| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFULd4Zrnn=1=1AP329Qw23b0Ume2A5Z-U2q-M62L1gcpJD4pg@mail.gmail.com>
Date: Sat, 14 Dec 2024 02:17:07 +0100
From: Uros Bizjak <ubizjak@...il.com>
To: Matt Fleming <matt@...dmodwrite.com>
Cc: Ingo Molnar <mingo@...nel.org>, Jakub Jelinek <jakub@...hat.com>, linux-kernel@...r.kernel.org,
kernel-team@...udflare.com
Subject: Re: CONFIG_KASAN triggers ASAN bug in GCC 13.3.0 and 14.1.0
On Fri, Dec 13, 2024 at 8:01 PM Matt Fleming <matt@...dmodwrite.com> wrote:
>
> Hi everyone,
>
> I've run into following Oops when running with KASAN enabled:
>
> [ 22.938710][ T0] Oops: general protection fault, probably for non-canonical address 0xdffffc00000087c8: 0000 [#1] PREEMPT SMP KASAN NOPTI
> [ 22.939369][ T0] KASAN: probably user-memory-access in range [0x0000000000043e40-0x0000000000043e47]
> [ 22.939369][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.1-cloudflare-kasan-2024.11.20 #1
> [ 22.939369][ T0] Hardware name: MACHINE, BIOS VERSION 09/04/2024
> [ 22.939369][ T0] RIP: 0010:switch_mm_irqs_off+0x43/0xd70
> [ 22.939369][ T0] Code: 48 83 ec 20 48 c7 c0 40 3e 04 00 65 48 8b 1d 14 41 91 77 48 ba 00 00 00 00 00 fc ff df 65 44 0f b7 25 11 41 91 77 48 c1 e8 03 <0f> b6 04 10 84 c0 74 06 0f 8e be 09 00 00 65 44 0f b6 2d a6 41 91
> [ 22.939369][ T0] RSP: 0000:ffffffff8ce07e00 EFLAGS: 00010012
> [ 22.939369][ T0] RAX: 00000000000087c8 RBX: ffffffff8d20a740 RCX: 0000001850076000
> [ 22.939369][ T0] RDX: dffffc0000000000 RSI: ffffffff8d7a28c0 RDI: 0000000000000000
> [ 22.939369][ T0] RBP: ffffffff8d7a28c0 R08: 00000000aa299018 R09: e4977f26b7bc541a
> [ 22.939369][ T0] R10: ffffffff8ce07e00 R11: 8000000000000063 R12: 0000000000000000
> [ 22.939369][ T0] R13: 0000001850076000 R14: 0000000000000000 R15: ffff889850076000
> [ 22.939369][ T0] FS: 0000000000000000(0000) GS:ffff8887efa00000(0000) knlGS:0000000000000000
> [ 22.939369][ T0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 22.939369][ T0] CR2: ffff88c04f1ff000 CR3: 00000037f4852001 CR4: 0000000000770ef0
> [ 22.939369][ T0] PKRU: 55555554
> [ 22.939369][ T0] Call Trace:
> [ 22.939369][ T0] <TASK>
> [ 22.939369][ T0] ? __die_body.cold+0x19/0x21
> [ 22.939369][ T0] ? die_addr+0x46/0x70
> [ 22.939369][ T0] ? exc_general_protection+0x119/0x210
> [ 22.939369][ T0] ? asm_exc_general_protection+0x26/0x30
> [ 22.939369][ T0] ? switch_mm_irqs_off+0x43/0xd70
> [ 22.939369][ T0] ? __pfx_efi_memmap_init_late+0x10/0x10
> [ 22.939369][ T0] switch_mm+0x14/0x20
> [ 22.939369][ T0] efi_set_virtual_address_map+0x75/0x180
> [ 22.939369][ T0] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 22.939369][ T0] efi_enter_virtual_mode+0x6fb/0x7c0
> [ 22.939369][ T0] ? alt_reloc_selftest+0x1f/0x50
> [ 22.939369][ T0] start_kernel+0x323/0x3a0
> [ 22.939369][ T0] x86_64_start_reservations+0x24/0x30
> [ 22.939369][ T0] x86_64_start_kernel+0x7f/0x80
> [ 22.939369][ T0] common_startup_64+0x13e/0x141
> [ 22.939369][ T0] </TASK>
>
> This was supposed to be fixed by the compiler version check in
> f61f02d1ff78 ("x86/percpu: Re-enable named address spaces with KASAN for
> GCC 13.3+"), but I'm still able to trigger this problem with both GCC
> 14.1.0 and GCC 13.3.0 which include fixes for PR sanitizer/111736.
> (Reverting f61f02d1ff78 obviously prevents the oops)
>
> Here's the assembly that shows the ASAN protection kicking in for the
> per-CPU addresses (cpu_tlbstate):
>
> ffffffff8112fc40 <switch_mm_irqs_off>:
> ffffffff8112fc40: f3 0f 1e fa endbr64
> ffffffff8112fc44: e8 e7 79 fd ff call ffffffff81107630 <__fentry__>
> ffffffff8112fc49: 41 57 push %r15
> ffffffff8112fc4b: 41 56 push %r14
> ffffffff8112fc4d: 49 89 d6 mov %rdx,%r14
> ffffffff8112fc50: 41 55 push %r13
> ffffffff8112fc52: 41 54 push %r12
> ffffffff8112fc54: 55 push %rbp
> ffffffff8112fc55: 48 89 f5 mov %rsi,%rbp
> ffffffff8112fc58: 53 push %rbx
> ffffffff8112fc59: 48 83 ec 20 sub $0x20,%rsp
> ffffffff8112fc5d: 48 c7 c0 40 3e 04 00 mov $0x43e40,%rax
> ffffffff8112fc64: 65 48 8b 1d 14 41 f1 mov %gs:0x7ef14114(%rip),%rbx # 43d80 <cpu_tlbstate>
> ffffffff8112fc6b: 7e
> ffffffff8112fc6c: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
> ffffffff8112fc73: fc ff df
> ffffffff8112fc76: 65 44 0f b7 25 11 41 movzwl %gs:0x7ef14111(%rip),%r12d # 43d90 <cpu_tlbstate+0x10>
> ffffffff8112fc7d: f1 7e
> ffffffff8112fc7f: 48 c1 e8 03 shr $0x3,%rax
> ffffffff8112fc83: 0f b6 04 10 movzbl (%rax,%rdx,1),%eax
>
> Fault occurs here due to ASAN -----------^
>
>
> Anyone got any ideas how to debug this further?
Does your config include CONFIG_UBSAN_BOOL=y ?
There is a rare interaction between CONFIG_KASAN and CONFIG_UBSAN_BOOL
(aka -fsanitize=bool), reported in [1] and fixed for gcc-14.2 in [2].
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111736#c42
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115172
Otherwise, please attach your .config, and I'll look into this issue.
Thanks,
Uros.
Powered by blists - more mailing lists