Message-ID: <202204201422.AzI0RBIZ-lkp@intel.com>
Date:   Wed, 20 Apr 2022 14:17:19 +0800
From:   kernel test robot <lkp@...el.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     kbuild-all@...ts.01.org, linux-kernel@...r.kernel.org,
        Dan Li <ashimida@...ux.alibaba.com>
Subject: [kees:for-next/lkdtm 6/6] drivers/misc/lkdtm/cfi.c:72:13: sparse:
 sparse: non size-preserving pointer to integer cast

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/lkdtm
head:   2e53b877dc1258d4ac3de98f496bb88ec3bf5e25
commit: 2e53b877dc1258d4ac3de98f496bb88ec3bf5e25 [6/6] lkdtm: Add CFI_BACKWARD to test ROP mitigations
config: nios2-randconfig-s032-20220420 (https://download.01.org/0day-ci/archive/20220420/202204201422.AzI0RBIZ-lkp@intel.com/config)
compiler: nios2-linux-gcc (GCC) 11.2.0
reproduce:
        # Fetch the lkp-tests cross-build wrapper and make it executable.
        # NOTE(review): the script is taken from the moving master branch with no
        # pinned commit or checksum and is executed below; read it before running.
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # apt-get install sparse
        # sparse version: v0.6.4-dirty
        # https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=2e53b877dc1258d4ac3de98f496bb88ec3bf5e25
        # Check out the exact commit the report refers to.
        git remote add kees https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git
        git fetch --no-tags kees for-next/lkdtm
        git checkout 2e53b877dc1258d4ac3de98f496bb88ec3bf5e25
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        # C=1 runs sparse on the files being rebuilt; CF passes extra flags to it.
        # Only drivers/misc/lkdtm/ is built, for ARCH=nios2, into build_dir.
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=nios2 SHELL=/bin/bash drivers/misc/lkdtm/

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>


sparse warnings: (new ones prefixed by >>)
   drivers/misc/lkdtm/cfi.c:100:27: sparse: sparse: Using plain integer as NULL pointer
>> drivers/misc/lkdtm/cfi.c:72:13: sparse: sparse: non size-preserving pointer to integer cast
>> drivers/misc/lkdtm/cfi.c:72:13: sparse: sparse: non size-preserving integer to pointer cast
   drivers/misc/lkdtm/cfi.c:87:13: sparse: sparse: non size-preserving pointer to integer cast
   drivers/misc/lkdtm/cfi.c:87:13: sparse: sparse: non size-preserving integer to pointer cast

vim +72 drivers/misc/lkdtm/cfi.c

    60	
      	/*
      	 * no_pac_addr(addr): OR PAGE_OFFSET into addr and cast the result back to
      	 * the type of addr. Both helpers below apply it to the saved return
      	 * address before comparing that value with the expected label address.
      	 *
      	 * NOTE(review): judging by the name and the CONFIG_ARM64_PTR_AUTH_KERNEL
      	 * check later in this listing, this presumably restores the upper address
      	 * bits that a pointer-authentication code occupies - confirm for arm64.
      	 *
      	 * NOTE(review): the intermediate cast goes through u64. The sparse report
      	 * flags the uses at lines 72 and 87 as non size-preserving casts on this
      	 * nios2 build, presumably because pointers there are narrower than 64
      	 * bits; a pointer-sized integer type such as unsigned long would keep
      	 * the round trip size-preserving.
      	 */
    61	#define no_pac_addr(addr)      \
    62		((__force __typeof__(addr))((__force u64)(addr) | PAGE_OFFSET))
    63	
    64	/* The ultimate ROP gadget. */
      	/*
      	 * Overwrite this function's own saved return address with @addr, but only
      	 * when the slot currently holds @expected.
      	 *
      	 * @expected: address the caller expects to find in the return-address
      	 *            slot (compared after no_pac_addr() is applied to the slot).
      	 * @addr:     replacement return address stored when the check passes.
      	 *
      	 * On a mismatch nothing is written and a warning is logged instead.
      	 *
      	 * NOTE(review): __no_ret_protection is defined outside this excerpt;
      	 * presumably it turns off return-address protection for this one
      	 * function so that it acts as the unmitigated baseline - confirm.
      	 */
    65	static noinline __no_ret_protection
    66	void set_return_addr_unchecked(unsigned long *expected, unsigned long *addr)
    67	{
    68		/* Use of volatile is to make sure final write isn't seen as a dead store. */
      		/*
      		 * The slot is taken to be one pointer-sized element above the frame
      		 * address; that layout is architecture and compiler specific, which
      		 * is why the value is verified before it is overwritten.
      		 */
    69		unsigned long * volatile *ret_addr = (unsigned long **)__builtin_frame_address(0) + 1;
    70	
    71		/* Make sure we've found the right place on the stack before writing it. */
  > 72		if (no_pac_addr(*ret_addr) == expected)
    73			*ret_addr = (addr);
    74		else
    75			/* Check architecture, stack layout, or compiler behavior... */
      			/*
      			 * %px prints the raw, unhashed pointer values to the kernel log.
      			 * NOTE(review): the second value printed is @addr, not @expected,
      			 * although @expected is what the comparison used - confirm intent.
      			 */
    76			pr_warn("Eek: return address mismatch! %px != %px\n",
    77				*ret_addr, addr);
    78	}
    79	
      	/*
      	 * Same body as set_return_addr_unchecked(), but declared without
      	 * __no_ret_protection, so it is compiled with whatever return-address
      	 * protection the kernel build enables. This is the variant whose
      	 * redirection attempt the test expects a mitigation to stop.
      	 *
      	 * @expected: address the caller expects to find in the return-address
      	 *            slot (compared after no_pac_addr() is applied to the slot).
      	 * @addr:     replacement return address stored when the check passes.
      	 *
      	 * On a mismatch nothing is written and a warning is logged instead.
      	 */
    80	static noinline
    81	void set_return_addr(unsigned long *expected, unsigned long *addr)
    82	{
    83		/* Use of volatile is to make sure final write isn't seen as a dead store. */
      		/*
      		 * The slot is taken to be one pointer-sized element above the frame
      		 * address; that layout is architecture and compiler specific, which
      		 * is why the value is verified before it is overwritten.
      		 */
    84		unsigned long * volatile *ret_addr = (unsigned long **)__builtin_frame_address(0) + 1;
    85	
    86		/* Make sure we've found the right place on the stack before writing it. */
    87		if (no_pac_addr(*ret_addr) == expected)
    88			*ret_addr = (addr);
    89		else
    90			/* Check architecture, stack layout, or compiler behavior... */
      			/* %px prints the raw, unhashed pointer values to the kernel log. */
    91			pr_warn("Eek: return address mismatch! %px != %px\n",
    92				*ret_addr, addr);
    93	}
    94	
      	/*
      	 * Never assigned anywhere in this excerpt, so it keeps the zero value of
      	 * a static object. Being volatile, every test of it is a real load, which
      	 * keeps the compiler from folding the "Always false" / "Always true"
      	 * branches in lkdtm_CFI_BACKWARD() and discarding the labels behind them.
      	 */
    95	static volatile int force_check;
    96	
      	/*
      	 * lkdtm_CFI_BACKWARD - check whether a callee can redirect its own return.
      	 *
      	 * Phase 1 calls set_return_addr_unchecked(), asking it to return to the
      	 * "redirected" label instead of "normal". Arriving at "normal" is logged
      	 * as FAIL and ends the test: without a working baseline redirection the
      	 * second phase would prove nothing.
      	 *
      	 * Phase 2 repeats the attempt through set_return_addr(). Arriving at
      	 * "check_normal" logs "ok: control flow unchanged." and returns. Arriving
      	 * at "check_redirected" logs FAIL and then reports whether
      	 * CONFIG_ARM64_PTR_AUTH_KERNEL or CONFIG_SHADOW_CALL_STACK was enabled,
      	 * i.e. whether a backward-edge mitigation should have stopped it.
      	 */
    97	static void lkdtm_CFI_BACKWARD(void)
    98	{
    99		/* Use calculated gotos to keep labels addressable. */
      		/*
      		 * Slot 0 is an unused null placeholder. Sparse reports the literal 0
      		 * at line 100 as "Using plain integer as NULL pointer"; writing NULL
      		 * there would express the same value without the warning.
      		 */
 > 100		void *labels[] = {0, &&normal, &&redirected, &&check_normal, &&check_redirected};
   101	
   102		pr_info("Attempting unchecked stack return address redirection ...\n");
   103	
   104		/* Always false */
   105		if (force_check) {
   106			/*
   107			 * Prepare to call with NULLs to avoid parameters being treated as
   108			 * constants in -O2.
   109			 */
   110			set_return_addr_unchecked(NULL, NULL);
   111			set_return_addr(NULL, NULL);
   112			if (force_check)
   113				goto *labels[1];
   114			if (force_check)
   115				goto *labels[2];
   116			if (force_check)
   117				goto *labels[3];
   118			if (force_check)
   119				goto *labels[4];
   120			return;
   121		}
   122	
   123		/*
   124		 * Use fallthrough switch case to keep basic block ordering between
   125		 * set_return_addr*() and the label after it.
   126		 */
   127		switch (force_check) {
   128		case 0:
      			/* Expected slot value is &&normal; requested new target is &&redirected. */
   129			set_return_addr_unchecked(&&normal, &&redirected);
   130			fallthrough;
   131		case 1:
   132	normal:
   133			/* Always true */
   134			if (!force_check) {
   135				pr_err("FAIL: stack return address manipulation failed!\n");
   136				/* If we can't redirect "normally", we can't test mitigations. */
   137				return;
   138			}
   139			break;
   140		default:
   141	redirected:
   142			pr_info("ok: redirected stack return address.\n");
   143			break;
   144		}
   145	
   146		pr_info("Attempting checked stack return address redirection ...\n");
   147	
   148		switch (force_check) {
   149		case 0:
      			/* Same attempt, this time through the helper built with protection left on. */
   150			set_return_addr(&&check_normal, &&check_redirected);
   151			fallthrough;
   152		case 1:
   153	check_normal:
   154			/* Always true */
   155			if (!force_check) {
   156				pr_info("ok: control flow unchanged.\n");
   157				return;
   158			}
   159	
   160	check_redirected:
   161			pr_err("FAIL: stack return address was redirected!\n");
   162			break;
   163		}
   164	
      		/*
      		 * Reached after the FAIL path above: say whether this build had a
      		 * mitigation configured that should have blocked the redirection.
      		 */
   165		if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) {
   166			pr_expected_config(CONFIG_ARM64_PTR_AUTH_KERNEL);
   167			return;
   168		}
   169		if (IS_ENABLED(CONFIG_SHADOW_CALL_STACK)) {
   170			pr_expected_config(CONFIG_SHADOW_CALL_STACK);
   171			return;
   172		}
   173		pr_warn("This is probably expected, since this %s was built *without* %s=y nor %s=y\n",
   174			lkdtm_kernel_info,
   175			"CONFIG_ARM64_PTR_AUTH_KERNEL", "CONFIG_SHADOW_CALL_STACK");
   176	}
   177	

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp
