Re: [PATCH] kunit/fortify: Replace "volatile" with OPTIMIZER_HIDE_VAR()

[Kees Cook <kees@kernel.org>]

On Mon, Mar 17, 2025 at 10:48:40AM -0700, Nathan Chancellor wrote:
> Hi Kees,
> 
> On Tue, Mar 11, 2025 at 05:04:40PM -0700, Kees Cook wrote:
> > It does seem that using "volatile" isn't going to be sane compared to
> > using OPTIMIZER_HIDE_VAR() going forward. Some strange interactions[1]
> > with the sanitizers have been observed in the self-test code, so replace
> > the logic.
> > 
> > Reported-by: Nathan Chancellor <nathan@kernel.org>
> > Closes: https://github.com/ClangBuiltLinux/linux/issues/2075 [1]
> > Signed-off-by: Kees Cook <kees@kernel.org>
> ...
> > diff --git a/lib/tests/fortify_kunit.c b/lib/tests/fortify_kunit.c
> > index 18dcdedf777f..29ffc62a71e3 100644
> > --- a/lib/tests/fortify_kunit.c
> > +++ b/lib/tests/fortify_kunit.c
> ...
> > @@ -993,8 +1003,11 @@ static void fortify_test_memcmp(struct kunit *test)
> >  {
> >  	char one[] = "My mind is going ...";
> >  	char two[] = "My mind is going ... I can feel it.";
> > -	size_t one_len = sizeof(one) + unconst - 1;
> > -	size_t two_len = sizeof(two) + unconst - 1;
> > +	size_t one_len = sizeof(one) - 1;
> > +	size_t two_len = sizeof(two) - 1;
> > +
> > +	OPTIMIZER_HIDE_VAR(one_len);
> > +	OPTIMIZER_HIDE_VAR(two_len);
> >  
> >  	/* We match the first string (ignoring the %NUL). */
> >  	KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0);
> 
> I am sorry for bringing this up some time after you sent this change, as
> I have only now had a chance to actually sit down and understand the
> results of my bisect. I am still seeing a __read_overflow error when
> building lib/tests/fortify_kunit.o with Fedora's configuration + LTO in
> next-20250317, which contains this change. I do not think it is issue
> 2075, as I can reproduce it without UBSAN enabled altogether. This is
> with LLVM 20.1.0.

Hmpf. Well, I guess I'll continue to debug these. I think I'll keep the
patch that refactors volatile -- I prefer OPTIMIZER_HIDE_VAR() as it's a
more direct way to indicate what I want the compiler to ignore. I've
been trying to move to using it instead of my old style volatile uses.

> $ cat kernel/configs/repro.config
> CONFIG_FORTIFY_KUNIT_TEST=m
> CONFIG_FORTIFY_SOURCE=y
> CONFIG_KUNIT=y
> # CONFIG_LTO_NONE is not set
> CONFIG_LTO_CLANG_THIN=y

Thanks for the config that pokes it!

> 
> # or x86_64
> $ make -skj"$(nproc)" ARCH=arm64 LLVM=1 mrproper {def,repro.}config lib/tests/fortify_kunit.o
> ld.lld: error: call to __read_overflow marked "dontcall-error": detected read beyond size of object (1st parameter)
> make[6]: *** [scripts/Makefile.build:203: lib/tests/fortify_kunit.o] Error 1
> 
> Selectively reverting this avoids the problem, which is definitely
> odd... Maybe issue 2075 is related more to issue 2077 and this patch
> should not be entertained?

Yeah, I don't yet see what is going on with these. :|

-Kees

-- 
Kees Cook