From: Kees Cook <kees@kernel.org>
To: Mostafa Saleh <smostafa@google.com>
Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
linux-hardening@vger.kernel.org, akpm@linux-foundation.org,
elver@google.com, andreyknvl@gmail.com, ryabinin.a.a@gmail.com
Subject: Re: [PATCH v2] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds
Date: Tue, 15 Apr 2025 13:43:36 -0700 [thread overview]
Message-ID: <202504151343.794CF53@keescook> (raw)
In-Reply-To: <20250415203354.4109415-1-smostafa@google.com>
On Tue, Apr 15, 2025 at 08:33:54PM +0000, Mostafa Saleh wrote:
> Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the
> kernel
>
> [ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan]
> [ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT
> [ 31.648153] Hardware name: linux,dummy-virt (DT)
> [ 31.648970] Call trace:
> [ 31.649345] show_stack+0x18/0x24 (C)
> [ 31.650960] dump_stack_lvl+0x40/0x84
> [ 31.651559] dump_stack+0x18/0x24
> [ 31.652264] panic+0x138/0x3b4
> [ 31.652812] __ktime_get_real_seconds+0x0/0x10
> [ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan]
> [ 31.654388] init_module+0x24/0xff4 [test_ubsan]
> [ 31.655077] do_one_initcall+0xd4/0x280
> [ 31.655680] do_init_module+0x58/0x2b4
>
> That happens because the test corrupts other data in the stack:
> 400: d5384108 mrs x8, sp_el0
> 404: f9426d08 ldr x8, [x8, #1240]
> 408: f85f83a9 ldur x9, [x29, #-8]
> 40c: eb09011f cmp x8, x9
> 410: 54000301 b.ne 470 <test_ubsan_out_of_bounds+0x154> // b.any
>
> As there is no guarantee the compiler will order the local variables
> as declared in the module:
> volatile char above[4] = { }; /* Protect surrounding memory. */
> volatile int arr[4];
> volatile char below[4] = { }; /* Protect surrounding memory. */
>
> There is another problem where the out-of-bound index is 5 which is larger
> than the extra surrounding memory for protection.
>
> So, use a struct to enforce the ordering, and fix the index to be 4.
> Also, remove some of the volatiles and rely on OPTIMIZER_HIDE_VAR()
>
> Signed-off-by: Mostafa Saleh <smostafa@google.com>
Looks good; thanks!
Reviewed-by: Kees Cook <kees@kernel.org>
--
Kees Cook
next prev parent reply other threads:[~2025-04-15 20:43 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-15 20:33 [PATCH v2] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds Mostafa Saleh
2025-04-15 20:43 ` Kees Cook [this message]
2025-04-15 20:46 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202504151343.794CF53@keescook \
--to=kees@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=elver@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ryabinin.a.a@gmail.com \
--cc=smostafa@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.