| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1A7B5DCE-6239-40D8-AB3E-F0FB3A071F0D@linux.dev>
Date: Fri, 4 Oct 2024 12:39:03 +0200
From: Thorsten Blum <thorsten.blum@...ux.dev>
To: Nathan Chancellor <nathan@...nel.org>
Cc: Christian Brauner <brauner@...nel.org>,
Kees Cook <kees@...nel.org>,
kernel test robot <oliver.sang@...el.com>,
oe-lkp@...ts.linux.dev,
lkp@...el.com,
linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org,
Alexander Viro <viro@...iv.linux.org.uk>,
Jan Kara <jack@...e.cz>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
linux-hardening@...r.kernel.org,
morbo@...gle.com
Subject: Re: [PATCH] acl: Annotate struct posix_acl with __counted_by()
On 2. Oct 2024, at 05:42, Nathan Chancellor <nathan@...nel.org> wrote:
> On Thu, Sep 26, 2024 at 02:21:42PM +0200, Thorsten Blum wrote:
>> On 26. Sep 2024, at 03:46, kernel test robot <oliver.sang@...el.com> wrote:
>>>
>>> Hello,
>>>
>>> kernel test robot noticed "WARNING:at_lib/string_helpers.c:#__fortify_report" on:
>>>
>>> commit: 3d2d832826325210abb9849ee96634bf5a197517 ("[PATCH] acl: Annotate struct posix_acl with __counted_by()")
>>> url: https://github.com/intel-lab-lkp/linux/commits/Thorsten-Blum/acl-Annotate-struct-posix_acl-with-__counted_by/20240924-054002
>>> base: https://git.kernel.org/cgit/linux/kernel/git/vfs/vfs.git vfs.all
>>> patch link: https://lore.kernel.org/all/20240923213809.235128-2-thorsten.blum@linux.dev/
>>> patch subject: [PATCH] acl: Annotate struct posix_acl with __counted_by()
>>>
>>> in testcase: boot
>>>
>>> compiler: clang-18
>>> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>>>
>>> (please refer to attached dmesg/kmsg for entire log/backtrace)
>>>
>>>
>>> +---------------------------------------------------+------------+------------+
>>> | | c72f8f06a2 | 3d2d832826 |
>>> +---------------------------------------------------+------------+------------+
>>> | boot_successes | 18 | 0 |
>>> | boot_failures | 0 | 18 |
>>> | WARNING:at_lib/string_helpers.c:#__fortify_report | 0 | 18 |
>>> | RIP:__fortify_report | 0 | 18 |
>>> | kernel_BUG_at_lib/string_helpers.c | 0 | 18 |
>>> | Oops:invalid_opcode:#[##]KASAN | 0 | 18 |
>>> | RIP:__fortify_panic | 0 | 18 |
>>> | Kernel_panic-not_syncing:Fatal_exception | 0 | 18 |
>>> +---------------------------------------------------+------------+------------+
>>>
>>>
>>> If you fix the issue in a separate patch/commit (i.e. not just a new version of
>>> the same patch/commit), kindly add following tags
>>> | Reported-by: kernel test robot <oliver.sang@...el.com>
>>> | Closes: https://lore.kernel.org/oe-lkp/202409260949.a1254989-oliver.sang@intel.com
>>>
>>>
>>> [ 25.825642][ T121] ------------[ cut here ]------------
>>> [ 25.826209][ T121] kmemdup: detected buffer overflow: 72 byte read of buffer size 68
>>> [ 25.826866][ T121] WARNING: CPU: 0 PID: 121 at lib/string_helpers.c:1030 __fortify_report (lib/string_helpers.c:1029)
>>> [ 25.827588][ T121] Modules linked in:
>>> [ 25.827895][ T121] CPU: 0 UID: 0 PID: 121 Comm: systemd-tmpfile Not tainted 6.11.0-rc6-00294-g3d2d83282632 #1
>>> [ 25.828870][ T121] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
>>> [ 25.829661][ T121] RIP: 0010:__fortify_report (lib/string_helpers.c:1029)
>>> [ 25.830093][ T121] Code: f6 c5 01 49 8b 37 48 c7 c0 00 8a 56 86 48 c7 c1 20 8a 56 86 48 0f 44 c8 48 c7 c7 80 87 56 86 4c 89 f2 49 89 d8 e8 d1 37 dd fe <0f> 0b 5b 41 5e 41 5f 5d 31 c0 31 c9 31 ff 31 d2 31 f6 45 31 c0 c3
>>> All code
>>> ========
>>> 0: f6 c5 01 test $0x1,%ch
>>> 3: 49 8b 37 mov (%r15),%rsi
>>> 6: 48 c7 c0 00 8a 56 86 mov $0xffffffff86568a00,%rax
>>> d: 48 c7 c1 20 8a 56 86 mov $0xffffffff86568a20,%rcx
>>> 14: 48 0f 44 c8 cmove %rax,%rcx
>>> 18: 48 c7 c7 80 87 56 86 mov $0xffffffff86568780,%rdi
>>> 1f: 4c 89 f2 mov %r14,%rdx
>>> 22: 49 89 d8 mov %rbx,%r8
>>> 25: e8 d1 37 dd fe call 0xfffffffffedd37fb
>>> 2a:* 0f 0b ud2 <-- trapping instruction
>>> 2c: 5b pop %rbx
>>> 2d: 41 5e pop %r14
>>> 2f: 41 5f pop %r15
>>> 31: 5d pop %rbp
>>> 32: 31 c0 xor %eax,%eax
>>> 34: 31 c9 xor %ecx,%ecx
>>> 36: 31 ff xor %edi,%edi
>>> 38: 31 d2 xor %edx,%edx
>>> 3a: 31 f6 xor %esi,%esi
>>> 3c: 45 31 c0 xor %r8d,%r8d
>>> 3f: c3 ret
>>>
>>> Code starting with the faulting instruction
>>> ===========================================
>>> 0: 0f 0b ud2
>>> 2: 5b pop %rbx
>>> 3: 41 5e pop %r14
>>> 5: 41 5f pop %r15
>>> 7: 5d pop %rbp
>>> 8: 31 c0 xor %eax,%eax
>>> a: 31 c9 xor %ecx,%ecx
>>> c: 31 ff xor %edi,%edi
>>> e: 31 d2 xor %edx,%edx
>>> 10: 31 f6 xor %esi,%esi
>>> 12: 45 31 c0 xor %r8d,%r8d
>>> 15: c3 ret
>>> [ 25.831566][ T121] RSP: 0018:ffffc90001e6f8a0 EFLAGS: 00010246
>>> [ 25.832052][ T121] RAX: 0000000000000000 RBX: 0000000000000044 RCX: 0000000000000000
>>> [ 25.832705][ T121] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
>>> [ 25.833348][ T121] RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
>>> [ 25.833964][ T121] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff920003cdf27
>>> [ 25.834570][ T121] R13: dffffc0000000000 R14: 0000000000000048 R15: ffffffff86568730
>>> [ 25.835152][ T121] FS: 00007f994a290440(0000) GS:ffffffff87eba000(0000) knlGS:0000000000000000
>>> [ 25.835834][ T121] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [ 25.836385][ T121] CR2: 0000561875daa188 CR3: 0000000160dd0000 CR4: 00000000000406f0
>>> [ 25.837005][ T121] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>> [ 25.837609][ T121] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>> [ 25.838212][ T121] Call Trace:
>>> [ 25.838482][ T121] <TASK>
>>> [ 25.838717][ T121] ? __warn (kernel/panic.c:242)
>>> [ 25.839053][ T121] ? __fortify_report (lib/string_helpers.c:1029)
>>> [ 25.839436][ T121] ? __fortify_report (lib/string_helpers.c:1029)
>>> [ 25.839816][ T121] ? report_bug (lib/bug.c:?)
>>> [ 25.840206][ T121] ? handle_bug (arch/x86/kernel/traps.c:239)
>>> [ 25.840551][ T121] ? exc_invalid_op (arch/x86/kernel/traps.c:260)
>>> [ 25.840932][ T121] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
>>> [ 25.841336][ T121] ? __fortify_report (lib/string_helpers.c:1029)
>>> [ 25.841732][ T121] __fortify_panic (lib/string_helpers.c:1037)
>>> [ 25.842094][ T121] __posix_acl_chmod (include/linux/fortify-string.h:751)
>>> [ 25.842493][ T121] ? make_vfsgid (fs/mnt_idmapping.c:122)
>>> [ 25.842837][ T121] ? capable_wrt_inode_uidgid (include/linux/mnt_idmapping.h:193 kernel/capability.c:480 kernel/capability.c:499)
>>> [ 25.843285][ T121] posix_acl_chmod (fs/posix_acl.c:624)
>>> [ 25.843671][ T121] shmem_setattr (mm/shmem.c:1240)
>>> [ 25.844039][ T121] ? ns_to_timespec64 (include/linux/math64.h:29 kernel/time/time.c:529)
>>> [ 25.844456][ T121] ? inode_set_ctime_current (fs/inode.c:2331)
>>> [ 25.844894][ T121] ? shmem_xattr_handler_set (mm/shmem.c:1173)
>>> [ 25.845322][ T121] ? rcu_read_lock_any_held (kernel/rcu/update.c:388)
>>> [ 25.845736][ T121] ? security_inode_setattr (security/security.c:?)
>>> [ 25.846157][ T121] ? shmem_xattr_handler_set (mm/shmem.c:1173)
>>> [ 25.846582][ T121] notify_change (fs/attr.c:?)
>>> [ 25.846952][ T121] chmod_common (fs/open.c:653)
>>> [ 25.847315][ T121] ? __ia32_sys_chroot (fs/open.c:637)
>>> [ 25.847709][ T121] ? user_path_at (fs/namei.c:3019)
>>> [ 25.848068][ T121] ? kmem_cache_free (mm/slub.c:4474)
>>> [ 25.848489][ T121] do_fchmodat (fs/open.c:701)
>>> [ 25.848842][ T121] ? do_faccessat (fs/open.c:686)
>>> [ 25.849210][ T121] ? print_irqtrace_events (kernel/locking/lockdep.c:4311)
>>> [ 25.849640][ T121] __x64_sys_chmod (fs/open.c:725 fs/open.c:723 fs/open.c:723)
>>> [ 25.850010][ T121] do_syscall_64 (arch/x86/entry/common.c:?)
>>> [ 25.850371][ T121] ? tracer_hardirqs_on (kernel/trace/trace_irqsoff.c:?)
>>> [ 25.850790][ T121] ? tracer_hardirqs_off (kernel/trace/trace_irqsoff.c:?)
>>> [ 25.851208][ T121] ? tracer_hardirqs_on (kernel/trace/trace_irqsoff.c:?)
>>> [ 25.851621][ T121] ? tracer_hardirqs_on (kernel/trace/trace_irqsoff.c:619)
>>> [ 25.852040][ T121] ? print_irqtrace_events (kernel/locking/lockdep.c:4311)
>>> [ 25.852522][ T121] ? do_syscall_64 (arch/x86/entry/common.c:102)
>>> [ 25.852917][ T121] ? do_syscall_64 (arch/x86/entry/common.c:102)
>>> [ 25.853285][ T121] ? do_syscall_64 (arch/x86/entry/common.c:102)
>>> [ 25.853667][ T121] ? do_syscall_64 (arch/x86/entry/common.c:102)
>>> [ 25.854053][ T121] ? exc_page_fault (arch/x86/mm/fault.c:1543)
>>> [ 25.854445][ T121] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>>> [ 25.854921][ T121] RIP: 0033:0x7f994adcdc47
>>> [ 25.855282][ T121] Code: eb d9 e8 9c 04 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 5f 00 00 00 0f 05 c3 0f 1f 84 00 00 00 00 00 b8 5a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 a1 0d 00 f7 d8 64 89 01 48
>>> All code
>>> ========
>>> 0: eb d9 jmp 0xffffffffffffffdb
>>> 2: e8 9c 04 02 00 call 0x204a3
>>> 7: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
>>> e: 00 00 00
>>> 11: 66 90 xchg %ax,%ax
>>> 13: b8 5f 00 00 00 mov $0x5f,%eax
>>> 18: 0f 05 syscall
>>> 1a: c3 ret
>>> 1b: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
>>> 22: 00
>>> 23: b8 5a 00 00 00 mov $0x5a,%eax
>>> 28: 0f 05 syscall
>>> 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
>>> 30: 73 01 jae 0x33
>>> 32: c3 ret
>>> 33: 48 8b 0d 89 a1 0d 00 mov 0xda189(%rip),%rcx # 0xda1c3
>>> 3a: f7 d8 neg %eax
>>> 3c: 64 89 01 mov %eax,%fs:(%rcx)
>>> 3f: 48 rex.W
>>>
>>> Code starting with the faulting instruction
>>> ===========================================
>>> 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
>>> 6: 73 01 jae 0x9
>>> 8: c3 ret
>>> 9: 48 8b 0d 89 a1 0d 00 mov 0xda189(%rip),%rcx # 0xda199
>>> 10: f7 d8 neg %eax
>>> 12: 64 89 01 mov %eax,%fs:(%rcx)
>>> 15: 48 rex.W
>>>
>>>
>>> The kernel config and materials to reproduce are available at:
>>> https://download.01.org/0day-ci/archive/20240926/202409260949.a1254989-oliver.sang@intel.com
>>
>> This seems to be related to [1] and __builtin_dynamic_object_size().
>>
>> Compared to GCC, Clang's __bdos() is off by 4 bytes.
>>
>> I made a small PoC: https://godbolt.org/z/vvK9PE1Yq
>>
>> Thanks,
>> Thorsten
>>
>> [1] https://lore.kernel.org/all/20240913164630.GA4091534@thelio-3990X/
>> Cc: Bill Wendling
>
> This should probably be reverted or dropped like that change was because
> this breaks boot for me on when UBSAN_BOUNDS is enabled (like it is for
> Fedora's configuration now, which I use for some machines).
>
> It looks like Bill is working on a fix:
>
> https://github.com/llvm/llvm-project/pull/110487
>
> I see a bit of discussion going on there so I have not tried to verify
> if that fix addresses both reported issues. I wonder if we should stop
> trying to add __counted_by() annotations until this issue is fully
> addressed, backported, and accounted for in the kernel sources? It seems
> like this is relatively easy to trip up (at least from my perspective,
> since I have hit this twice in the past couple of months) and only
> released versions of clang have __counted_by(), so those users are more
> likely to get hit with this issue. I do not think too many people test
> with tip of tree GCC (or maybe they do but not with UBSAN_BOUNDS
> enabled).
>
> Cheers,
> Nathan
There appear to be two separate Clang __bdos() issues that the
__counted_by() annotations can run into. This one
https://github.com/llvm/llvm-project/pull/110487
has been fixed and merged into main. The other issue is here:
https://github.com/llvm/llvm-project/issues/111009
but the fix (https://github.com/llvm/llvm-project/pull/111015) is still
being discussed. This is the one that Nathan ran into with this
posix_acl patch and the __counted_by() annotation.
A simple workaround is to reorder the struct's members such that
Clang's __bdos() returns the same size as GCC's __bdos(). I just
submitted a patch here:
https://lore.kernel.org/lkml/20241004103401.38579-2-thorsten.blum@linux.dev/
Powered by blists - more mailing lists