lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 12 Jun 2023 14:16:28 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Richard Weinberger <richard@....at>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, <linux-kernel@...r.kernel.org>,
	<linux-hardening@...r.kernel.org>, <netdev@...r.kernel.org>,
	<keescook@...omium.org>, Richard Weinberger <richard@....at>, Petr Mladek
	<pmladek@...e.com>, Steven Rostedt <rostedt@...dmis.org>, Sergey Senozhatsky
	<senozhatsky@...omium.org>, Andy Shevchenko
	<andriy.shevchenko@...ux.intel.com>, Rasmus Villemoes
	<linux@...musvillemoes.dk>, "David S. Miller" <davem@...emloft.net>, "Eric
 Dumazet" <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
	<pabeni@...hat.com>, Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor
	<alex.gaynor@...il.com>, Wedson Almeida Filho <wedsonaf@...il.com>, "Boqun
 Feng" <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
	Björn Roy Baron <bjorn3_gh@...tonmail.com>, Benno Lossin
	<benno.lossin@...ton.me>, Alexei Starovoitov <ast@...nel.org>, "Daniel
 Borkmann" <daniel@...earbox.net>, Jesper Dangaard Brouer <hawk@...nel.org>,
	John Fastabend <john.fastabend@...il.com>, <oliver.sang@...el.com>
Subject: Re: [RFC PATCH 1/1] vsprintf: Warn on integer scanning overflows


hi Richard Weinberger,

we noticed the new warning added in this patch was hit.
we know this commit should not be the real root cause, just send out this
report FYI.

Hello,

kernel test robot noticed "WARNING:at_lib/vsprintf.c:#vsscanf" on:

commit: 5f4287fc4655b77bfb9012a7a0ed630d65d01695 ("[RFC PATCH 1/1] vsprintf: Warn on integer scanning overflows")
url: https://github.com/intel-lab-lkp/linux/commits/Richard-Weinberger/vsprintf-Warn-on-integer-scanning-overflows/20230608-064044
base: https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/pstore
patch link: https://lore.kernel.org/all/20230607223755.1610-2-richard@nod.at/
patch subject: [RFC PATCH 1/1] vsprintf: Warn on integer scanning overflows

in testcase: kunit
version: 
with following parameters:

	group: group-01



compiler: gcc-12
test machine: 16 threads 1 sockets Intel(R) Xeon(R) CPU D-1541 @ 2.10GHz (Broadwell-DE) with 48G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202306121011.2487b7a9-oliver.sang@intel.com


[  105.244690][  T819] ------------[ cut here ]------------
[ 105.253891][ T819] WARNING: CPU: 11 PID: 819 at lib/vsprintf.c:3701 vsscanf (lib/vsprintf.c:3701 (discriminator 1)) 
[  105.272240][  T819] Modules linked in: test_scanf(N+) intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha512_ssse3 btrfs blake2b_generic xor raid6_pq libcrc32c crc32c_intel rapl sd_mod t10_pi crc64_rocksoft_generic crc64_rocksoft crc64 sg ipmi_ssif intel_cstate ast drm_shmem_helper ahci drm_kms_helper libahci acpi_ipmi intel_uncore mei_me syscopyarea libata ipmi_si ioatdma joydev sysfillrect gpio_ich intel_pch_thermal sysimgblt mei mxm_wmi ipmi_devintf dca ipmi_msghandler wmi acpi_pad drm fuse ip_tables [last unloaded: test_static_key_base]
[  105.380736][  T819] CPU: 11 PID: 819 Comm: modprobe Tainted: G S               N 6.4.0-rc1-00002-g5f4287fc4655 #1
[  105.392450][  T819] Hardware name: Supermicro SYS-5018D-FN4T/X10SDV-8C-TLN4F, BIOS 1.1 03/02/2016
[ 105.402710][ T819] RIP: 0010:vsscanf (lib/vsprintf.c:3701 (discriminator 1)) 
[ 105.409007][ T819] Code: 4c 89 ef e8 4c ef eb fd 48 0f ba b4 24 a0 00 00 00 00 44 8b 4c 24 10 e9 7e ef ff ff 0f 0b e9 dd fc ff ff 0f 0b e9 d6 fc ff ff <0f> 0b e9 5b f8 ff ff 0f 0b e9 1b f9 ff ff 0f 0b e9 14 f9 ff ff 0f
All code
========
   0:	4c 89 ef             	mov    %r13,%rdi
   3:	e8 4c ef eb fd       	callq  0xfffffffffdebef54
   8:	48 0f ba b4 24 a0 00 	btrq   $0x0,0xa0(%rsp)
   f:	00 00 00 
  12:	44 8b 4c 24 10       	mov    0x10(%rsp),%r9d
  17:	e9 7e ef ff ff       	jmpq   0xffffffffffffef9a
  1c:	0f 0b                	ud2    
  1e:	e9 dd fc ff ff       	jmpq   0xfffffffffffffd00
  23:	0f 0b                	ud2    
  25:	e9 d6 fc ff ff       	jmpq   0xfffffffffffffd00
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	e9 5b f8 ff ff       	jmpq   0xfffffffffffff88c
  31:	0f 0b                	ud2    
  33:	e9 1b f9 ff ff       	jmpq   0xfffffffffffff953
  38:	0f 0b                	ud2    
  3a:	e9 14 f9 ff ff       	jmpq   0xfffffffffffff953
  3f:	0f                   	.byte 0xf

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	e9 5b f8 ff ff       	jmpq   0xfffffffffffff862
   7:	0f 0b                	ud2    
   9:	e9 1b f9 ff ff       	jmpq   0xfffffffffffff929
   e:	0f 0b                	ud2    
  10:	e9 14 f9 ff ff       	jmpq   0xfffffffffffff929
  15:	0f                   	.byte 0xf
[  105.431369][  T819] RSP: 0018:ffffc9000120f730 EFLAGS: 00010206
[  105.438770][  T819] RAX: 00000000ffffffff RBX: 00000000ffffffff RCX: 000000000000000f
[  105.448085][  T819] RDX: 00000000ffffffff RSI: ffffc9000120f6c0 RDI: 00000000fffffff0
[  105.457422][  T819] RBP: 1ffff92000241eee R08: ffff8881f4af5fff R09: 00000000ffffffff
[  105.466692][  T819] R10: 00000000000000ff R11: 0000000000000010 R12: dffffc0000000000
[  105.475991][  T819] R13: 0000000000000000 R14: ffffc9000120f8d0 R15: ffffffffc0a2ca42
[  105.485326][  T819] FS:  00007f4bfafd0540(0000) GS:ffff888ab9b80000(0000) knlGS:0000000000000000
[  105.495578][  T819] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  105.503457][  T819] CR2: 00005645746ea122 CR3: 000000016b904002 CR4: 00000000003706e0
[  105.512757][  T819] DR0: ffffffff8635204c DR1: ffffffff8635204d DR2: ffffffff8635204e
[  105.522075][  T819] DR3: ffffffff8635204f DR6: 00000000fffe0ff0 DR7: 0000000000000600
[  105.531423][  T819] Call Trace:
[  105.536017][  T819]  <TASK>
[ 105.540310][ T819] ? simple_strtol (lib/vsprintf.c:3433) 
[ 105.546195][ T819] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:186 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 105.552848][ T819] ? _raw_read_unlock_irqrestore (kernel/locking/spinlock.c:161) 
[ 105.559938][ T819] ? vsnprintf (lib/vsprintf.c:2768) 
[ 105.565718][ T819] ? check_ushort (lib/test_scanf.c:120) test_scanf
[ 105.572801][ T819] _test (lib/test_scanf.c:44) test_scanf
[ 105.579005][ T819] ? check_ull (lib/test_scanf.c:33) test_scanf
[ 105.585851][ T819] ? kasan_save_stack (mm/kasan/common.c:46) 
[ 105.591946][ T819] ? snprintf (lib/vsprintf.c:2948) 
[ 105.597318][ T819] numbers_simple (lib/test_scanf.c:242 (discriminator 8)) test_scanf
[ 105.604512][ T819] ? _test (lib/test_scanf.c:218) test_scanf
[ 105.610909][ T819] selftest (lib/test_scanf.c:771 lib/test_scanf.c:800) test_scanf
[ 105.617312][ T819] ? selftest (lib/test_scanf.c:811) test_scanf
[ 105.623967][ T819] test_scanf_init (lib/test_scanf.c:811) test_scanf
[ 105.630968][ T819] do_one_initcall (init/main.c:1246) 
[ 105.636828][ T819] ? trace_event_raw_event_initcall_level (init/main.c:1237) 
[ 105.644758][ T819] ? kasan_unpoison (mm/kasan/shadow.c:160 mm/kasan/shadow.c:194) 
[ 105.650593][ T819] do_init_module (kernel/module/main.c:2529) 
[ 105.656423][ T819] load_module (kernel/module/main.c:2980) 
[ 105.662145][ T819] ? post_relocation (kernel/module/main.c:2829) 
[ 105.668227][ T819] ? __x64_sys_fspick (fs/kernel_read_file.c:38) 
[ 105.674383][ T819] ? __do_sys_finit_module (kernel/module/main.c:3099) 
[ 105.680880][ T819] __do_sys_finit_module (kernel/module/main.c:3099) 
[ 105.687189][ T819] ? __ia32_sys_init_module (kernel/module/main.c:3061) 
[ 105.693654][ T819] ? randomize_page (mm/util.c:533) 
[ 105.699366][ T819] ? ksys_mmap_pgoff (mm/mmap.c:1445) 
[ 105.705319][ T819] ? __fdget_pos (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-long.h:29 include/linux/atomic/atomic-instrumented.h:1310 fs/file.c:1045) 
[ 105.710712][ T819] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 105.716060][ T819] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[  105.722870][  T819] RIP: 0033:0x7f4bfb0f19b9
[ 105.728156][ T819] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a7 54 0c 00 f7 d8 64 89 01 48
All code
========
   0:	00 c3                	add    %al,%bl
   2:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   9:	00 00 00 
   c:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq   
  33:	48 8b 0d a7 54 0c 00 	mov    0xc54a7(%rip),%rcx        # 0xc54e1
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq   
   9:	48 8b 0d a7 54 0c 00 	mov    0xc54a7(%rip),%rcx        # 0xc54b7
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki



View attachment "config-6.4.0-rc1-00002-g5f4287fc4655" of type "text/plain" (189546 bytes)

View attachment "job-script" of type "text/plain" (7302 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (60004 bytes)

View attachment "kunit" of type "text/plain" (354127 bytes)

View attachment "job.yaml" of type "text/plain" (6062 bytes)

View attachment "reproduce" of type "text/plain" (1131 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ