lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250414170414.74f1c4e3542b1f10c8b24d90@linux-foundation.org>
Date: Mon, 14 Apr 2025 17:04:14 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: Mostafa Saleh <smostafa@...gle.com>
Cc: linux-kernel@...r.kernel.org, kasan-dev@...glegroups.com,
 linux-hardening@...r.kernel.org, kees@...nel.org, elver@...gle.com,
 andreyknvl@...il.com, ryabinin.a.a@...il.com
Subject: Re: [PATCH] lib/test_ubsan.c: Fix panic from
 test_ubsan_out_of_bounds

On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@...gle.com> wrote:

> Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the
> kernel
> 
> [   31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan]
> [   31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT
> [   31.648153] Hardware name: linux,dummy-virt (DT)
> [   31.648970] Call trace:
> [   31.649345]  show_stack+0x18/0x24 (C)
> [   31.650960]  dump_stack_lvl+0x40/0x84
> [   31.651559]  dump_stack+0x18/0x24
> [   31.652264]  panic+0x138/0x3b4
> [   31.652812]  __ktime_get_real_seconds+0x0/0x10
> [   31.653540]  test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan]
> [   31.654388]  init_module+0x24/0xff4 [test_ubsan]
> [   31.655077]  do_one_initcall+0xd4/0x280
> [   31.655680]  do_init_module+0x58/0x2b4
> 
> That happens because the test corrupts other data in the stack:
> 400:   d5384108        mrs     x8, sp_el0
> 404:   f9426d08        ldr     x8, [x8, #1240]
> 408:   f85f83a9        ldur    x9, [x29, #-8]
> 40c:   eb09011f        cmp     x8, x9
> 410:   54000301        b.ne    470 <test_ubsan_out_of_bounds+0x154>  // b.any
> 
> As there is no guarantee the compiler will order the local variables
> as declared in the module:

argh.

> 	volatile char above[4] = { }; /* Protect surrounding memory. */
> 	volatile int arr[4];
> 	volatile char below[4] = { }; /* Protect surrounding memory. */
> 
> So, instead of writing out-of-bound, we can read out-of-bound which
> still triggers UBSAN but doesn't corrupt the stack.

Would it be better to put the above three items into a struct, so we
specify the layout?

> --- a/lib/test_ubsan.c
> +++ b/lib/test_ubsan.c
> @@ -77,18 +77,15 @@ static void test_ubsan_shift_out_of_bounds(void)
>  
>  static void test_ubsan_out_of_bounds(void)
>  {
> -	volatile int i = 4, j = 5, k = -1;
> -	volatile char above[4] = { }; /* Protect surrounding memory. */
> +	volatile int j = 5, k = -1;
> +	volatile int scratch[4] = { };
>  	volatile int arr[4];
> -	volatile char below[4] = { }; /* Protect surrounding memory. */
> -
> -	above[0] = below[0];
>  
>  	UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
> -	arr[j] = i;
> +	scratch[1] = arr[j];
>  
>  	UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
> -	arr[k] = i;
> +	scratch[2] = arr[k];
>  }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ