lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 26 Mar 2024 13:40:57 +0100
From: Paul Menzel <pmenzel@...gen.mpg.de>
To: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
 Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...nel.org>,
 Ingo Molnar <mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>,
 x86@...nel.org
Cc: LKML <linux-kernel@...r.kernel.org>, Marco Elver <elver@...gle.com>,
 kasan-dev@...glegroups.com
Subject: Unpatched return thunk in use. This should not happen!

Dear Linux folks,


On a Dell XPS 13 9360/0596KF, BIOS 2.21.0 06/02/2022, Linux 6.9-rc1+ 
built with

      CONFIG_KCSAN=y

and `KCSAN_EARLY_ENABLE` *not* selected shows the warning below.

     $ git log --no-decorate --oneline -1
     928a87efa423 Merge tag 'gfs2-v6.8-fix' of 
git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2

### First try

(Sorry, I didn’t save the direct output of `dmesg` the first time.)

```
$ journalctl -o short-monotonic -b -1 _TRANSPORT=kernel
[…]
[    1.695447] abreu kernel: ------------[ cut here ]------------
[    1.695463] abreu kernel: Unpatched return thunk in use. This should 
not happen!
[    1.695472] abreu kernel: WARNING: CPU: 2 PID: 89 at 
arch/x86/kernel/cpu/bugs.c:2935 __warn_thunk+0x42/0x50
[    1.695489] abreu kernel: Modules linked in: cryptd(+)
[    1.695501] abreu kernel: CPU: 2 PID: 89 Comm: modprobe Not tainted 
6.9.0-rc1+ #77
[    1.695512] abreu kernel: Hardware name: Dell Inc. XPS 13 
9360/0596KF, BIOS 2.21.0 06/02/2022
[    1.695518] abreu kernel: RIP: 0010:__warn_thunk+0x42/0x50
[    1.695530] abreu kernel: Code: 05 da 01 00 74 05 c3 cc cc cc cc 48 
c7 c7 7d f4 60 9c e8 51 5b 37 00 48 c7 c7 a0 1b 2a 9c c6 05 60 05 da 01 
01 e8 5e 38 08 00 <0f> 0b c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90>
[    1.695539] abreu kernel: RSP: 0018:ffffabd5c0543a50 EFLAGS: 00010286
[    1.695549] abreu kernel: RAX: 0000000000000000 RBX: ffffffffc05222c0 
RCX: 0001ffffffffffff
[    1.695556] abreu kernel: RDX: ffff99f100e4b480 RSI: 0000000000000004 
RDI: ffffffff9c4ca398
[    1.695563] abreu kernel: RBP: ffffabd5c0543aa0 R08: ffffffff9d2ce8c8 
R09: 0000000000000000
[    1.695570] abreu kernel: R10: 0001ffff9c4ca398 R11: ffffffff9a9af821 
R12: ffff99f1038d7560
[    1.695577] abreu kernel: R13: ffffffffc0522770 R14: ffffffffc0522768 
R15: ffffffffc052c008
[    1.695584] abreu kernel: FS:  00007ff3d9264040(0000) 
GS:ffff99f46f100000(0000) knlGS:0000000000000000
[    1.695593] abreu kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
[    1.695601] abreu kernel: CR2: 00007ff3d9341170 CR3: 0000000101838004 
CR4: 00000000003706f0
[    1.695608] abreu kernel: Call Trace:
[    1.695613] abreu kernel:  <TASK>
[    1.695626] abreu kernel:  ? __warn+0xaf/0x1c0
[    1.695636] abreu kernel:  ? __warn_thunk+0x42/0x50
[    1.695648] abreu kernel:  ? report_bug+0x1d6/0x200
[    1.695662] abreu kernel:  ? handle_bug+0x3c/0x80
[    1.695672] abreu kernel:  ? exc_invalid_op+0x17/0x70
[    1.695682] abreu kernel:  ? asm_exc_invalid_op+0x1a/0x20
[    1.695696] abreu kernel:  ? __wake_up_klogd.part.0+0x21/0x80
[    1.695713] abreu kernel:  ? __warn_thunk+0x42/0x50
[    1.695724] abreu kernel:  warn_thunk_thunk+0x1a/0x30
[    1.695735] abreu kernel:  ? do_init_module+0xf2/0x360
[    1.695750] abreu kernel:  ? _sub_I_00099_0+0x20/0x20 [cryptd]
[    1.695801] abreu kernel:  do_init_module+0xf7/0x360
[    1.695817] abreu kernel:  load_module+0x35f2/0x37d0
[    1.695851] abreu kernel:  ? init_module_from_file+0xca/0x130
[    1.695866] abreu kernel:  init_module_from_file+0xca/0x130
[    1.695888] abreu kernel:  idempotent_init_module+0x1b0/0x3d0
[    1.695907] abreu kernel:  __x64_sys_finit_module+0x88/0xe0
[    1.695923] abreu kernel:  do_syscall_64+0x85/0x1a0
[    1.695936] abreu kernel:  ? do_syscall_64+0x94/0x1a0
[    1.695950] abreu kernel:  ? fpregs_assert_state_consistent+0x7e/0x90
[    1.695968] abreu kernel:  ? 
arch_exit_to_user_mode_prepare.isra.0+0x69/0xa0
[    1.695980] abreu kernel:  ? syscall_exit_to_user_mode+0x40/0xe0
[    1.695996] abreu kernel:  ? do_syscall_64+0x94/0x1a0
[    1.696009] abreu kernel:  ? irqentry_exit_to_user_mode+0x36/0xd0
[    1.696020] abreu kernel:  entry_SYSCALL_64_after_hwframe+0x6c/0x74
[    1.696032] abreu kernel: RIP: 0033:0x7ff3d9366059
[    1.696039] abreu kernel: Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 
00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 
8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00>
[    1.696048] abreu kernel: RSP: 002b:00007ffe37361958 EFLAGS: 00000246 
ORIG_RAX: 0000000000000139
[    1.696059] abreu kernel: RAX: ffffffffffffffda RBX: 0000555d44f65b40 
RCX: 00007ff3d9366059
[    1.696066] abreu kernel: RDX: 0000000000000000 RSI: 0000555d239659a6 
RDI: 0000000000000000
[    1.696073] abreu kernel: RBP: 0000000000000000 R08: 0000000000000060 
R09: 0000555d44f671f0
[    1.696080] abreu kernel: R10: 0000000000000038 R11: 0000000000000246 
R12: 0000555d239659a6
[    1.696087] abreu kernel: R13: 0000000000040000 R14: 0000555d44f65f30 
R15: 0000000000000000
[    1.696101] abreu kernel:  </TASK>
[    1.696106] abreu kernel: ---[ end trace 0000000000000000 ]---
```

```
$ ./scripts/decodecode < first_boot.txt
[ 1.696039] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 
89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 
<48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48
All code
========
     0:   08 89 e8 5b 5d c3       or     %cl,-0x3ca2a418(%rcx)
     6:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
     d:   00 00 00
    10:   90                      nop
    11:   48 89 f8                mov    %rdi,%rax
    14:   48 89 f7                mov    %rsi,%rdi
    17:   48 89 d6                mov    %rdx,%rsi
    1a:   48 89 ca                mov    %rcx,%rdx
    1d:   4d 89 c2                mov    %r8,%r10
    20:   4d 89 c8                mov    %r9,%r8
    23:   4c 8b 4c 24 08          mov    0x8(%rsp),%r9
    28:   0f 05                   syscall
    2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax <-- 
trapping instruction
    30:   73 01                   jae    0x33
    32:   c3                      ret
    33:   48 8b 0d 8f 1d 0d 00    mov    0xd1d8f(%rip),%rcx        # 0xd1dc9
    3a:   f7 d8                   neg    %eax
    3c:   64 89 01                mov    %eax,%fs:(%rcx)
    3f:   48                      rex.W

Code starting with the faulting instruction
===========================================
     0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
     6:   73 01                   jae    0x9
     8:   c3                      ret
     9:   48 8b 0d 8f 1d 0d 00    mov    0xd1d8f(%rip),%rcx        # 0xd1d9f
    10:   f7 d8                   neg    %eax
    12:   64 89 01                mov    %eax,%fs:(%rcx)
    15:   48                      rex.W
```

### Second try

The Code line is a little different:

````
[    1.685474] ------------[ cut here ]------------
[    1.685482] Unpatched return thunk in use. This should not happen!
[    1.685498] WARNING: CPU: 1 PID: 88 at 
arch/x86/kernel/cpu/bugs.c:2935 __warn_thunk+0x42/0x50
[    1.685515] Modules linked in: cryptd(+)
[    1.685527] CPU: 1 PID: 88 Comm: modprobe Not tainted 6.9.0-rc1+ #77
[    1.685537] Hardware name: Dell Inc. XPS 13 9360/0596KF, BIOS 2.21.0 
06/02/2022
[    1.685544] RIP: 0010:__warn_thunk+0x42/0x50
[    1.685555] Code: 05 da 01 00 74 05 c3 cc cc cc cc 48 c7 c7 7d f4 20 
9b e8 51 5b 37 00 48 c7 c7 a0 1b ea 9a c6 05 60 05 da 01 01 e8 5e 38 08 
00 <0f> 0b c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90
[    1.685565] RSP: 0018:ffffb6a6c054bac0 EFLAGS: 00010282
[    1.685574] RAX: 0000000000000000 RBX: ffffffffc04692c0 RCX: 
0001ffffffffffff
[    1.685582] RDX: ffff996b43028000 RSI: 0000000000000004 RDI: 
ffffffff9b0ca398
[    1.685589] RBP: ffffb6a6c054bb10 R08: ffffffff9bece8c8 R09: 
0000000000000000
[    1.685596] R10: 0001ffff9b0ca398 R11: ffffffff995af821 R12: 
ffff996b4670d4a0
[    1.685603] R13: ffffffffc0469770 R14: ffffffffc0469768 R15: 
ffffffffc0473008
[    1.685610] FS:  00007f8cee712040(0000) GS:ffff996eaf080000(0000) 
knlGS:0000000000000000
[    1.685618] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    1.685626] CR2: 00007ffda89fcb28 CR3: 00000001013f2004 CR4: 
00000000003706f0
[    1.685633] Call Trace:
[    1.685638]  <TASK>
[    1.685644]  ? __warn+0xaf/0x1c0
[    1.685655]  ? __warn_thunk+0x42/0x50
[    1.685667]  ? report_bug+0x1d6/0x200
[    1.685680]  ? handle_bug+0x3c/0x80
[    1.685690]  ? exc_invalid_op+0x17/0x70
[    1.685700]  ? asm_exc_invalid_op+0x1a/0x20
[    1.685714]  ? __wake_up_klogd.part.0+0x21/0x80
[    1.685731]  ? __warn_thunk+0x42/0x50
[    1.685742]  warn_thunk_thunk+0x1a/0x30
[    1.685752]  ? do_init_module+0xf2/0x360
[    1.685767]  ? _sub_I_00099_0+0x20/0x20 [cryptd]
[    1.685818]  do_init_module+0xf7/0x360
[    1.685835]  load_module+0x35f2/0x37d0
[    1.685868]  ? init_module_from_file+0xca/0x130
[    1.685883]  init_module_from_file+0xca/0x130
[    1.685905]  idempotent_init_module+0x1b0/0x3d0
[    1.685924]  __x64_sys_finit_module+0x88/0xe0
[    1.685940]  do_syscall_64+0x85/0x1a0
[    1.685953]  ? do_syscall_64+0x94/0x1a0
[    1.685965]  ? do_syscall_64+0x94/0x1a0
[    1.685978]  ? arch_exit_to_user_mode_prepare.isra.0+0x69/0xa0
[    1.685990]  ? irqentry_exit_to_user_mode+0x36/0xd0
[    1.686006]  entry_SYSCALL_64_after_hwframe+0x6c/0x74
[    1.686017] RIP: 0033:0x7f8cee814059
[    1.686025] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 
48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48
[    1.686034] RSP: 002b:00007ffda89ffae8 EFLAGS: 00000246 ORIG_RAX: 
0000000000000139
[    1.686045] RAX: ffffffffffffffda RBX: 000055ec481f3b40 RCX: 
00007f8cee814059
[    1.686052] RDX: 0000000000000000 RSI: 000055ec13d9d9a6 RDI: 
0000000000000000
[    1.686059] RBP: 0000000000000000 R08: 0000000000000060 R09: 
000055ec481f51f0
[    1.686066] R10: 0000000000000038 R11: 0000000000000246 R12: 
000055ec13d9d9a6
[    1.686073] R13: 0000000000040000 R14: 000055ec481f3f30 R15: 
0000000000000000
[    1.686087]  </TASK>
[    1.686091] ---[ end trace 0000000000000000 ]---
```

```
$ ./scripts/decodecode < second_try.txt
Code: 05 da 01 00 74 05 c3 cc cc cc cc 48 c7 c7 7d f4 20 9b e8 51 5b 37 
00 48 c7 c7 a0 1b ea 9a c6 05 60 05 da 01 01 e8 5e 38 08 00 <0f> 0b c3 
cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90
All code
========
    0:   05 da 01 00 74          add    $0x740001da,%eax
    5:   05 c3 cc cc cc          add    $0xccccccc3,%eax
    a:   cc                      int3
    b:   48 c7 c7 7d f4 20 9b    mov    $0xffffffff9b20f47d,%rdi
   12:   e8 51 5b 37 00          call   0x375b68
   17:   48 c7 c7 a0 1b ea 9a    mov    $0xffffffff9aea1ba0,%rdi
   1e:   c6 05 60 05 da 01 01    movb   $0x1,0x1da0560(%rip)        # 
0x1da0585
   25:   e8 5e 38 08 00          call   0x83888
   2a:*  0f 0b                   ud2             <-- trapping instruction
   2c:   c3                      ret
   2d:   cc                      int3
   2e:   cc                      int3
   2f:   cc                      int3
   30:   cc                      int3
   31:   0f 1f 80 00 00 00 00    nopl   0x0(%rax)
   38:   90                      nop
   39:   90                      nop
   3a:   90                      nop
   3b:   90                      nop
   3c:   90                      nop
   3d:   90                      nop
   3e:   90                      nop
   3f:   90                      nop

Code starting with the faulting instruction
===========================================
    0:   0f 0b                   ud2
    2:   c3                      ret
    3:   cc                      int3
    4:   cc                      int3
    5:   cc                      int3
    6:   cc                      int3
    7:   0f 1f 80 00 00 00 00    nopl   0x0(%rax)
    e:   90                      nop
    f:   90                      nop
   10:   90                      nop
   11:   90                      nop
   12:   90                      nop
   13:   90                      nop
   14:   90                      nop
   15:   90                      nop
```

Please find the full Linux messages of the second try attached.

The problem does not happen with QEMU emulator version 8.2.2 (Debian 
1:8.2.2+ds-2) with machine *q35*.


Kind regards,

Paul
View attachment "config-6.9.0-rc1+" of type "text/plain" (201540 bytes)

View attachment "20240326--dell-xps-13-9360--linux-6.9-rc1+--messages.txt" of type "text/plain" (91648 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ