[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y8GB9DMtcSP/8e/i@x1-carbon>
Date: Fri, 13 Jan 2023 16:08:21 +0000
From: Niklas Cassel <Niklas.Cassel@....com>
To: Kees Cook <keescook@...omium.org>
CC: "linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>,
Miguel Ojeda <ojeda@...nel.org>,
Siddhesh Poyarekar <siddhesh@...plt.org>,
Arnd Bergmann <arnd@...db.de>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Nathan Chancellor <nathan@...nel.org>,
Tom Rix <trix@...hat.com>,
"llvm@...ts.linux.dev" <llvm@...ts.linux.dev>,
Juergen Gross <jgross@...e.com>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Damien Le Moal <damien.lemoal@...nsource.wdc.com>,
"linux-next@...r.kernel.org" <linux-next@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
Michael Chan <michael.chan@...adcom.com>
Subject: Re: linux-next - bnxt buffer overflow in strnlen
On Fri, Jan 13, 2023 at 04:59:19PM +0100, Niklas Cassel wrote:
> On Tue, Sep 20, 2022 at 12:22:02PM -0700, Kees Cook wrote:
> > Since the commits starting with c37495d6254c ("slab: add __alloc_size
> > attributes for better bounds checking"), the compilers have runtime
> > allocation size hints available in some places. This was immediately
> > available to CONFIG_UBSAN_BOUNDS, but CONFIG_FORTIFY_SOURCE needed
> > updating to explicitly make use the hints via the associated
> > __builtin_dynamic_object_size() helper. Detect and use the builtin when
> > it is available, increasing the accuracy of the mitigation. When runtime
> > sizes are not available, __builtin_dynamic_object_size() falls back to
> > __builtin_object_size(), leaving the existing bounds checking unchanged.
> >
> > Additionally update the VMALLOC_LINEAR_OVERFLOW LKDTM test to make the
> > hint invisible, otherwise the architectural defense is not exercised
> > (the buffer overflow is detected in the memset() rather than when it
> > crosses the edge of the allocation).
> >
> > Cc: Miguel Ojeda <ojeda@...nel.org>
> > Cc: Siddhesh Poyarekar <siddhesh@...plt.org>
> > Cc: Arnd Bergmann <arnd@...db.de>
> > Cc: Nick Desaulniers <ndesaulniers@...gle.com>
> > Cc: Nathan Chancellor <nathan@...nel.org>
> > Cc: Tom Rix <trix@...hat.com>
> > Cc: linux-hardening@...r.kernel.org
> > Cc: llvm@...ts.linux.dev
> > Signed-off-by: Kees Cook <keescook@...omium.org>
> > ---
>
> Hello Kees,
>
> Unfortunately, this commit introduces a crash in the bnxt
> ethernet driver when booting linux-next.
>
> I haven't looked at the code in the bnxt ethernet driver,
> I simply know that machine boots fine on v6.2.0-rc3,
> but fails to boot with linux-next.
>
> So I started an automatic git bisect, which returned:
> 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available")
>
> $ grep CC_VERSION .config
> CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.2.1 20221121 (Red Hat 12.2.1-4)"
> CONFIG_GCC_VERSION=120201
>
> $ grep FORTIFY .config
> CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
> CONFIG_FORTIFY_SOURCE=y
>
>
> dmesg output:
>
> <0>[ 10.805253] detected buffer overflow in strnlen
> <4>[ 10.810683] ------------[ cut here ]------------
> <2>[ 10.816035] kernel BUG at lib/string_helpers.c:1027!
> <4>[ 10.821753] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
> <4>[ 10.822737] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc3-next-20230112+ #4
> <4>[ 10.834787] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.4 04/14/2022
> <4>[ 10.839875] RIP: 0010:fortify_panic+0xf/0x11
> <4>[ 10.844962] Code: e0 e8 da 83 0a ff e9 31 45 6d ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 89 fe 48 c7 c7 78 69 d6 9f e8 01 ea fc ff <0f> 0b 48 8b 4c 24 18 48 8b 54 24 10 4c 8d 44 24 25 48 c7 c7 b6 69
> <4>[ 10.865321] RSP: 0018:ffffb547c005bb98 EFLAGS: 00010246
> <4>[ 10.870406] RAX: 0000000000000023 RBX: ffff94f0582bc400 RCX: 0000000000000000
> <4>[ 10.880584] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff
> <4>[ 10.885672] RBP: ffff94f0582bc424 R08: 0000000000000000 R09: ffffb547c005ba60
> <4>[ 10.895849] R10: 0000000000000003 R11: ffffffffa0182448 R12: 696c66666f282074
> <4>[ 10.900937] R13: 736574206b636162 R14: 0000000000000001 R15: ffff94f0545f8b40
> <4>[ 10.911113] FS: 0000000000000000(0000) GS:ffff950f07380000(0000) knlGS:0000000000000000
> <4>[ 10.916201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> <4>[ 10.926382] CR2: 0000000000000000 CR3: 000000204c05a000 CR4: 0000000000350ee0
> <4>[ 10.931470] Call Trace:
> <6>[ 10.936317] ata9: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.936745] <TASK>
> <4>[ 10.936745] bnxt_ethtool_init.cold+0x18/0x18
> <4>[ 10.936745] ? dma_pool_free+0x14d/0x160
> <6>[ 10.942591] ata10: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.942663] bnxt_fw_init_one_p2+0x18d/0x5e0
> <6>[ 10.949046] ata4: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.949841] bnxt_init_one+0x401/0xf10
> <6>[ 10.958451] ata6: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.958854] local_pci_probe+0x41/0x80
> <6>[ 10.968114] ata3: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.968892] pci_device_probe+0x1e2/0x210
> <6>[ 10.977259] ata8: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.977657] really_probe+0xde/0x380
> <6>[ 10.986406] ata5: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.986817] ? pm_runtime_barrier+0x50/0x90
> <4>[ 10.986817] __driver_probe_device+0x78/0x170
> <6>[ 10.996042] ata7: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.996978] driver_probe_device+0x1f/0x90
> <4>[ 10.996978] __driver_attach+0xd2/0x1c0
> <4>[ 10.996978] ? __pfx___driver_attach+0x10/0x10
> <4>[ 10.996978] bus_for_each_dev+0x65/0x90
> <4>[ 11.047368] bus_add_driver+0x1b1/0x200
> <4>[ 11.052640] driver_register+0x89/0xe0
> <4>[ 11.057487] ? __pfx_bnxt_init+0x10/0x10
> <4>[ 11.061634] bnxt_init+0x20/0x33
> <4>[ 11.065015] do_one_initcall+0x5b/0x340
> <4>[ 11.070105] ? rcu_read_lock_sched_held+0x3f/0x80
> <4>[ 11.075198] kernel_init_freeable+0x29e/0x2ee
> <4>[ 11.080635] ? __pfx_kernel_init+0x10/0x10
> <4>[ 11.085379] kernel_init+0x16/0x140
> <6>[ 11.087743] ata16: SATA link down (SStatus 0 SControl 300)
> <4>[ 11.086528] ret_from_fork+0x2c/0x50
> <4>[ 11.086528] </TASK>
> <6>[ 11.094437] ata17: SATA link down (SStatus 0 SControl 300)
> <4>[ 11.094645] Modules linked in:
> <4>[ 11.097999] ---[ end trace 0000000000000000 ]---
> <6>[ 11.100194] ata18: SATA link down (SStatus 0 SControl 300)
>
>
> Kind regards,
> Niklas
+netdev
+bnxt maintainers
Powered by blists - more mailing lists