| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202504151006.19150DFE@keescook>
Date: Tue, 15 Apr 2025 10:09:00 -0700
From: Kees Cook <kees@...nel.org>
To: Mostafa Saleh <smostafa@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>, linux-kernel@...r.kernel.org,
kasan-dev@...glegroups.com, linux-hardening@...r.kernel.org,
elver@...gle.com, andreyknvl@...il.com, ryabinin.a.a@...il.com
Subject: Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds
On Tue, Apr 15, 2025 at 08:48:30AM +0000, Mostafa Saleh wrote:
> On Mon, Apr 14, 2025 at 05:04:14PM -0700, Andrew Morton wrote:
> > On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@...gle.com> wrote:
> >
> > > Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the
> > > kernel
> > >
> > > [ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan]
> > > [ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT
> > > [ 31.648153] Hardware name: linux,dummy-virt (DT)
> > > [ 31.648970] Call trace:
> > > [ 31.649345] show_stack+0x18/0x24 (C)
> > > [ 31.650960] dump_stack_lvl+0x40/0x84
> > > [ 31.651559] dump_stack+0x18/0x24
> > > [ 31.652264] panic+0x138/0x3b4
> > > [ 31.652812] __ktime_get_real_seconds+0x0/0x10
> > > [ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan]
> > > [ 31.654388] init_module+0x24/0xff4 [test_ubsan]
> > > [ 31.655077] do_one_initcall+0xd4/0x280
> > > [ 31.655680] do_init_module+0x58/0x2b4
> > >
> > > That happens because the test corrupts other data in the stack:
> > > 400: d5384108 mrs x8, sp_el0
> > > 404: f9426d08 ldr x8, [x8, #1240]
> > > 408: f85f83a9 ldur x9, [x29, #-8]
> > > 40c: eb09011f cmp x8, x9
> > > 410: 54000301 b.ne 470 <test_ubsan_out_of_bounds+0x154> // b.any
> > >
> > > As there is no guarantee the compiler will order the local variables
> > > as declared in the module:
> >
> > argh.
> >
> > > volatile char above[4] = { }; /* Protect surrounding memory. */
> > > volatile int arr[4];
> > > volatile char below[4] = { }; /* Protect surrounding memory. */
> > >
> > > So, instead of writing out-of-bound, we can read out-of-bound which
> > > still triggers UBSAN but doesn't corrupt the stack.
> >
> > Would it be better to put the above three items into a struct, so we
> > specify the layout?
>
> Yes, that also should work, but I ran into a panic because of another
> problem, where the padding before and after the arr is 4 bytes, but
> the index is "5", which is 8 bytes out of bound.
> As we can only use 4/-1 as out of bounds.
> That should also work:
>
> diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c
> index 8772e5edaa4f..4533e9cb52e6 100644
> --- a/lib/test_ubsan.c
> +++ b/lib/test_ubsan.c
> @@ -77,18 +77,18 @@ static void test_ubsan_shift_out_of_bounds(void)
>
> static void test_ubsan_out_of_bounds(void)
> {
> - volatile int i = 4, j = 5, k = -1;
> - volatile char above[4] = { }; /* Protect surrounding memory. */
> - volatile int arr[4];
> - volatile char below[4] = { }; /* Protect surrounding memory. */
> -
> - above[0] = below[0];
> + volatile int i = 4, j = 4, k = -1;
> + struct {
> + volatile char above[4]; /* Protect surrounding memory. */
> + volatile int arr[4];
> + volatile char below[4]; /* Protect surrounding memory. */
> + } data;
Instead of all the volatiles, I recommend using:
OPTIMIZER_HIDE_VAR(i);
OPTIMIZER_HIDE_VAR(j);
OPTIMIZER_HIDE_VAR(k);
OPTIMIZER_HIDE_VAR(data);
> UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
> - arr[j] = i;
> + data.arr[j] = i;
>
> UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
> - arr[k] = i;
> + data.arr[k] = i;
> }
>
> enum ubsan_test_enum {
>
> ---
>
> I can send v2 with this approach if it's better.
Yes please, the struct is the right solution to keep the memory
contiguous.
--
Kees Cook
Powered by blists - more mailing lists