[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y8F/1w1AZTvLglFX@x1-carbon>
Date: Fri, 13 Jan 2023 15:59:21 +0000
From: Niklas Cassel <Niklas.Cassel@....com>
To: Kees Cook <keescook@...omium.org>
CC: "linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>,
Miguel Ojeda <ojeda@...nel.org>,
Siddhesh Poyarekar <siddhesh@...plt.org>,
Arnd Bergmann <arnd@...db.de>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Nathan Chancellor <nathan@...nel.org>,
Tom Rix <trix@...hat.com>,
"llvm@...ts.linux.dev" <llvm@...ts.linux.dev>,
Juergen Gross <jgross@...e.com>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Damien Le Moal <damien.lemoal@...nsource.wdc.com>,
"linux-next@...r.kernel.org" <linux-next@...r.kernel.org>
Subject: linux-next - bxnt buffer overflow in strnlen
On Tue, Sep 20, 2022 at 12:22:02PM -0700, Kees Cook wrote:
> Since the commits starting with c37495d6254c ("slab: add __alloc_size
> attributes for better bounds checking"), the compilers have runtime
> allocation size hints available in some places. This was immediately
> available to CONFIG_UBSAN_BOUNDS, but CONFIG_FORTIFY_SOURCE needed
> updating to explicitly make use the hints via the associated
> __builtin_dynamic_object_size() helper. Detect and use the builtin when
> it is available, increasing the accuracy of the mitigation. When runtime
> sizes are not available, __builtin_dynamic_object_size() falls back to
> __builtin_object_size(), leaving the existing bounds checking unchanged.
>
> Additionally update the VMALLOC_LINEAR_OVERFLOW LKDTM test to make the
> hint invisible, otherwise the architectural defense is not exercised
> (the buffer overflow is detected in the memset() rather than when it
> crosses the edge of the allocation).
>
> Cc: Miguel Ojeda <ojeda@...nel.org>
> Cc: Siddhesh Poyarekar <siddhesh@...plt.org>
> Cc: Arnd Bergmann <arnd@...db.de>
> Cc: Nick Desaulniers <ndesaulniers@...gle.com>
> Cc: Nathan Chancellor <nathan@...nel.org>
> Cc: Tom Rix <trix@...hat.com>
> Cc: linux-hardening@...r.kernel.org
> Cc: llvm@...ts.linux.dev
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
Hello Kees,
Unfortunately, this commit introduces a crash in the bxnt
ethernet driver when booting linux-next.
I haven't looked at the code in the bxnt ethernet driver,
I simply know that machine boots fine on v6.2.0-rc3,
but fails to boot with linux-next.
So I started an automatic git bisect, which returned:
439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available")
$ grep CC_VERSION .config
CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.2.1 20221121 (Red Hat 12.2.1-4)"
CONFIG_GCC_VERSION=120201
$ grep FORTIFY .config
CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
CONFIG_FORTIFY_SOURCE=y
dmesg output:
<0>[ 10.805253] detected buffer overflow in strnlen
<4>[ 10.810683] ------------[ cut here ]------------
<2>[ 10.816035] kernel BUG at lib/string_helpers.c:1027!
<4>[ 10.821753] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 10.822737] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc3-next-20230112+ #4
<4>[ 10.834787] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.4 04/14/2022
<4>[ 10.839875] RIP: 0010:fortify_panic+0xf/0x11
<4>[ 10.844962] Code: e0 e8 da 83 0a ff e9 31 45 6d ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 89 fe 48 c7 c7 78 69 d6 9f e8 01 ea fc ff <0f> 0b 48 8b 4c 24 18 48 8b 54 24 10 4c 8d 44 24 25 48 c7 c7 b6 69
<4>[ 10.865321] RSP: 0018:ffffb547c005bb98 EFLAGS: 00010246
<4>[ 10.870406] RAX: 0000000000000023 RBX: ffff94f0582bc400 RCX: 0000000000000000
<4>[ 10.880584] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff
<4>[ 10.885672] RBP: ffff94f0582bc424 R08: 0000000000000000 R09: ffffb547c005ba60
<4>[ 10.895849] R10: 0000000000000003 R11: ffffffffa0182448 R12: 696c66666f282074
<4>[ 10.900937] R13: 736574206b636162 R14: 0000000000000001 R15: ffff94f0545f8b40
<4>[ 10.911113] FS: 0000000000000000(0000) GS:ffff950f07380000(0000) knlGS:0000000000000000
<4>[ 10.916201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 10.926382] CR2: 0000000000000000 CR3: 000000204c05a000 CR4: 0000000000350ee0
<4>[ 10.931470] Call Trace:
<6>[ 10.936317] ata9: SATA link down (SStatus 0 SControl 300)
<4>[ 10.936745] <TASK>
<4>[ 10.936745] bnxt_ethtool_init.cold+0x18/0x18
<4>[ 10.936745] ? dma_pool_free+0x14d/0x160
<6>[ 10.942591] ata10: SATA link down (SStatus 0 SControl 300)
<4>[ 10.942663] bnxt_fw_init_one_p2+0x18d/0x5e0
<6>[ 10.949046] ata4: SATA link down (SStatus 0 SControl 300)
<4>[ 10.949841] bnxt_init_one+0x401/0xf10
<6>[ 10.958451] ata6: SATA link down (SStatus 0 SControl 300)
<4>[ 10.958854] local_pci_probe+0x41/0x80
<6>[ 10.968114] ata3: SATA link down (SStatus 0 SControl 300)
<4>[ 10.968892] pci_device_probe+0x1e2/0x210
<6>[ 10.977259] ata8: SATA link down (SStatus 0 SControl 300)
<4>[ 10.977657] really_probe+0xde/0x380
<6>[ 10.986406] ata5: SATA link down (SStatus 0 SControl 300)
<4>[ 10.986817] ? pm_runtime_barrier+0x50/0x90
<4>[ 10.986817] __driver_probe_device+0x78/0x170
<6>[ 10.996042] ata7: SATA link down (SStatus 0 SControl 300)
<4>[ 10.996978] driver_probe_device+0x1f/0x90
<4>[ 10.996978] __driver_attach+0xd2/0x1c0
<4>[ 10.996978] ? __pfx___driver_attach+0x10/0x10
<4>[ 10.996978] bus_for_each_dev+0x65/0x90
<4>[ 11.047368] bus_add_driver+0x1b1/0x200
<4>[ 11.052640] driver_register+0x89/0xe0
<4>[ 11.057487] ? __pfx_bnxt_init+0x10/0x10
<4>[ 11.061634] bnxt_init+0x20/0x33
<4>[ 11.065015] do_one_initcall+0x5b/0x340
<4>[ 11.070105] ? rcu_read_lock_sched_held+0x3f/0x80
<4>[ 11.075198] kernel_init_freeable+0x29e/0x2ee
<4>[ 11.080635] ? __pfx_kernel_init+0x10/0x10
<4>[ 11.085379] kernel_init+0x16/0x140
<6>[ 11.087743] ata16: SATA link down (SStatus 0 SControl 300)
<4>[ 11.086528] ret_from_fork+0x2c/0x50
<4>[ 11.086528] </TASK>
<6>[ 11.094437] ata17: SATA link down (SStatus 0 SControl 300)
<4>[ 11.094645] Modules linked in:
<4>[ 11.097999] ---[ end trace 0000000000000000 ]---
<6>[ 11.100194] ata18: SATA link down (SStatus 0 SControl 300)
Kind regards,
Niklas
Powered by blists - more mailing lists