax)
   8:	cc                   	int3   
   9:	cc                   	int3   
   a:	00 00                	add    %al,(%rax)
   c:	cc                   	int3   
   d:	cc                   	int3   
   e:	00 00                	add    %al,(%rax)
  10:	8d 47 d0             	lea    -0x30(%rdi),%eax
  13:	3c 09                	cmp    $0x9,%al
  15:	77                   	.byte 0x77
[   92.410056][    T1] RSP: 0018:ffff888100213c90 EFLAGS: 00010286
[   92.410056][    T1] RAX: 0000000000000022 RBX: ffffffff9fbf5eec RCX: ffffffff9c1ce33f
[   92.410056][    T1] RDX: 0000000000000004 RSI: 0000000080000001 RDI: ffffffffa0831840
[   92.410056][    T1] RBP: ffff888100213ed0 R08: 0001ffffffffffff R09: 0000000000000000
[   92.410056][    T1] R10: 0001ffffa0831847 R11: 0001ffffffffffff R12: ffffffffa2a2f320
[   92.410056][    T1] R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff9fb5128b
[   92.410056][    T1] FS:  0000000000000000(0000) GS:ffffffffa0633000(0000) knlGS:0000000000000000
[   92.410056][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   92.410056][    T1] CR2: 00007f61b2f55114 CR3: 00000003d6026002 CR4: 00000000003706f0
[   92.410056][    T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   92.410056][    T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   92.410056][    T1] Call Trace:
[   92.410056][    T1]  <TASK>
[ 92.410056][ T1] ni_assign_device_routes (fbdev.c:?) 
[ 92.410056][ T1] ? unittest_enter (fbdev.c:?) 
[ 92.410056][ T1] ni_routes_unittest (ni_routes_test.c:?) 
[ 92.410056][ T1] ? unittest_enter (fbdev.c:?) 
[ 92.410056][ T1] __initstub__kmod_ni_routes_test__505_604_ni_routes_unittest6 (fbdev.c:?) 
[ 92.410056][ T1] do_one_initcall (fbdev.c:?) 
[ 92.410056][ T1] ? do_initcall_level (main.c:?) 
[ 92.410056][ T1] do_initcall_level (main.c:?) 
[ 92.410056][ T1] do_initcalls (main.c:?) 
[ 92.410056][ T1] do_basic_setup (main.c:?) 
[ 92.410056][ T1] kernel_init_freeable (main.c:?) 
[ 92.410056][ T1] ? rest_init (main.c:?) 
[ 92.410056][ T1] kernel_init (main.c:?) 
[ 92.410056][ T1] ? rest_init (main.c:?) 
[ 92.410056][ T1] ret_from_fork (??:?) 
[   92.410056][    T1]  </TASK>
[   92.410056][    T1] Modules linked in:
[   92.432241][    T1] ---[ end trace 0000000000000000 ]---
[ 92.432880][ T1] RIP: 0010:fortify_panic (fbdev.c:?) 
[ 92.433440][ T1] Code: 24 10 02 5b 41 5e 41 5f 5d c3 c3 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 00 cc c3 48 89 fe 48 c7 c7 08 f2 a9 9f e8 f3 d3 66 ff <0f> 0b 00 00 cc cc 00 00 cc cc 00 00 cc cc 00 00 8d 47 d0 3c 09 77
All code
========
   0:	24 10                	and    $0x10,%al
   2:	02 5b 41             	add    0x41(%rbx),%bl
   5:	5e                   	pop    %rsi
   6:	41 5f                	pop    %r15
   8:	5d                   	pop    %rbp
   9:	c3                   	retq   
   a:	c3                   	retq   
   b:	00 00                	add    %al,(%rax)
   d:	cc                   	int3   
   e:	cc                   	int3   
   f:	00 00                	add    %al,(%rax)
  11:	cc                   	int3   
  12:	cc                   	int3   
  13:	00 00                	add    %al,(%rax)
  15:	cc                   	int3   
  16:	cc                   	int3   
  17:	00 00                	add    %al,(%rax)
  19:	cc                   	int3   
  1a:	c3                   	retq   
  1b:	48 89 fe             	mov    %rdi,%rsi
  1e:	48 c7 c7 08 f2 a9 9f 	mov    $0xffffffff9fa9f208,%rdi
  25:	e8 f3 d3 66 ff       	callq  0xffffffffff66d41d
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	00 00                	add    %al,(%rax)
  2e:	cc                   	int3   
  2f:	cc                   	int3   
  30:	00 00                	add    %al,(%rax)
  32:	cc                   	int3   
  33:	cc                   	int3   
  34:	00 00                	add    %al,(%rax)
  36:	cc                   	int3   
  37:	cc                   	int3   
  38:	00 00                	add    %al,(%rax)
  3a:	8d 47 d0             	lea    -0x30(%rdi),%eax
  3d:	3c 09                	cmp    $0x9,%al
  3f:	77                   	.byte 0x77

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	00 00                	add    %al,(%rax)
   4:	cc                   	int3   
   5:	cc                   	int3   
   6:	00 00                	add    %al,(%rax)
   8:	cc                   	int3   
   9:	cc                   	int3   
   a:	00 00                	add    %al,(%rax)
   c:	cc                   	int3   
   d:	cc                   	int3   
   e:	00 00                	add    %al,(%rax)
  10:	8d 47 d0             	lea    -0x30(%rdi),%eax
  13:	3c 09                	cmp    $0x9,%al
  15:	77                   	.byte 0x77


To reproduce:

        # build kernel
	cd linux
	cp config-5.17.0-rc2-00015-g4cfbda15d657 .config
	make HOSTCC=clang-15 CC=clang-15 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=clang-15 CC=clang-15 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.17.0-rc2-00015-g4cfbda15d657" of type "text/plain" (187006 bytes)

View attachment "job-script" of type "text/plain" (4921 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (16216 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ