Date:   Mon, 26 Dec 2022 14:43:59 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Mika Westerberg <mika.westerberg@...ux.intel.com>
CC:     <oe-lkp@...ts.linux.dev>, <lkp@...el.com>,
        Mark Brown <broonie@...nel.org>,
        <linux-kernel@...r.kernel.org>, <linux-spi@...r.kernel.org>
Subject: [linus:master] [spi]  ec4a04aa69:
 UBSAN:shift-out-of-bounds_in_drivers/mtd/spi-nor/core.c


Greetings,

FYI, we noticed UBSAN:shift-out-of-bounds_in_drivers/mtd/spi-nor/core.c due to commit (built with gcc-11):

commit: ec4a04aa6962fff3cfa63d70536537844f7446d2 ("spi: intel: Add support for SFDP opcode")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

[test failed on linux-next/master e45fb347b630ee76482fe938ba76cf8eab811290]

in testcase: kvm-unit-tests-qemu
version: kvm-unit-tests-x86_64-7cefda5-1_20221216
with the following parameters:




on test machine: 128 threads 2 sockets Intel(R) Xeon(R) Platinum 8358 CPU @ 2.60GHz (Ice Lake) with 128G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


If you fix the issue, kindly add the following tag
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Link: https://lore.kernel.org/oe-lkp/202212261304.c2377336-oliver.sang@intel.com


[   76.766463][ T1460] UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:1999:24
[   76.776077][ T1460] shift exponent 4294967295 is too large for 32-bit type 'int'
[   76.783515][ T1460] CPU: 47 PID: 1460 Comm: systemd-udevd Not tainted 6.1.0-rc4-00063-gec4a04aa6962 #1
[   76.792863][ T1460] Call Trace:
[   76.796026][ T1460]  <TASK>
[ 76.798848][ T1460] dump_stack_lvl (??:?) 
[ 76.803235][ T1460] ubsan_epilogue (ubsan.c:?) 
[ 76.807531][ T1460] __ubsan_handle_shift_out_of_bounds.cold (ubsan.c:?) 
[ 76.814104][ T1460] spi_nor_set_erase_type.cold (core.c:?) spi_nor
[ 76.820496][ T1460] spi_nor_parse_4bait (sfdp.c:?) spi_nor
[ 76.826375][ T1460] ? spi_nor_read_sfdp (sfdp.c:?) spi_nor
[ 76.832162][ T1460] spi_nor_parse_sfdp (??:?) spi_nor
[ 76.837955][ T1460] ? mark_lock+0xcc/0x13c0 
[ 76.842869][ T1460] ? spi_nor_parse_bfpt (??:?) spi_nor
[ 76.848997][ T1460] ? check_prev_add (lockdep.c:?) 
[ 76.853901][ T1460] ? spi_nor_scan (??:?) spi_nor
[ 76.859337][ T1460] ? spi_nor_probe (core.c:?) spi_nor
[ 76.864858][ T1460] ? spi_probe (spi.c:?) 
[ 76.869071][ T1460] ? really_probe (dd.c:?) 
[ 76.873633][ T1460] ? __driver_probe_device (dd.c:?) 
[ 76.878980][ T1460] spi_nor_sfdp_init_params_deprecated (core.c:?) spi_nor
[   76.886158][ T1460]  ? 0xffffffffb3783000
[ 76.890236][ T1460] ? spi_nor_region_next (??:?) spi_nor
[ 76.896101][ T1460] ? spi_nor_write_16bit_sr_and_check (??:?) spi_nor
[ 76.903277][ T1460] ? _raw_spin_unlock_irqrestore (??:?) 
[ 76.908960][ T1460] ? trace_hardirqs_on (??:?) 
[ 76.913866][ T1460] ? _raw_spin_unlock_irqrestore (??:?) 
[ 76.919555][ T1460] ? devm_kmalloc (??:?) 
[ 76.924113][ T1460] spi_nor_init_params (core.c:?) spi_nor
[ 76.929992][ T1460] spi_nor_scan (??:?) spi_nor
[ 76.935256][ T1460] ? _raw_spin_unlock_irqrestore (??:?) 
[ 76.940945][ T1460] ? _raw_spin_unlock_irqrestore (??:?) 
[ 76.946628][ T1460] ? devm_kmalloc (??:?) 
[ 76.951199][ T1460] spi_nor_probe (core.c:?) spi_nor
[ 76.956554][ T1460] ? spi_nor_scan (core.c:?) spi_nor
[ 76.961993][ T1460] ? lockdep_hardirqs_on_prepare (lockdep.c:?) 
[ 76.968461][ T1460] ? _raw_spin_unlock_irqrestore (??:?) 
[ 76.974144][ T1460] ? trace_hardirqs_on (??:?) 
[ 76.979047][ T1460] ? _raw_spin_unlock_irqrestore (??:?) 
[ 76.984736][ T1460] ? devm_kmalloc (??:?) 
[ 76.989298][ T1460] spi_probe (spi.c:?) 
[ 76.993335][ T1460] really_probe (dd.c:?) 
[ 76.997728][ T1460] __driver_probe_device (dd.c:?) 
[   77.000074][   T15] [drm] Initialized ast 0.1.0 20120228 for 0000:02:00.0 on minor 0
[ 77.002873][ T1460] ? lockdep_hardirqs_on_prepare (lockdep.c:?) 
[ 77.002884][ T1460] driver_probe_device (dd.c:?) 
[ 77.022131][ T1460] __driver_attach (dd.c:?) 
[ 77.022139][ T1460] ? __device_attach_driver (dd.c:?) 
[ 77.022148][ T1460] bus_for_each_dev (??:?) 
[ 77.022153][ T1460] ? lockdep_init_map_type (??:?) 
[ 77.022160][ T1460] ? subsys_dev_iter_exit (??:?) 
[ 77.022172][ T1460] ? bus_add_driver (??:?) 
[ 77.022197][ T1460] bus_add_driver (??:?) 
[   77.022201][   T15] fbcon: astdrmfb (fb0) is primary device
[ 77.022208][ T1460] driver_register (??:?) 
[   77.022219][ T1460]  ? 0xffffffffa04f4000
[ 77.022225][ T1460] do_one_initcall (??:?) 
LKP: ttyS0: 1563[ 77.022234][ T1460] ? trace_event_raw_event_initcall_level (??:?) 
[ 77.022243][ T1460] ? __kmem_cache_alloc_node (??:?) 
[ 77.022256][ T1460] ? kasan_unpoison (??:?) 
: Kernel tests: [ 77.022267][ T1460] do_init_module (main.c:?) 
Boot OK!
[ 77.022284][ T1460] load_module (main.c:?) 
[ 77.022299][ T1460] ? post_relocation (main.c:?) 
[ 77.022311][ T1460] ? __x64_sys_fspick (??:?) 
[ 77.022317][ T1460] ? __lock_release (lockdep.c:?) 
[ 77.022337][ T1460] ? __do_sys_finit_module (main.c:?) 
[ 77.022342][ T1460] __do_sys_finit_module (main.c:?) 
[ 77.022348][ T1460] ? __ia32_sys_init_module (main.c:?) 
[ 77.022384][ T1460] do_syscall_64 (??:?) 
[ 77.022390][ T1460] ? do_syscall_64 (??:?) 
[ 77.022397][ T1460] ? syscall_exit_to_user_mode (??:?) 
[ 77.022407][ T1460] ? lockdep_hardirqs_on_prepare (lockdep.c:?) 
[ 77.022414][ T1460] ? do_syscall_64 (??:?) 
LKP: ttyS0: 1563[ 77.022418][ T1460] ? do_syscall_64 (??:?) 
: HOSTNAME lkp-i[ 77.022423][ T1460] ? lockdep_hardirqs_on_prepare (lockdep.c:?) 
cl-2sp4, MAC b4:[ 77.022430][ T1460] entry_SYSCALL_64_after_hwframe (??:?) 
96:91:a7:0e:44, [   77.022434][ T1460] RIP: 0033:0x7f7efff4b9b9
kernel 6.1.0-rc4[ 77.022439][ T1460] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a7 54 0c 00 f7 d8 64 89 01 48
All code
========
   0:	00 c3                	add    %al,%bl
   2:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   9:	00 00 00 
   c:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq   
  33:	48 8b 0d a7 54 0c 00 	mov    0xc54a7(%rip),%rcx        # 0xc54e1
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq   
   9:	48 8b 0d a7 54 0c 00 	mov    0xc54a7(%rip),%rcx        # 0xc54b7
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp dirs to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests



View attachment "config-6.1.0-rc4-00063-gec4a04aa6962" of type "text/plain" (217517 bytes)

View attachment "job-script" of type "text/plain" (6239 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (104188 bytes)

View attachment "kvm-unit-tests-qemu" of type "text/plain" (233420 bytes)

View attachment "job.yaml" of type "text/plain" (5281 bytes)

View attachment "reproduce" of type "text/plain" (150 bytes)
