Message-ID: <202410281544.bd98d329-lkp@intel.com>
Date: Tue, 29 Oct 2024 13:04:12 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Kees Cook <keescook@...omium.org>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, <linux-kernel@...r.kernel.org>,
Miguel Ojeda <ojeda@...nel.org>, Nathan Chancellor <nathan@...nel.org>,
"Peter Zijlstra" <peterz@...radead.org>, Hao Luo <haoluo@...gle.com>, Marco
Elver <elver@...gle.com>, Justin Stitt <justinstitt@...gle.com>,
<kasan-dev@...glegroups.com>, <linux-hardening@...r.kernel.org>,
<linux-kbuild@...r.kernel.org>, <oliver.sang@...el.com>
Subject: [linus:master] [ubsan] 557f8c582a: UBSAN:signed-integer-overflow_in_fs/sync.c
Hello,
For this "ubsan: Reintroduce signed overflow sanitizer" change, we really
noticed some UBSAN issues starting to appear:
918327e9b7ffb453 557f8c582a9ba8abe6aa0fd734b
---------------- ---------------------------
       fail:runs  %reproduction    fail:runs
           |             |             |
             :20          50%          10:20   dmesg.UBSAN:signed-integer-overflow_in_arch/x86/include/asm/atomic.h
             :20          10%           2:20   dmesg.UBSAN:signed-integer-overflow_in_fs/open.c
             :20           5%           1:20   dmesg.UBSAN:signed-integer-overflow_in_fs/read_write.c
             :20          50%          10:20   dmesg.UBSAN:signed-integer-overflow_in_fs/sync.c
             :20          85%          17:20   dmesg.UBSAN:signed-integer-overflow_in_include/linux/atomic/atomic-arch-fallback.h
It's out of our scope to backport this change and then find out the real first
bad commits which introduced these issues.
We just made the report below, FYI, on what we observed in our tests.
kernel test robot noticed "UBSAN:signed-integer-overflow_in_fs/sync.c" on:
commit: 557f8c582a9ba8abe6aa0fd734b6f342af106b26 ("ubsan: Reintroduce signed overflow sanitizer")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
[test failed on linus/master 850925a8133c73c4a2453c360b2c3beb3bab67c9]
[test failed on linux-next/master a39230ecf6b3057f5897bc4744a790070cfbe7a8]
in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with following parameters:
runtime: 600s
config: i386-randconfig-141-20241024
compiler: clang-19
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202410281544.bd98d329-lkp@intel.com
[ 215.770370][ T642] ------------[ cut here ]------------
[ 215.777621][ T642] UBSAN: signed-integer-overflow in fs/sync.c:240:19
[ 215.788285][ T642] 1880844493352075409 + 8608480566024911059 cannot be represented in type 'loff_t' (aka 'long long')
[ 215.801598][ T642] CPU: 0 PID: 642 Comm: trinity-c7 Tainted: G T 6.8.0-rc2-00013-g557f8c582a9b #1
[ 215.817967][ T642] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 215.830638][ T642] Call Trace:
[ 215.834397][ T642] dump_stack_lvl (lib/dump_stack.c:107)
[ 215.839685][ T642] dump_stack (lib/dump_stack.c:113)
[ 215.844573][ T642] handle_overflow (lib/ubsan.c:218 lib/ubsan.c:248)
[ 215.850605][ T642] __ubsan_handle_add_overflow (lib/ubsan.c:255)
[ 215.857665][ T642] sync_file_range (fs/sync.c:?)
[ 215.863236][ T642] ? do_int80_syscall_32 (arch/x86/entry/common.c:278)
[ 215.869588][ T642] ksys_sync_file_range (fs/sync.c:364)
[ 215.875456][ T642] __ia32_sys_ia32_sync_file_range (arch/x86/kernel/sys_ia32.c:107)
[ 215.886149][ T642] do_int80_syscall_32 (arch/x86/entry/common.c:?)
[ 215.892113][ T642] ? syscall_exit_to_user_mode (kernel/entry/common.c:215)
[ 215.899078][ T642] ? do_int80_syscall_32 (arch/x86/entry/common.c:278)
[ 215.905299][ T642] ? irqentry_exit_to_user_mode (kernel/entry/common.c:228)
[ 215.912366][ T642] ? irqentry_exit (kernel/entry/common.c:361)
[ 215.917978][ T642] ? sysvec_call_function_single (arch/x86/kernel/apic/apic.c:1076)
[ 215.925139][ T642] entry_INT80_32 (arch/x86/entry/entry_32.S:947)
[ 215.931354][ T642] EIP: 0xb7fcc092
[ 215.936180][ T642] Code: 00 00 00 e9 90 ff ff ff ff a3 24 00 00 00 68 30 00 00 00 e9 80 ff ff ff ff a3 f8 ff ff ff 66 90 00 00 00 00 00 00 00 00 cd 80 <c3> 8d b4 26 00 00 00 00 8d b6 00 00 00 00 8b 1c 24 c3 8d b4 26 00
All code
========
0: 00 00 add %al,(%rax)
2: 00 e9 add %ch,%cl
4: 90 nop
5: ff (bad)
6: ff (bad)
7: ff (bad)
8: ff a3 24 00 00 00 jmp *0x24(%rbx)
e: 68 30 00 00 00 push $0x30
13: e9 80 ff ff ff jmp 0xffffffffffffff98
18: ff a3 f8 ff ff ff jmp *-0x8(%rbx)
1e: 66 90 xchg %ax,%ax
...
28: cd 80 int $0x80
2a:* c3 ret <-- trapping instruction
2b: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
32: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
38: 8b 1c 24 mov (%rsp),%ebx
3b: c3 ret
3c: 8d .byte 0x8d
3d: b4 26 mov $0x26,%ah
...
Code starting with the faulting instruction
===========================================
0: c3 ret
1: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
8: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
e: 8b 1c 24 mov (%rsp),%ebx
11: c3 ret
12: 8d .byte 0x8d
13: b4 26 mov $0x26,%ah
...
[ 215.959775][ T642] EAX: ffffffda EBX: 00000167 ECX: 00000091 EDX: 1a1a1a1a
[ 215.968070][ T642] ESI: 11c4b8d3 EDI: 77777777 EBP: 00000000 ESP: bfafd7a8
[ 215.976212][ T642] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000292
[ 216.099174][ T1] sbc7240_wdt: timeout value must be 1<=x<=255
[ 216.190859][ T642] ---[ end trace ]---
[ 274.950074][ C0] ------------[ cut here ]------------
[ 274.956226][ C0] UBSAN: signed-integer-overflow in arch/x86/include/asm/atomic.h:85:11
[ 274.966763][ C0] -560020972 + -1641070746 cannot be represented in type 'int'
[ 275.004321][ C0] CPU: 0 PID: 1058 Comm: trinity-c4 Tainted: G T 6.8.0-rc2-00013-g557f8c582a9b #1
[ 275.014695][ C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 275.024834][ C0] Call Trace:
[ 275.028200][ C0] <SOFTIRQ>
[ 275.031444][ C0] dump_stack_lvl+0x77/0xb0
[ 275.035949][ C0] dump_stack+0xd/0x14
[ 275.039999][ C0] handle_overflow+0x279/0x2a0
[ 275.044833][ C0] __ubsan_handle_add_overflow+0x10/0x20
[ 275.050399][ C0] __ip_select_ident+0xe1/0x100
[ 275.055298][ C0] ip_select_ident_segs+0xb8/0x110
[ 275.060353][ C0] __ip_make_skb+0x257/0x390
[ 275.064951][ C0] ip_push_pending_frames+0x1b/0x40
[ 275.070103][ C0] icmp_push_reply+0xc8/0x100
[ 275.074775][ C0] __icmp_send+0x47e/0x4d0
[ 275.079534][ C0] __udp4_lib_rcv+0x609/0x6e0
[ 275.084394][ C0] udplite_rcv+0x17/0x20
[ 275.088608][ C0] ip_protocol_deliver_rcu+0xe4/0x390
[ 275.093960][ C0] ? ip_local_deliver+0x150/0x150
[ 275.099299][ C0] ip_local_deliver+0xe8/0x150
[ 275.104613][ C0] ip_rcv_finish+0x73/0x90
[ 275.109057][ C0] ip_rcv+0x1f/0x30
[ 275.112983][ C0] __netif_receive_skb+0x6e/0x120
[ 275.118031][ C0] process_backlog+0x1a7/0x250
[ 275.123224][ C0] __napi_poll+0x2a/0x1f0
[ 275.127626][ C0] net_rx_action+0x138/0x2a0
[ 275.132262][ C0] __do_softirq+0x11f/0x41f
[ 275.136794][ C0] ? do_softirq_own_stack+0x55/0x60
[ 275.141921][ C0] ? queued_write_lock_slowpath+0x13c/0x13c
[ 275.147853][ C0] do_softirq_own_stack+0x55/0x60
[ 275.152840][ C0] </SOFTIRQ>
[ 275.156181][ C0] do_softirq+0x46/0x90
[ 275.160351][ C0] __local_bh_enable_ip+0xe0/0x110
[ 275.165410][ C0] local_bh_enable+0x12/0x20
[ 275.170019][ C0] __dev_queue_xmit+0x5bd/0x950
[ 275.174874][ C0] ? read_seqbegin+0x78/0xc0
[ 275.179543][ C0] ? neigh_resolve_output+0xec/0x180
[ 275.184754][ C0] ? trace_hardirqs_on+0x56/0xa0
[ 275.189687][ C0] ? of_get_ethdev_address+0x50/0x50
[ 275.194928][ C0] neigh_resolve_output+0x133/0x180
[ 275.200083][ C0] ? eth_header_parse+0x30/0x30
[ 275.204881][ C0] ip_finish_output2+0x598/0x6c0
[ 275.209806][ C0] ? ip_finish_output+0x47/0x110
[ 275.214703][ C0] ? __local_bh_enable_ip+0xb0/0x110
[ 275.220076][ C0] ip_finish_output+0x47/0x110
[ 275.224815][ C0] ip_output+0x49/0x60
[ 275.228926][ C0] ip_local_out+0x74/0xa0
[ 275.233397][ C0] ip_send_skb+0x18/0x110
[ 275.237738][ C0] udp_send_skb+0x2d7/0x350
[ 275.242281][ C0] udp_sendmsg+0x9c2/0xa70
[ 275.246883][ C0] ? udp_sendmsg+0xa70/0xa70
[ 275.251648][ C0] ? udp_cmsg_send+0xd0/0xd0
[ 275.256670][ C0] inet_sendmsg+0xa6/0xb0
[ 275.261266][ C0] __sock_sendmsg+0x48/0x80
[ 275.265773][ C0] ____sys_sendmsg+0x13b/0x1e0
[ 275.270597][ C0] __sys_sendmsg+0x18b/0x1c0
[ 275.275597][ C0] __ia32_sys_sendmsg+0x1a/0x20
[ 275.280454][ C0] do_int80_syscall_32+0xe7/0x12c
[ 275.285440][ C0] ? syscall_exit_to_user_mode+0xf0/0x100
[ 275.291087][ C0] ? do_int80_syscall_32+0xf1/0x12c
[ 275.296333][ C0] ? rcu_lock_acquire+0x30/0x30
[ 275.301222][ C0] ? syscall_exit_to_user_mode+0xf0/0x100
[ 275.306894][ C0] ? do_int80_syscall_32+0xf1/0x12c
[ 275.312116][ C0] ? do_int80_syscall_32+0xf1/0x12c
[ 275.317262][ C0] ? syscall_exit_to_user_mode+0xf0/0x100
[ 275.322879][ C0] ? do_int80_syscall_32+0xf1/0x12c
[ 275.328094][ C0] ? do_int80_syscall_32+0xf1/0x12c
[ 275.333216][ C0] ? irqentry_exit_to_user_mode+0xe4/0xf4
[ 275.338851][ C0] ? irqentry_exit+0x56/0x88
[ 275.343455][ C0] ? sysvec_call_function_single+0x30/0x30
[ 275.349279][ C0] entry_INT80_32+0x125/0x125
[ 275.353945][ C0] EIP: 0xb7fcc092
[ 275.357581][ C0] Code: 00 00 00 e9 90 ff ff ff ff a3 24 00 00 00 68 30 00 00 00 e9 80 ff ff ff ff a3 f8 ff ff ff 66 90 00 00 00 00 00 00 00 00 cd 80 <c3> 8d b4 26 00 00 00 00 8d b6 00 00 00 00 8b 1c 24 c3 8d b4 26 00
[ 275.376574][ C0] EAX: ffffffda EBX: 00000134 ECX: 01f07b00 EDX: 00000000
[ 275.383603][ C0] ESI: fffffffc EDI: 85858585 EBP: fffffffe ESP: bfafd7a8
[ 275.390502][ C0] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000292
[ 275.400392][ C0] ---[ end trace ]---
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241028/202410281544.bd98d329-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki