Message-ID: <202210110943.6f16f1ea-yujie.liu@intel.com>
Date:   Tue, 11 Oct 2022 11:46:21 +0800
From:   kernel test robot <yujie.liu@...el.com>
To:     Kees Cook <keescook@...omium.org>
CC:     <lkp@...ts.01.org>, <lkp@...el.com>,
        <linux-kernel@...r.kernel.org>, <linux-hardening@...r.kernel.org>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>
Subject: [fortify] 54d9469bc5:
 WARNING:at_net/wireless/wext-core.c:#wireless_send_event

Please note that we have reported similar cases:

[fortify] 728833277d: WARNING:at_net/netlink/af_netlink.c:#netlink_ack
https://lore.kernel.org/all/202209071317.245c5751-oliver.sang@intel.com/

[fortify] 54d9469bc5: WARNING:at_fs/nfs/namespace.c:#nfs_d_automount
https://lore.kernel.org/all/202210110948.26b43120-yujie.liu@intel.com

Not sure if this is a new case that triggers the warning, so we send
this report FYI. Thanks.


Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: 54d9469bc515dc5fcbc20eecbe19cea868b70d68 ("fortify: Add run-time WARN for cross-field memcpy()")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

in testcase: hwsim
version: hwsim-x86_64-717e5d7-1_20220525
with the following parameters:

	test: group-11

on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


[   95.908419][   T36] ------------[ cut here ]------------
[   95.913726][   T36] memcpy: detected field-spanning write (size 16) of single field "&compat_event->pointer" at net/wireless/wext-core.c:623 (size 4)
[ 95.927159][ T36] WARNING: CPU: 3 PID: 36 at net/wireless/wext-core.c:623 wireless_send_event (net/wireless/wext-core.c:623 (discriminator 3)) 
[   95.936987][   T36] Modules linked in: ccm mac80211_hwsim mac80211 cfg80211 rfkill libarc4 btrfs blake2b_generic xor raid6_pq zstd_compress libcrc32c intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp sd_mod t10_pi coretemp crc64_rocksoft_generic kvm_intel crc64_rocksoft crc64 sg ipmi_devintf kvm irqbypass ipmi_msghandler crct10dif_pclmul i915 mei_wdt wmi_bmof drm_buddy crc32_pclmul crc32c_intel intel_gtt ahci libahci drm_display_helper ghash_clmulni_intel ttm rapl intel_cstate mei_me intel_uncore drm_kms_helper i2c_i801 syscopyarea libata intel_pch_thermal mei i2c_smbus sysfillrect sysimgblt fb_sys_fops wmi video acpi_pad intel_pmc_core drm fuse ip_tables
[   95.996833][   T36] CPU: 3 PID: 36 Comm: kworker/u8:2 Tainted: G    B   W I        6.0.0-rc2-00009-g54d9469bc515 #1
[   96.007276][   T36] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.1.1 10/07/2015
[   96.015373][   T36] Workqueue: phy0 ieee80211_iface_work [mac80211]
[ 96.021742][ T36] RIP: 0010:wireless_send_event (net/wireless/wext-core.c:623 (discriminator 3)) 
[ 96.027512][ T36] Code: 04 00 00 00 4c 89 d6 4c 89 14 24 48 c7 c2 e0 ce e8 83 48 c7 c7 20 ce e8 83 4c 89 4c 24 18 c6 05 d7 d4 d7 01 01 e8 a6 32 06 00 <0f> 0b 4c 8b 4c 24 18 4c 8b 14 24 e9 6c fb ff ff e8 15 ce 4d fe e9
All code
========
   0:	04 00                	add    $0x0,%al
   2:	00 00                	add    %al,(%rax)
   4:	4c 89 d6             	mov    %r10,%rsi
   7:	4c 89 14 24          	mov    %r10,(%rsp)
   b:	48 c7 c2 e0 ce e8 83 	mov    $0xffffffff83e8cee0,%rdx
  12:	48 c7 c7 20 ce e8 83 	mov    $0xffffffff83e8ce20,%rdi
  19:	4c 89 4c 24 18       	mov    %r9,0x18(%rsp)
  1e:	c6 05 d7 d4 d7 01 01 	movb   $0x1,0x1d7d4d7(%rip)        # 0x1d7d4fc
  25:	e8 a6 32 06 00       	callq  0x632d0
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	4c 8b 4c 24 18       	mov    0x18(%rsp),%r9
  31:	4c 8b 14 24          	mov    (%rsp),%r10
  35:	e9 6c fb ff ff       	jmpq   0xfffffffffffffba6
  3a:	e8 15 ce 4d fe       	callq  0xfffffffffe4dce54
  3f:	e9                   	.byte 0xe9

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	4c 8b 4c 24 18       	mov    0x18(%rsp),%r9
   7:	4c 8b 14 24          	mov    (%rsp),%r10
   b:	e9 6c fb ff ff       	jmpq   0xfffffffffffffb7c
  10:	e8 15 ce 4d fe       	callq  0xfffffffffe4dce2a
  15:	e9                   	.byte 0xe9
[   96.046945][   T36] RSP: 0018:ffffc900002d74b0 EFLAGS: 00010286
[   96.052870][   T36] RAX: 0000000000000000 RBX: ffffffff83e8d2bc RCX: 0000000000000000
[   96.060685][   T36] RDX: 0000000000000004 RSI: 0000000000000008 RDI: fffff5200005ae88
[   96.068519][   T36] RBP: ffff88820cd05040 R08: 0000000000000001 R09: ffff8887de9b2df7
[   96.076332][   T36] R10: ffffed10fbd365be R11: 0000000000000001 R12: 0000000000000014
[   96.084162][   T36] R13: ffff88810a778000 R14: ffff88820cd05e00 R15: ffff88810a77802c
[   96.091975][   T36] FS:  0000000000000000(0000) GS:ffff8887de980000(0000) knlGS:0000000000000000
[   96.100740][   T36] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   96.107182][   T36] CR2: 0000000000451c00 CR3: 000000014d94c005 CR4: 00000000003706e0
[   96.114994][   T36] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   96.122805][   T36] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   96.130619][   T36] Call Trace:
[   96.133772][   T36]  <TASK>
[ 96.136583][ T36] ? rtnetlink_ifinfo_prep (net/wireless/wext-core.c:455) 
[ 96.141905][ T36] ? memcpy (mm/kasan/shadow.c:65 (discriminator 1)) 
[ 96.145773][ T36] __cfg80211_connect_result (net/wireless/sme.c:780) cfg80211
[ 96.152372][ T36] ? cfg80211_assoc_comeback (net/wireless/nl80211.c:17464) cfg80211
[ 96.158852][ T36] ? ieee80211_destroy_assoc_data (net/mac80211/mlme.c:3491) mac80211
[ 96.165731][ T36] ? ieee80211_rx_mgmt_assoc_resp.cold (net/mac80211/status.c:460) mac80211
[ 96.173142][ T36] ? ieee80211_sta_rx_queued_mgmt (net/mac80211/mlme.c:5694) mac80211
[ 96.180137][ T36] ? ieee80211_iface_work (net/mac80211/ieee80211_i.h:2292 net/mac80211/iface.c:1841) mac80211
[ 96.186409][ T36] ? process_one_work (kernel/workqueue.c:2289) 
[ 96.191381][ T36] ? ret_from_fork (arch/x86/entry/entry_64.S:306) 
[ 96.195832][ T36] ? cfg80211_sme_abandon_assoc (net/wireless/sme.c:724) cfg80211
[ 96.202609][ T36] ? nl80211_send_rx_assoc (net/wireless/nl80211.c:17528) cfg80211
[ 96.208870][ T36] ? cfg80211_rx_assoc_resp (net/wireless/mlme.c:26) cfg80211
[ 96.215298][ T36] cfg80211_rx_assoc_resp (net/wireless/mlme.c:26) cfg80211
[ 96.221577][ T36] ? cfg80211_cac_event (net/wireless/mlme.c:26) cfg80211
[ 96.227657][ T36] ieee80211_rx_mgmt_assoc_resp.cold (net/mac80211/status.c:463) mac80211
[ 96.234932][ T36] ? ieee80211_recalc_ps_vif (net/mac80211/mlme.c:4936) mac80211
[ 96.241309][ T36] ? load_balance (kernel/sched/fair.c:10125) 
[ 96.245924][ T36] ? update_load_avg (kernel/sched/fair.c:3686 kernel/sched/fair.c:4021) 
[ 96.250804][ T36] ? find_busiest_group (kernel/sched/fair.c:10095) 
[ 96.255865][ T36] ? mutex_lock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:443 include/linux/atomic/atomic-instrumented.h:1781 kernel/locking/mutex.c:171 kernel/locking/mutex.c:285) 
[ 96.260143][ T36] ? __mutex_lock_slowpath (kernel/locking/mutex.c:282) 
[ 96.265275][ T36] ieee80211_sta_rx_queued_mgmt (net/mac80211/mlme.c:5694) mac80211
[ 96.272035][ T36] ? ieee80211_sta_rx_queued_ext (net/mac80211/mlme.c:5661) mac80211
[ 96.278906][ T36] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 96.284223][ T36] ? _raw_read_unlock_irqrestore (kernel/locking/spinlock.c:161) 
[ 96.289889][ T36] ieee80211_iface_work (include/linux/skbuff.h:1206 net/mac80211/iface.c:1853) mac80211
[ 96.295989][ T36] process_one_work (kernel/workqueue.c:2289) 
[ 96.300786][ T36] worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437) 
[ 96.305241][ T36] ? process_one_work (kernel/workqueue.c:2379) 
[ 96.310298][ T36] kthread (kernel/kthread.c:376) 
[ 96.314216][ T36] ? kthread_complete_and_exit (kernel/kthread.c:331) 
[ 96.319707][ T36] ret_from_fork (arch/x86/entry/entry_64.S:306) 
[   96.323985][   T36]  </TASK>
[   96.326859][   T36] ---[ end trace 0000000000000000 ]---


If you fix the issue, kindly add the following tags:
| Reported-by: kernel test robot <yujie.liu@...el.com>
| Link: https://lore.kernel.org/all/202210110943.6f16f1ea-yujie.liu@intel.com


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp directories to run from a clean state.


-- 
0-DAY CI Kernel Test Service
https://01.org/lkp

View attachment "config-6.0.0-rc2-00009-g54d9469bc515" of type "text/plain" (168354 bytes)

View attachment "job-script" of type "text/plain" (5672 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (177028 bytes)

View attachment "hwsim" of type "text/plain" (67294 bytes)

View attachment "job.yaml" of type "text/plain" (4775 bytes)

View attachment "reproduce" of type "text/plain" (3938 bytes)
