From: Mostafa Saleh <smostafa@google.com>
To: Kees Cook <kees@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
linux-hardening@vger.kernel.org, elver@google.com,
andreyknvl@gmail.com, ryabinin.a.a@gmail.com
Subject: Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds
Date: Tue, 15 Apr 2025 17:26:08 +0000 [thread overview]
Message-ID: <Z_6WsC9f0mby1nV7@google.com> (raw)
In-Reply-To: <202504151006.19150DFE@keescook>
On Tue, Apr 15, 2025 at 10:09:00AM -0700, Kees Cook wrote:
> On Tue, Apr 15, 2025 at 08:48:30AM +0000, Mostafa Saleh wrote:
> > On Mon, Apr 14, 2025 at 05:04:14PM -0700, Andrew Morton wrote:
> > > On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@google.com> wrote:
> > >
> > > > Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the
> > > > kernel
> > > >
> > > > [ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan]
> > > > [ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT
> > > > [ 31.648153] Hardware name: linux,dummy-virt (DT)
> > > > [ 31.648970] Call trace:
> > > > [ 31.649345] show_stack+0x18/0x24 (C)
> > > > [ 31.650960] dump_stack_lvl+0x40/0x84
> > > > [ 31.651559] dump_stack+0x18/0x24
> > > > [ 31.652264] panic+0x138/0x3b4
> > > > [ 31.652812] __ktime_get_real_seconds+0x0/0x10
> > > > [ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan]
> > > > [ 31.654388] init_module+0x24/0xff4 [test_ubsan]
> > > > [ 31.655077] do_one_initcall+0xd4/0x280
> > > > [ 31.655680] do_init_module+0x58/0x2b4
> > > >
> > > > That happens because the test corrupts other data in the stack:
> > > > 400: d5384108 mrs x8, sp_el0
> > > > 404: f9426d08 ldr x8, [x8, #1240]
> > > > 408: f85f83a9 ldur x9, [x29, #-8]
> > > > 40c: eb09011f cmp x8, x9
> > > > 410: 54000301 b.ne 470 <test_ubsan_out_of_bounds+0x154> // b.any
> > > >
> > > > As there is no guarantee the compiler will order the local variables
> > > > as declared in the module:
> > >
> > > argh.
> > >
> > > > volatile char above[4] = { }; /* Protect surrounding memory. */
> > > > volatile int arr[4];
> > > > volatile char below[4] = { }; /* Protect surrounding memory. */
> > > >
> > > > So, instead of writing out-of-bound, we can read out-of-bound which
> > > > still triggers UBSAN but doesn't corrupt the stack.
> > >
> > > Would it be better to put the above three items into a struct, so we
> > > specify the layout?
> >
> > Yes, that also should work, but I ran into a panic because of another
> > problem, where the padding before and after the arr is 4 bytes, but
> > the index is "5", which is 8 bytes out of bound.
> > As we can only use 4/-1 as out of bounds.
> > That should also work:
> >
> > diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c
> > index 8772e5edaa4f..4533e9cb52e6 100644
> > --- a/lib/test_ubsan.c
> > +++ b/lib/test_ubsan.c
> > @@ -77,18 +77,18 @@ static void test_ubsan_shift_out_of_bounds(void)
> >
> > static void test_ubsan_out_of_bounds(void)
> > {
> > - volatile int i = 4, j = 5, k = -1;
> > - volatile char above[4] = { }; /* Protect surrounding memory. */
> > - volatile int arr[4];
> > - volatile char below[4] = { }; /* Protect surrounding memory. */
> > -
> > - above[0] = below[0];
> > + volatile int i = 4, j = 4, k = -1;
> > + struct {
> > + volatile char above[4]; /* Protect surrounding memory. */
> > + volatile int arr[4];
> > + volatile char below[4]; /* Protect surrounding memory. */
> > + } data;
>
> Instead of all the volatiles, I recommend using:
>
> OPTIMIZER_HIDE_VAR(i);
> OPTIMIZER_HIDE_VAR(j);
> OPTIMIZER_HIDE_VAR(k);
> OPTIMIZER_HIDE_VAR(data);
>
I can do that in v2, although the rest of the test still
uses volatile, I can convert them in a separate patch if
it's worth it.
Also, OPTIMIZER_HIDE_VAR(), doesn't seem to work for structs
or arrays. Instead of using it per elements, I guess READ/WRITE_ONCE
might be more suitable for that.
> > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
> > - arr[j] = i;
> > + data.arr[j] = i;
> >
> > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
> > - arr[k] = i;
> > + data.arr[k] = i;
> > }
> >
> > enum ubsan_test_enum {
> >
> > ---
> >
> > I can send v2 with this approach if it's better.
>
> Yes please, the struct is the right solution to keep the memory
> contiguous.
Will do.
Thanks,
Mostafa
>
> --
> Kees Cook
prev parent reply other threads:[~2025-04-15 17:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-14 21:36 [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds Mostafa Saleh
2025-04-15 0:04 ` Andrew Morton
2025-04-15 8:48 ` Mostafa Saleh
2025-04-15 17:09 ` Kees Cook
2025-04-15 17:26 ` Mostafa Saleh [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z_6WsC9f0mby1nV7@google.com \
--to=smostafa@google.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=elver@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ryabinin.a.a@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.