From: Leon Romanovsky <leon@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	Peter Oberparleiter <oberpar@linux.ibm.com>
Cc: Leon Romanovsky <leonro@nvidia.com>,
	linux-kernel@vger.kernel.org,
	Colin Ian King <colin.king@canonical.com>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH rdma-next 1/4] gcov: Open-code kmemdup() to work correctly with kernel and user space pointers
Date: Wed,  2 Sep 2020 11:55:10 +0300
Message-ID: <20200902085513.748149-2-leon@kernel.org>
In-Reply-To: <20200902085513.748149-1-leon@kernel.org>

From: Leon Romanovsky <leonro@nvidia.com>

The kernel with KASAN and GCOV enabled generates the following splat
due to the situation that gcov_info can be both a user and a kernel pointer.

It is triggered by the memcpy() inside kmemdup(), so as a possible solution
let's copy fields manually.

 ==================================================================
 BUG: KASAN: global-out-of-bounds in kmemdup+0x43/0x70
 Read of size 120 at addr ffffffffa0d2c780 by task modprobe/296

 CPU: 0 PID: 296 Comm: modprobe Not tainted 5.9.0-rc1+ #1860
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04 /01/2014
 Call Trace:
   dump_stack+0x128/0x1af
   print_address_description.constprop.0+0x2c/0x3f0
   _raw_spin_lock_irqsave+0x34/0xa0
   __kasan_check_read+0x1d/0x30
   kmemdup+0x43/0x70
   kmemdup+0x43/0x70
   gcov_info_dup+0x2d/0x730
   __kasan_check_write+0x20/0x30
   __mutex_unlock_slowpath+0x10d/0x740
   gcov_event+0x88d/0xd30
   gcov_module_notifier+0xe9/0x100
   notifier_call_chain+0xeb/0x170
   blocking_notifier_call_chain+0x75/0xc0
   __x64_sys_delete_module+0x326/0x5a0
   do_init_module+0x810/0x810
   syscall_enter_from_user_mode+0x40/0x420
   trace_hardirqs_on+0x45/0xb0
   syscall_enter_from_user_mode+0x40/0x420
   do_syscall_64+0x45/0x70
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

 The buggy address belongs to the variable:
  __gcov_.uverbs_attr_get_obj+0x60/0xfffffffffff778e0 [mlx5_ib]

 Memory state around the buggy address:
  ffffffffa0d2c680: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
  ffffffffa0d2c700: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
 >ffffffffa0d2c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
                                                              ^
  ffffffffa0d2c800: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  ffffffffa0d2c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ==================================================================
 Disabling lock debugging due to kernel taint
 ---[ end trace 065ea9cc2ba144a6 ]---

Cc: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
 kernel/gcov/gcc_4_7.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/gcov/gcc_4_7.c b/kernel/gcov/gcc_4_7.c
index 908fdf5098c3..6d706c5eed5c 100644
--- a/kernel/gcov/gcc_4_7.c
+++ b/kernel/gcov/gcc_4_7.c
@@ -275,13 +275,13 @@ struct gcov_info *gcov_info_dup(struct gcov_info *info)
 	size_t fi_size; /* function info size */
 	size_t cv_size; /* counter values size */

-	dup = kmemdup(info, sizeof(*dup), GFP_KERNEL);
+	dup = kzalloc(sizeof(*dup), GFP_KERNEL);
 	if (!dup)
 		return NULL;

-	dup->next = NULL;
-	dup->filename = NULL;
-	dup->functions = NULL;
+	for (fi_idx = 0; fi_idx < GCOV_COUNTERS; fi_idx++)
+		dup->merge[fi_idx] = info->merge[fi_idx];
+	dup->n_functions = info->n_functions;

 	dup->filename = kstrdup(info->filename, GFP_KERNEL);
 	if (!dup->filename)
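Review bot: the splat this hunk is meant to fix is a global-out-of-bounds read of 120 bytes on `__gcov_.uverbs_attr_get_obj` in mlx5_ib, i.e. a kernel global in the module that is smaller than `sizeof(*dup)`, which points at a size/layout mismatch between the module's gcov_info and the kernel's struct rather than at a user-space pointer as the subject line and commit message claim; the open-coded copy still reads `info->merge[fi_idx]` and `info->n_functions` at the same offsets as the old kmemdup(), so it removes the memcpy() that KASAN flagged without addressing why the source object is too small. Separately, kzalloc() now leaves zeroed every member that kmemdup() used to copy, and the hunk only copies `merge[]` and `n_functions`; please state in the commit message why the remaining members are either set later in gcov_info_dup() or intentionally zero, and note that `fi_idx` is reused as the loop index here before its later use, which is worth a comment if it is shared with the function-info loop below.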
--
2.26.2


Thread overview: 17+ messages
2020-09-02  8:55 [PATCH -rc 0/4] Protect from GCC garbage input in GCOV Leon Romanovsky
2020-09-02  8:55 ` Leon Romanovsky [this message]
2020-09-02 17:38   ` [PATCH rdma-next 1/4] gcov: Open-code kmemdup() to work correctly with kernel and user space pointers Linus Torvalds
2020-09-02 17:46     ` Leon Romanovsky
2020-09-02 18:27       ` Linus Torvalds
2020-09-02 18:44         ` Leon Romanovsky
2020-09-02 19:04           ` Linus Torvalds
2020-09-02  8:55 ` [PATCH rdma-next 2/4] gcov: Use proper duplication routine for const pointer Leon Romanovsky
2020-09-03  8:56   ` Rasmus Villemoes
2020-09-03 10:38     ` Leon Romanovsky
2020-09-02  8:55 ` [PATCH rdma-next 3/4] gcov: Protect from uninitialized number of functions provided by GCC 10.2 Leon Romanovsky
2020-09-02 17:41   ` Linus Torvalds
2020-09-02  8:55 ` [PATCH rdma-next 4/4] gcov: Don't print out-of-memory print for all failed files Leon Romanovsky
2020-09-02 17:42 ` [PATCH -rc 0/4] Protect from GCC garbage input in GCOV Linus Torvalds
2020-09-02 17:52   ` Leon Romanovsky
2020-09-02 18:24     ` Linus Torvalds
2020-09-02 18:28       ` Leon Romanovsky
