Message-ID: <0851a207-7143-417e-be31-8bf2b3afb57d@molgen.mpg.de>
Date: Tue, 26 Mar 2024 13:40:57 +0100
From: Paul Menzel <pmenzel@...gen.mpg.de>
To: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...nel.org>,
Ingo Molnar <mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>,
x86@...nel.org
Cc: LKML <linux-kernel@...r.kernel.org>, Marco Elver <elver@...gle.com>,
kasan-dev@...glegroups.com
Subject: Unpatched return thunk in use. This should not happen!
Dear Linux folks,

On a Dell XPS 13 9360/0596KF, BIOS 2.21.0 06/02/2022, Linux 6.9-rc1+ built with `CONFIG_KCSAN=y` and `KCSAN_EARLY_ENABLE` *not* selected shows the warning below.

```
$ git log --no-decorate --oneline -1
928a87efa423 Merge tag 'gfs2-v6.8-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2
```
### First try
(Sorry, I didn’t save the direct output of `dmesg` the first time.)
```
$ journalctl -o short-monotonic -b -1 _TRANSPORT=kernel
[…]
[    1.695447] abreu kernel: ------------[ cut here ]------------
[    1.695463] abreu kernel: Unpatched return thunk in use. This should not happen!
[    1.695472] abreu kernel: WARNING: CPU: 2 PID: 89 at arch/x86/kernel/cpu/bugs.c:2935 __warn_thunk+0x42/0x50
[    1.695489] abreu kernel: Modules linked in: cryptd(+)
[    1.695501] abreu kernel: CPU: 2 PID: 89 Comm: modprobe Not tainted 6.9.0-rc1+ #77
[    1.695512] abreu kernel: Hardware name: Dell Inc. XPS 13 9360/0596KF, BIOS 2.21.0 06/02/2022
[    1.695518] abreu kernel: RIP: 0010:__warn_thunk+0x42/0x50
[    1.695530] abreu kernel: Code: 05 da 01 00 74 05 c3 cc cc cc cc 48 c7 c7 7d f4 60 9c e8 51 5b 37 00 48 c7 c7 a0 1b 2a 9c c6 05 60 05 da 01 01 e8 5e 38 08 00 <0f> 0b c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90>
[    1.695539] abreu kernel: RSP: 0018:ffffabd5c0543a50 EFLAGS: 00010286
[    1.695549] abreu kernel: RAX: 0000000000000000 RBX: ffffffffc05222c0 RCX: 0001ffffffffffff
[    1.695556] abreu kernel: RDX: ffff99f100e4b480 RSI: 0000000000000004 RDI: ffffffff9c4ca398
[    1.695563] abreu kernel: RBP: ffffabd5c0543aa0 R08: ffffffff9d2ce8c8 R09: 0000000000000000
[    1.695570] abreu kernel: R10: 0001ffff9c4ca398 R11: ffffffff9a9af821 R12: ffff99f1038d7560
[    1.695577] abreu kernel: R13: ffffffffc0522770 R14: ffffffffc0522768 R15: ffffffffc052c008
[    1.695584] abreu kernel: FS:  00007ff3d9264040(0000) GS:ffff99f46f100000(0000) knlGS:0000000000000000
[    1.695593] abreu kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    1.695601] abreu kernel: CR2: 00007ff3d9341170 CR3: 0000000101838004 CR4: 00000000003706f0
[    1.695608] abreu kernel: Call Trace:
[    1.695613] abreu kernel:  <TASK>
[    1.695626] abreu kernel:  ? __warn+0xaf/0x1c0
[    1.695636] abreu kernel:  ? __warn_thunk+0x42/0x50
[    1.695648] abreu kernel:  ? report_bug+0x1d6/0x200
[    1.695662] abreu kernel:  ? handle_bug+0x3c/0x80
[    1.695672] abreu kernel:  ? exc_invalid_op+0x17/0x70
[    1.695682] abreu kernel:  ? asm_exc_invalid_op+0x1a/0x20
[    1.695696] abreu kernel:  ? __wake_up_klogd.part.0+0x21/0x80
[    1.695713] abreu kernel:  ? __warn_thunk+0x42/0x50
[    1.695724] abreu kernel:  warn_thunk_thunk+0x1a/0x30
[    1.695735] abreu kernel:  ? do_init_module+0xf2/0x360
[    1.695750] abreu kernel:  ? _sub_I_00099_0+0x20/0x20 [cryptd]
[    1.695801] abreu kernel:  do_init_module+0xf7/0x360
[    1.695817] abreu kernel:  load_module+0x35f2/0x37d0
[    1.695851] abreu kernel:  ? init_module_from_file+0xca/0x130
[    1.695866] abreu kernel:  init_module_from_file+0xca/0x130
[    1.695888] abreu kernel:  idempotent_init_module+0x1b0/0x3d0
[    1.695907] abreu kernel:  __x64_sys_finit_module+0x88/0xe0
[    1.695923] abreu kernel:  do_syscall_64+0x85/0x1a0
[    1.695936] abreu kernel:  ? do_syscall_64+0x94/0x1a0
[    1.695950] abreu kernel:  ? fpregs_assert_state_consistent+0x7e/0x90
[    1.695968] abreu kernel:  ? arch_exit_to_user_mode_prepare.isra.0+0x69/0xa0
[    1.695980] abreu kernel:  ? syscall_exit_to_user_mode+0x40/0xe0
[    1.695996] abreu kernel:  ? do_syscall_64+0x94/0x1a0
[    1.696009] abreu kernel:  ? irqentry_exit_to_user_mode+0x36/0xd0
[    1.696020] abreu kernel:  entry_SYSCALL_64_after_hwframe+0x6c/0x74
[    1.696032] abreu kernel: RIP: 0033:0x7ff3d9366059
[    1.696039] abreu kernel: Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00>
[    1.696048] abreu kernel: RSP: 002b:00007ffe37361958 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[    1.696059] abreu kernel: RAX: ffffffffffffffda RBX: 0000555d44f65b40 RCX: 00007ff3d9366059
[    1.696066] abreu kernel: RDX: 0000000000000000 RSI: 0000555d239659a6 RDI: 0000000000000000
[    1.696073] abreu kernel: RBP: 0000000000000000 R08: 0000000000000060 R09: 0000555d44f671f0
[    1.696080] abreu kernel: R10: 0000000000000038 R11: 0000000000000246 R12: 0000555d239659a6
[    1.696087] abreu kernel: R13: 0000000000040000 R14: 0000555d44f65f30 R15: 0000000000000000
[    1.696101] abreu kernel:  </TASK>
[    1.696106] abreu kernel: ---[ end trace 0000000000000000 ]---
```
```
$ ./scripts/decodecode < first_boot.txt
[    1.696039] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48
All code
========
   0:  08 89 e8 5b 5d c3       or     %cl,-0x3ca2a418(%rcx)
   6:  66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
   d:  00 00 00
  10:  90                      nop
  11:  48 89 f8                mov    %rdi,%rax
  14:  48 89 f7                mov    %rsi,%rdi
  17:  48 89 d6                mov    %rdx,%rsi
  1a:  48 89 ca                mov    %rcx,%rdx
  1d:  4d 89 c2                mov    %r8,%r10
  20:  4d 89 c8                mov    %r9,%r8
  23:  4c 8b 4c 24 08          mov    0x8(%rsp),%r9
  28:  0f 05                   syscall
  2a:* 48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax    <-- trapping instruction
  30:  73 01                   jae    0x33
  32:  c3                      ret
  33:  48 8b 0d 8f 1d 0d 00    mov    0xd1d8f(%rip),%rcx        # 0xd1dc9
  3a:  f7 d8                   neg    %eax
  3c:  64 89 01                mov    %eax,%fs:(%rcx)
  3f:  48                      rex.W

Code starting with the faulting instruction
===========================================
   0:  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:  73 01                   jae    0x9
   8:  c3                      ret
   9:  48 8b 0d 8f 1d 0d 00    mov    0xd1d8f(%rip),%rcx        # 0xd1d9f
  10:  f7 d8                   neg    %eax
  12:  64 89 01                mov    %eax,%fs:(%rcx)
  15:  48                      rex.W
```
### Second try
The Code line is a little different:
```
[    1.685474] ------------[ cut here ]------------
[    1.685482] Unpatched return thunk in use. This should not happen!
[    1.685498] WARNING: CPU: 1 PID: 88 at arch/x86/kernel/cpu/bugs.c:2935 __warn_thunk+0x42/0x50
[    1.685515] Modules linked in: cryptd(+)
[    1.685527] CPU: 1 PID: 88 Comm: modprobe Not tainted 6.9.0-rc1+ #77
[    1.685537] Hardware name: Dell Inc. XPS 13 9360/0596KF, BIOS 2.21.0 06/02/2022
[    1.685544] RIP: 0010:__warn_thunk+0x42/0x50
[    1.685555] Code: 05 da 01 00 74 05 c3 cc cc cc cc 48 c7 c7 7d f4 20 9b e8 51 5b 37 00 48 c7 c7 a0 1b ea 9a c6 05 60 05 da 01 01 e8 5e 38 08 00 <0f> 0b c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90
[    1.685565] RSP: 0018:ffffb6a6c054bac0 EFLAGS: 00010282
[    1.685574] RAX: 0000000000000000 RBX: ffffffffc04692c0 RCX: 0001ffffffffffff
[    1.685582] RDX: ffff996b43028000 RSI: 0000000000000004 RDI: ffffffff9b0ca398
[    1.685589] RBP: ffffb6a6c054bb10 R08: ffffffff9bece8c8 R09: 0000000000000000
[    1.685596] R10: 0001ffff9b0ca398 R11: ffffffff995af821 R12: ffff996b4670d4a0
[    1.685603] R13: ffffffffc0469770 R14: ffffffffc0469768 R15: ffffffffc0473008
[    1.685610] FS:  00007f8cee712040(0000) GS:ffff996eaf080000(0000) knlGS:0000000000000000
[    1.685618] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    1.685626] CR2: 00007ffda89fcb28 CR3: 00000001013f2004 CR4: 00000000003706f0
[    1.685633] Call Trace:
[    1.685638]  <TASK>
[    1.685644]  ? __warn+0xaf/0x1c0
[    1.685655]  ? __warn_thunk+0x42/0x50
[    1.685667]  ? report_bug+0x1d6/0x200
[    1.685680]  ? handle_bug+0x3c/0x80
[    1.685690]  ? exc_invalid_op+0x17/0x70
[    1.685700]  ? asm_exc_invalid_op+0x1a/0x20
[    1.685714]  ? __wake_up_klogd.part.0+0x21/0x80
[    1.685731]  ? __warn_thunk+0x42/0x50
[    1.685742]  warn_thunk_thunk+0x1a/0x30
[    1.685752]  ? do_init_module+0xf2/0x360
[    1.685767]  ? _sub_I_00099_0+0x20/0x20 [cryptd]
[    1.685818]  do_init_module+0xf7/0x360
[    1.685835]  load_module+0x35f2/0x37d0
[    1.685868]  ? init_module_from_file+0xca/0x130
[    1.685883]  init_module_from_file+0xca/0x130
[    1.685905]  idempotent_init_module+0x1b0/0x3d0
[    1.685924]  __x64_sys_finit_module+0x88/0xe0
[    1.685940]  do_syscall_64+0x85/0x1a0
[    1.685953]  ? do_syscall_64+0x94/0x1a0
[    1.685965]  ? do_syscall_64+0x94/0x1a0
[    1.685978]  ? arch_exit_to_user_mode_prepare.isra.0+0x69/0xa0
[    1.685990]  ? irqentry_exit_to_user_mode+0x36/0xd0
[    1.686006]  entry_SYSCALL_64_after_hwframe+0x6c/0x74
[    1.686017] RIP: 0033:0x7f8cee814059
[    1.686025] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48
[    1.686034] RSP: 002b:00007ffda89ffae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[    1.686045] RAX: ffffffffffffffda RBX: 000055ec481f3b40 RCX: 00007f8cee814059
[    1.686052] RDX: 0000000000000000 RSI: 000055ec13d9d9a6 RDI: 0000000000000000
[    1.686059] RBP: 0000000000000000 R08: 0000000000000060 R09: 000055ec481f51f0
[    1.686066] R10: 0000000000000038 R11: 0000000000000246 R12: 000055ec13d9d9a6
[    1.686073] R13: 0000000000040000 R14: 000055ec481f3f30 R15: 0000000000000000
[    1.686087]  </TASK>
[    1.686091] ---[ end trace 0000000000000000 ]---
```
```
$ ./scripts/decodecode < second_try.txt
Code: 05 da 01 00 74 05 c3 cc cc cc cc 48 c7 c7 7d f4 20 9b e8 51 5b 37 00 48 c7 c7 a0 1b ea 9a c6 05 60 05 da 01 01 e8 5e 38 08 00 <0f> 0b c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90
All code
========
   0:  05 da 01 00 74          add    $0x740001da,%eax
   5:  05 c3 cc cc cc          add    $0xccccccc3,%eax
   a:  cc                      int3
   b:  48 c7 c7 7d f4 20 9b    mov    $0xffffffff9b20f47d,%rdi
  12:  e8 51 5b 37 00          call   0x375b68
  17:  48 c7 c7 a0 1b ea 9a    mov    $0xffffffff9aea1ba0,%rdi
  1e:  c6 05 60 05 da 01 01    movb   $0x1,0x1da0560(%rip)        # 0x1da0585
  25:  e8 5e 38 08 00          call   0x83888
  2a:* 0f 0b                   ud2    <-- trapping instruction
  2c:  c3                      ret
  2d:  cc                      int3
  2e:  cc                      int3
  2f:  cc                      int3
  30:  cc                      int3
  31:  0f 1f 80 00 00 00 00    nopl   0x0(%rax)
  38:  90                      nop
  39:  90                      nop
  3a:  90                      nop
  3b:  90                      nop
  3c:  90                      nop
  3d:  90                      nop
  3e:  90                      nop
  3f:  90                      nop

Code starting with the faulting instruction
===========================================
   0:  0f 0b                   ud2
   2:  c3                      ret
   3:  cc                      int3
   4:  cc                      int3
   5:  cc                      int3
   6:  cc                      int3
   7:  0f 1f 80 00 00 00 00    nopl   0x0(%rax)
   e:  90                      nop
   f:  90                      nop
  10:  90                      nop
  11:  90                      nop
  12:  90                      nop
  13:  90                      nop
  14:  90                      nop
  15:  90                      nop
```
Please find the full Linux messages of the second try attached.
The problem does not happen with QEMU emulator version 8.2.2 (Debian
1:8.2.2+ds-2) with machine *q35*.
Kind regards,
Paul
View attachment "config-6.9.0-rc1+" of type "text/plain" (201540 bytes)
View attachment "20240326--dell-xps-13-9360--linux-6.9-rc1+--messages.txt" of type "text/plain" (91648 bytes)
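The two `decodecode` runs above land on different `Code:` lines: the first decodes the user-space dump after `RIP: 0033:` (the `syscall` return sequence in libc), the second the kernel dump after `RIP: 0010:`, where the trapping instruction is the `ud2` that `WARN` uses on x86. The added example below (not part of this mail or of the kernel tree, and not `scripts/decodecode` itself) does the byte-splitting step of that tool without `objdump` and pairs every `Code:` line with the preceding `RIP:` line, so a reader can tell the kernel and user dumps apart before disassembling. The sample input is a constructed excerpt of the second-try oops; the selector-to-ring mapping relies on the x86-64 `__KERNEL_CS`/`__USER_CS` values 0x10 and 0x33.

```python
"""Locate the trapping instruction in the "Code:" dumps of an x86 oops.

Added example, not kernel code. It splits each "Code:" hex dump at the
<xx> marker (the instruction RIP points at) and labels the dump with the
preceding "RIP:" line, so the kernel (CS 0x10) and user-space (CS 0x33)
dumps in one oops are told apart.
"""
import re

# Constructed sample: the RIP/Code pairs from the second-try oops above.
SAMPLE_OOPS = """\
[    1.685544] RIP: 0010:__warn_thunk+0x42/0x50
[    1.685555] Code: 05 da 01 00 74 05 c3 cc cc cc cc 48 c7 c7 7d f4 20 9b e8 51 5b 37 00 48 c7 c7 a0 1b ea 9a c6 05 60 05 da 01 01 e8 5e 38 08 00 <0f> 0b c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90
[    1.686017] RIP: 0033:0x7f8cee814059
[    1.686025] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48
"""

RIP_RE = re.compile(r"RIP: (?P<cs>[0-9a-f]{4}):(?P<where>\S+)")
CODE_RE = re.compile(r"Code: (?P<dump>.+)$")
HEX_RE = re.compile(r"^[0-9a-f]{2}$")

# Segment selectors as printed in the oops: x86-64 __KERNEL_CS = 0x10, __USER_CS = 0x33.
RING_BY_CS = {"0010": "kernel", "0033": "user"}


def parse_code_dump(dump):
    """Turn 'aa bb <cc> dd' into (bytes, fault_offset).

    Raises ValueError on anything that is not a plain byte dump, e.g. the
    'Unable to access opcode bytes' variant of the Code: line.
    """
    code = bytearray()
    fault_offset = None
    for tok in dump.split():
        if tok.startswith("<") and tok.endswith(">"):
            if fault_offset is not None:
                raise ValueError("more than one <xx> marker in Code: line")
            fault_offset = len(code)
            tok = tok[1:-1]
        if not HEX_RE.match(tok):
            raise ValueError(f"unexpected token in Code: line: {tok!r}")
        code.append(int(tok, 16))
    if fault_offset is None:
        raise ValueError("Code: line has no <xx> marker")
    return bytes(code), fault_offset


def classify_trap(code, fault_offset):
    """Name the marked instruction from a few byte patterns that matter when reading an oops."""
    at = code[fault_offset:fault_offset + 2]
    before = code[max(0, fault_offset - 2):fault_offset]
    if at == b"\x0f\x0b":
        return "ud2 (WARN/BUG trap)"
    if at[:1] == b"\xcc":
        return "int3"
    if before == b"\x0f\x05":
        # User-space RIP saved at syscall entry: it is a return address, not a fault.
        return "return address after syscall (user-space RIP, not a fault)"
    return "other"


def parse_code_lines(text):
    """Return one dict per Code: line, tagged with the ring and symbol of the preceding RIP: line."""
    entries = []
    cs = where = None
    for line in text.splitlines():
        m = RIP_RE.search(line)
        if m:
            cs, where = m.group("cs"), m.group("where")
            continue
        m = CODE_RE.search(line)
        if not m:
            continue
        code, off = parse_code_dump(m.group("dump"))
        entries.append({
            "ring": RING_BY_CS.get(cs, f"cs {cs}"),
            "where": where,
            "fault_offset": off,
            "code": code,
            "trap": classify_trap(code, off),
        })
    return entries


if __name__ == "__main__":
    for e in parse_code_lines(SAMPLE_OOPS):
        print(f"{e['ring']:6} {e['where']}: {len(e['code'])} bytes, "
              f"marker at +0x{e['fault_offset']:x}: {e['trap']}")
```

On the sample both dumps are 64 bytes with the marker at offset 0x2a, which is why `decodecode` prints `2a:*` for either; only the ring label and the byte pattern at the marker tell the kernel `ud2` apart from the libc `cmp` that merely follows a `syscall`.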