| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z_4dXk0RlyXYuzYt@google.com>
Date: Tue, 15 Apr 2025 08:48:30 +0000
From: Mostafa Saleh <smostafa@...gle.com>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: linux-kernel@...r.kernel.org, kasan-dev@...glegroups.com,
linux-hardening@...r.kernel.org, kees@...nel.org, elver@...gle.com,
andreyknvl@...il.com, ryabinin.a.a@...il.com
Subject: Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds
On Mon, Apr 14, 2025 at 05:04:14PM -0700, Andrew Morton wrote:
> On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@...gle.com> wrote:
>
> > Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the
> > kernel
> >
> > [ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan]
> > [ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT
> > [ 31.648153] Hardware name: linux,dummy-virt (DT)
> > [ 31.648970] Call trace:
> > [ 31.649345] show_stack+0x18/0x24 (C)
> > [ 31.650960] dump_stack_lvl+0x40/0x84
> > [ 31.651559] dump_stack+0x18/0x24
> > [ 31.652264] panic+0x138/0x3b4
> > [ 31.652812] __ktime_get_real_seconds+0x0/0x10
> > [ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan]
> > [ 31.654388] init_module+0x24/0xff4 [test_ubsan]
> > [ 31.655077] do_one_initcall+0xd4/0x280
> > [ 31.655680] do_init_module+0x58/0x2b4
> >
> > That happens because the test corrupts other data in the stack:
> > 400: d5384108 mrs x8, sp_el0
> > 404: f9426d08 ldr x8, [x8, #1240]
> > 408: f85f83a9 ldur x9, [x29, #-8]
> > 40c: eb09011f cmp x8, x9
> > 410: 54000301 b.ne 470 <test_ubsan_out_of_bounds+0x154> // b.any
> >
> > As there is no guarantee the compiler will order the local variables
> > as declared in the module:
>
> argh.
>
> > volatile char above[4] = { }; /* Protect surrounding memory. */
> > volatile int arr[4];
> > volatile char below[4] = { }; /* Protect surrounding memory. */
> >
> > So, instead of writing out-of-bound, we can read out-of-bound which
> > still triggers UBSAN but doesn't corrupt the stack.
>
> Would it be better to put the above three items into a struct, so we
> specify the layout?
Yes, that also should work, but I ran into a panic because of another
problem, where the padding before and after the arr is 4 bytes, but
the index is "5", which is 8 bytes out of bound.
As we can only use 4/-1 as out of bounds.
That should also work:
diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c
index 8772e5edaa4f..4533e9cb52e6 100644
--- a/lib/test_ubsan.c
+++ b/lib/test_ubsan.c
@@ -77,18 +77,18 @@ static void test_ubsan_shift_out_of_bounds(void)
static void test_ubsan_out_of_bounds(void)
{
- volatile int i = 4, j = 5, k = -1;
- volatile char above[4] = { }; /* Protect surrounding memory. */
- volatile int arr[4];
- volatile char below[4] = { }; /* Protect surrounding memory. */
-
- above[0] = below[0];
+ volatile int i = 4, j = 4, k = -1;
+ struct {
+ volatile char above[4]; /* Protect surrounding memory. */
+ volatile int arr[4];
+ volatile char below[4]; /* Protect surrounding memory. */
+ } data;
UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
- arr[j] = i;
+ data.arr[j] = i;
UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
- arr[k] = i;
+ data.arr[k] = i;
}
enum ubsan_test_enum {
---
I can send v2 with this approach if it's better.
Thanks,
Mostafa
>
> > --- a/lib/test_ubsan.c
> > +++ b/lib/test_ubsan.c
> > @@ -77,18 +77,15 @@ static void test_ubsan_shift_out_of_bounds(void)
> >
> > static void test_ubsan_out_of_bounds(void)
> > {
> > - volatile int i = 4, j = 5, k = -1;
> > - volatile char above[4] = { }; /* Protect surrounding memory. */
> > + volatile int j = 5, k = -1;
> > + volatile int scratch[4] = { };
> > volatile int arr[4];
> > - volatile char below[4] = { }; /* Protect surrounding memory. */
> > -
> > - above[0] = below[0];
> >
> > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
> > - arr[j] = i;
> > + scratch[1] = arr[j];
> >
> > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
> > - arr[k] = i;
> > + scratch[2] = arr[k];
> > }
>
Powered by blists - more mailing lists