lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <202204182333.OIUOotK8-lkp@intel.com>
Date:   Mon, 18 Apr 2022 23:30:28 +0800
From:   kernel test robot <lkp@...el.com>
To:     Niklas Cassel <niklas.cassel@....com>
Cc:     kbuild-all@...ts.01.org, linux-kernel@...r.kernel.org,
        Kees Cook <keescook@...omium.org>,
        Damien Le Moal <damien.lemoal@...nsource.wdc.com>
Subject: [kees:for-next/execve 1/1] fs/binfmt_flat.c:816:39: sparse: sparse:
 incorrect type in argument 1 (different address spaces)

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/execve
head:   a767e6fd68d2ca84578649acc072f21b81edfb3a
commit: a767e6fd68d2ca84578649acc072f21b81edfb3a [1/1] binfmt_flat: do not stop relocating GOT entries prematurely on riscv
config: m68k-randconfig-s032-20220417 (https://download.01.org/0day-ci/archive/20220418/202204182333.OIUOotK8-lkp@intel.com/config)
compiler: m68k-linux-gcc (GCC) 11.2.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # apt-get install sparse
        # sparse version: v0.6.4-dirty
        # https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=a767e6fd68d2ca84578649acc072f21b81edfb3a
        git remote add kees https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git
        git fetch --no-tags kees for-next/execve
        git checkout a767e6fd68d2ca84578649acc072f21b81edfb3a
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=m68k SHELL=/bin/bash

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>


sparse warnings: (new ones prefixed by >>)
>> fs/binfmt_flat.c:816:39: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected unsigned int [noderef] [usertype] __user *rp @@     got unsigned int [usertype] *[noderef] __user @@
   fs/binfmt_flat.c:816:39: sparse:     expected unsigned int [noderef] [usertype] __user *rp
   fs/binfmt_flat.c:816:39: sparse:     got unsigned int [usertype] *[noderef] __user
   fs/binfmt_flat.c:856:29: sparse: sparse: restricted __be32 degrades to integer
   fs/binfmt_flat.c:899:29: sparse: sparse: restricted __be32 degrades to integer

vim +816 fs/binfmt_flat.c

   563	
   564		/*
   565		 * Check initial limits. This avoids letting people circumvent
   566		 * size limits imposed on them by creating programs with large
   567		 * arrays in the data or bss.
   568		 */
   569		rlim = rlimit(RLIMIT_DATA);
   570		if (rlim >= RLIM_INFINITY)
   571			rlim = ~0;
   572		if (data_len + bss_len > rlim) {
   573			ret = -ENOMEM;
   574			goto err;
   575		}
   576	
   577		/* Flush all traces of the currently running executable */
   578		if (id == 0) {
   579			ret = begin_new_exec(bprm);
   580			if (ret)
   581				goto err;
   582	
   583			/* OK, This is the point of no return */
   584			set_personality(PER_LINUX_32BIT);
   585			setup_new_exec(bprm);
   586		}
   587	
   588		/*
   589		 * calculate the extra space we need to map in
   590		 */
   591		extra = max_t(unsigned long, bss_len + stack_len,
   592				relocs * sizeof(unsigned long));
   593	
   594		/*
   595		 * there are a couple of cases here,  the separate code/data
   596		 * case,  and then the fully copied to RAM case which lumps
   597		 * it all together.
   598		 */
   599		if (!IS_ENABLED(CONFIG_MMU) && !(flags & (FLAT_FLAG_RAM|FLAT_FLAG_GZIP))) {
   600			/*
   601			 * this should give us a ROM ptr,  but if it doesn't we don't
   602			 * really care
   603			 */
   604			pr_debug("ROM mapping of file (we hope)\n");
   605	
   606			textpos = vm_mmap(bprm->file, 0, text_len, PROT_READ|PROT_EXEC,
   607					  MAP_PRIVATE, 0);
   608			if (!textpos || IS_ERR_VALUE(textpos)) {
   609				ret = textpos;
   610				if (!textpos)
   611					ret = -ENOMEM;
   612				pr_err("Unable to mmap process text, errno %d\n", ret);
   613				goto err;
   614			}
   615	
   616			len = data_len + extra +
   617				DATA_START_OFFSET_WORDS * sizeof(unsigned long);
   618			len = PAGE_ALIGN(len);
   619			realdatastart = vm_mmap(NULL, 0, len,
   620				PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 0);
   621	
   622			if (realdatastart == 0 || IS_ERR_VALUE(realdatastart)) {
   623				ret = realdatastart;
   624				if (!realdatastart)
   625					ret = -ENOMEM;
   626				pr_err("Unable to allocate RAM for process data, "
   627				       "errno %d\n", ret);
   628				vm_munmap(textpos, text_len);
   629				goto err;
   630			}
   631			datapos = ALIGN(realdatastart +
   632					DATA_START_OFFSET_WORDS * sizeof(unsigned long),
   633					FLAT_DATA_ALIGN);
   634	
   635			pr_debug("Allocated data+bss+stack (%u bytes): %lx\n",
   636				 data_len + bss_len + stack_len, datapos);
   637	
   638			fpos = ntohl(hdr->data_start);
   639	#ifdef CONFIG_BINFMT_ZFLAT
   640			if (flags & FLAT_FLAG_GZDATA) {
   641				result = decompress_exec(bprm, fpos, (char *)datapos,
   642							 full_data, 0);
   643			} else
   644	#endif
   645			{
   646				result = read_code(bprm->file, datapos, fpos,
   647						full_data);
   648			}
   649			if (IS_ERR_VALUE(result)) {
   650				ret = result;
   651				pr_err("Unable to read data+bss, errno %d\n", ret);
   652				vm_munmap(textpos, text_len);
   653				vm_munmap(realdatastart, len);
   654				goto err;
   655			}
   656	
   657			reloc = (__be32 __user *)
   658				(datapos + (ntohl(hdr->reloc_start) - text_len));
   659			memp = realdatastart;
   660			memp_size = len;
   661		} else {
   662	
   663			len = text_len + data_len + extra +
   664				DATA_START_OFFSET_WORDS * sizeof(u32);
   665			len = PAGE_ALIGN(len);
   666			textpos = vm_mmap(NULL, 0, len,
   667				PROT_READ | PROT_EXEC | PROT_WRITE, MAP_PRIVATE, 0);
   668	
   669			if (!textpos || IS_ERR_VALUE(textpos)) {
   670				ret = textpos;
   671				if (!textpos)
   672					ret = -ENOMEM;
   673				pr_err("Unable to allocate RAM for process text/data, "
   674				       "errno %d\n", ret);
   675				goto err;
   676			}
   677	
   678			realdatastart = textpos + ntohl(hdr->data_start);
   679			datapos = ALIGN(realdatastart +
   680					DATA_START_OFFSET_WORDS * sizeof(u32),
   681					FLAT_DATA_ALIGN);
   682	
   683			reloc = (__be32 __user *)
   684				(datapos + (ntohl(hdr->reloc_start) - text_len));
   685			memp = textpos;
   686			memp_size = len;
   687	#ifdef CONFIG_BINFMT_ZFLAT
   688			/*
   689			 * load it all in and treat it like a RAM load from now on
   690			 */
   691			if (flags & FLAT_FLAG_GZIP) {
   692	#ifndef CONFIG_MMU
   693				result = decompress_exec(bprm, sizeof(struct flat_hdr),
   694						 (((char *)textpos) + sizeof(struct flat_hdr)),
   695						 (text_len + full_data
   696							  - sizeof(struct flat_hdr)),
   697						 0);
   698				memmove((void *) datapos, (void *) realdatastart,
   699						full_data);
   700	#else
   701				/*
   702				 * This is used on MMU systems mainly for testing.
   703				 * Let's use a kernel buffer to simplify things.
   704				 */
   705				long unz_text_len = text_len - sizeof(struct flat_hdr);
   706				long unz_len = unz_text_len + full_data;
   707				char *unz_data = vmalloc(unz_len);
   708				if (!unz_data) {
   709					result = -ENOMEM;
   710				} else {
   711					result = decompress_exec(bprm, sizeof(struct flat_hdr),
   712								 unz_data, unz_len, 0);
   713					if (result == 0 &&
   714					    (copy_to_user((void __user *)textpos + sizeof(struct flat_hdr),
   715							  unz_data, unz_text_len) ||
   716					     copy_to_user((void __user *)datapos,
   717							  unz_data + unz_text_len, full_data)))
   718						result = -EFAULT;
   719					vfree(unz_data);
   720				}
   721	#endif
   722			} else if (flags & FLAT_FLAG_GZDATA) {
   723				result = read_code(bprm->file, textpos, 0, text_len);
   724				if (!IS_ERR_VALUE(result)) {
   725	#ifndef CONFIG_MMU
   726					result = decompress_exec(bprm, text_len, (char *) datapos,
   727							 full_data, 0);
   728	#else
   729					char *unz_data = vmalloc(full_data);
   730					if (!unz_data) {
   731						result = -ENOMEM;
   732					} else {
   733						result = decompress_exec(bprm, text_len,
   734							       unz_data, full_data, 0);
   735						if (result == 0 &&
   736						    copy_to_user((void __user *)datapos,
   737								 unz_data, full_data))
   738							result = -EFAULT;
   739						vfree(unz_data);
   740					}
   741	#endif
   742				}
   743			} else
   744	#endif /* CONFIG_BINFMT_ZFLAT */
   745			{
   746				result = read_code(bprm->file, textpos, 0, text_len);
   747				if (!IS_ERR_VALUE(result))
   748					result = read_code(bprm->file, datapos,
   749							   ntohl(hdr->data_start),
   750							   full_data);
   751			}
   752			if (IS_ERR_VALUE(result)) {
   753				ret = result;
   754				pr_err("Unable to read code+data+bss, errno %d\n", ret);
   755				vm_munmap(textpos, text_len + data_len + extra +
   756					  DATA_START_OFFSET_WORDS * sizeof(u32));
   757				goto err;
   758			}
   759		}
   760	
   761		start_code = textpos + sizeof(struct flat_hdr);
   762		end_code = textpos + text_len;
   763		text_len -= sizeof(struct flat_hdr); /* the real code len */
   764	
   765		/* The main program needs a little extra setup in the task structure */
   766		if (id == 0) {
   767			current->mm->start_code = start_code;
   768			current->mm->end_code = end_code;
   769			current->mm->start_data = datapos;
   770			current->mm->end_data = datapos + data_len;
   771			/*
   772			 * set up the brk stuff, uses any slack left in data/bss/stack
   773			 * allocation.  We put the brk after the bss (between the bss
   774			 * and stack) like other platforms.
   775			 * Userspace code relies on the stack pointer starting out at
   776			 * an address right at the end of a page.
   777			 */
   778			current->mm->start_brk = datapos + data_len + bss_len;
   779			current->mm->brk = (current->mm->start_brk + 3) & ~3;
   780	#ifndef CONFIG_MMU
   781			current->mm->context.end_brk = memp + memp_size - stack_len;
   782	#endif
   783		}
   784	
   785		if (flags & FLAT_FLAG_KTRACE) {
   786			pr_info("Mapping is %lx, Entry point is %x, data_start is %x\n",
   787				textpos, 0x00ffffff&ntohl(hdr->entry), ntohl(hdr->data_start));
   788			pr_info("%s %s: TEXT=%lx-%lx DATA=%lx-%lx BSS=%lx-%lx\n",
   789				id ? "Lib" : "Load", bprm->filename,
   790				start_code, end_code, datapos, datapos + data_len,
   791				datapos + data_len, (datapos + data_len + bss_len + 3) & ~3);
   792		}
   793	
   794		/* Store the current module values into the global library structure */
   795		libinfo->lib_list[id].start_code = start_code;
   796		libinfo->lib_list[id].start_data = datapos;
   797		libinfo->lib_list[id].start_brk = datapos + data_len + bss_len;
   798		libinfo->lib_list[id].text_len = text_len;
   799		libinfo->lib_list[id].loaded = 1;
   800		libinfo->lib_list[id].entry = (0x00ffffff & ntohl(hdr->entry)) + textpos;
   801		libinfo->lib_list[id].build_date = ntohl(hdr->build_date);
   802	
   803		/*
   804		 * We just load the allocations into some temporary memory to
   805		 * help simplify all this mumbo jumbo
   806		 *
   807		 * We've got two different sections of relocation entries.
   808		 * The first is the GOT which resides at the beginning of the data segment
   809		 * and is terminated with a -1.  This one can be relocated in place.
   810		 * The second is the extra relocation entries tacked after the image's
   811		 * data segment. These require a little more processing as the entry is
   812		 * really an offset into the image which contains an offset into the
   813		 * image.
   814		 */
   815		if (flags & FLAT_FLAG_GOTPIC) {
 > 816			rp = skip_got_header((u32 * __user) datapos);
   817			for (; ; rp++) {
   818				u32 addr, rp_val;
   819				if (get_user(rp_val, rp))
   820					return -EFAULT;
   821				if (rp_val == 0xffffffff)
   822					break;
   823				if (rp_val) {
   824					addr = calc_reloc(rp_val, libinfo, id, 0);
   825					if (addr == RELOC_FAILED) {
   826						ret = -ENOEXEC;
   827						goto err;
   828					}
   829					if (put_user(addr, rp))
   830						return -EFAULT;
   831				}
   832			}
   833		}
   834	
   835		/*
   836		 * Now run through the relocation entries.
   837		 * We've got to be careful here as C++ produces relocatable zero
   838		 * entries in the constructor and destructor tables which are then
   839		 * tested for being not zero (which will always occur unless we're
   840		 * based from address zero).  This causes an endless loop as __start
   841		 * is at zero.  The solution used is to not relocate zero addresses.
   842		 * This has the negative side effect of not allowing a global data
   843		 * reference to be statically initialised to _stext (I've moved
   844		 * __start to address 4 so that is okay).
   845		 */
   846		if (rev > OLD_FLAT_VERSION) {
   847			for (i = 0; i < relocs; i++) {
   848				u32 addr, relval;
   849				__be32 tmp;
   850	
   851				/*
   852				 * Get the address of the pointer to be
   853				 * relocated (of course, the address has to be
   854				 * relocated first).
   855				 */
   856				if (get_user(tmp, reloc + i))
   857					return -EFAULT;
   858				relval = ntohl(tmp);
   859				addr = flat_get_relocate_addr(relval);
   860				rp = (u32 __user *)calc_reloc(addr, libinfo, id, 1);
   861				if (rp == (u32 __user *)RELOC_FAILED) {
   862					ret = -ENOEXEC;
   863					goto err;
   864				}
   865	
   866				/* Get the pointer's value.  */
   867				ret = flat_get_addr_from_rp(rp, relval, flags, &addr);
   868				if (unlikely(ret))
   869					goto err;
   870	
   871				if (addr != 0) {
   872					/*
   873					 * Do the relocation.  PIC relocs in the data section are
   874					 * already in target order
   875					 */
   876					if ((flags & FLAT_FLAG_GOTPIC) == 0) {
   877						/*
   878						 * Meh, the same value can have a different
   879						 * byte order based on a flag..
   880						 */
   881						addr = ntohl((__force __be32)addr);
   882					}
   883					addr = calc_reloc(addr, libinfo, id, 0);
   884					if (addr == RELOC_FAILED) {
   885						ret = -ENOEXEC;
   886						goto err;
   887					}
   888	
   889					/* Write back the relocated pointer.  */
   890					ret = flat_put_addr_at_rp(rp, addr, relval);
   891					if (unlikely(ret))
   892						goto err;
   893				}
   894			}
   895	#ifdef CONFIG_BINFMT_FLAT_OLD
   896		} else {
   897			for (i = 0; i < relocs; i++) {
   898				__be32 relval;
   899				if (get_user(relval, reloc + i))
   900					return -EFAULT;
   901				old_reloc(ntohl(relval));
   902			}
   903	#endif /* CONFIG_BINFMT_FLAT_OLD */
   904		}
   905	
   906		flush_icache_user_range(start_code, end_code);
   907	
   908		/* zero the BSS,  BRK and stack areas */
   909		if (clear_user((void __user *)(datapos + data_len), bss_len +
   910			       (memp + memp_size - stack_len -		/* end brk */
   911			       libinfo->lib_list[id].start_brk) +	/* start brk */
   912			       stack_len))
   913			return -EFAULT;
   914	
   915		return 0;
   916	err:
   917		return ret;
   918	}
   919	

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ