From: Charlie Jenkins <charlie@rivosinc.com>
To: Alexandre Ghiti <alexghiti@rivosinc.com>
Cc: Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Andy Chiu <andy.chiu@sifive.com>,
linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH -fixes] riscv: Fix out-of-bounds when accessing Andes per hart vendor extension array
Date: Tue, 13 Aug 2024 18:29:35 -0700
Message-ID: <ZrwIf8nwte43+274@ghost>
In-Reply-To: <20240811150229.82321-1-alexghiti@rivosinc.com>
On Sun, Aug 11, 2024 at 05:02:29PM +0200, Alexandre Ghiti wrote:
> The out-of-bounds access is reported by UBSAN:
>
> [ 0.000000] UBSAN: array-index-out-of-bounds in ../arch/riscv/kernel/vendor_extensions.c:41:66
> [ 0.000000] index -1 is out of range for type 'riscv_isavendorinfo [32]'
> [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.11.0-rc2ubuntu-defconfig #2
> [ 0.000000] Hardware name: riscv-virtio,qemu (DT)
> [ 0.000000] Call Trace:
> [ 0.000000] [<ffffffff94e078ba>] dump_backtrace+0x32/0x40
> [ 0.000000] [<ffffffff95c83c1a>] show_stack+0x38/0x44
> [ 0.000000] [<ffffffff95c94614>] dump_stack_lvl+0x70/0x9c
> [ 0.000000] [<ffffffff95c94658>] dump_stack+0x18/0x20
> [ 0.000000] [<ffffffff95c8bbb2>] ubsan_epilogue+0x10/0x46
> [ 0.000000] [<ffffffff95485a82>] __ubsan_handle_out_of_bounds+0x94/0x9c
> [ 0.000000] [<ffffffff94e09442>] __riscv_isa_vendor_extension_available+0x90/0x92
> [ 0.000000] [<ffffffff94e043b6>] riscv_cpufeature_patch_func+0xc4/0x148
> [ 0.000000] [<ffffffff94e035f8>] _apply_alternatives+0x42/0x50
> [ 0.000000] [<ffffffff95e04196>] apply_boot_alternatives+0x3c/0x100
> [ 0.000000] [<ffffffff95e05b52>] setup_arch+0x85a/0x8bc
> [ 0.000000] [<ffffffff95e00ca0>] start_kernel+0xa4/0xfb6
>
> This happens because we unconditionally use the cpu parameter to access
> this array. But if -1 is passed, that means we should not and we don't
> need to access this array, so simply prevent accessing the array in that case.
>
> Fixes: 23c996fc2bc1 ("riscv: Extend cpufeature.c to detect vendor extensions")
> Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
> ---
> arch/riscv/kernel/vendor_extensions.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/arch/riscv/kernel/vendor_extensions.c b/arch/riscv/kernel/vendor_extensions.c
> index b6c1e7b5d34b..01dc79b1d17b 100644
> --- a/arch/riscv/kernel/vendor_extensions.c
> +++ b/arch/riscv/kernel/vendor_extensions.c
> @@ -27,7 +27,7 @@ const size_t riscv_isa_vendor_ext_list_size = ARRAY_SIZE(riscv_isa_vendor_ext_li
> * @bit: bit position of the desired extension
> * Return: true or false
> *
> - * NOTE: When cpu is -1, will check if extension is available on all cpus
> + * NOTE: When cpu is VENDOR_EXT_ALL_CPUS, will check if extension is available on all cpus
> */
> bool __riscv_isa_vendor_extension_available(int cpu, unsigned long vendor, unsigned int bit)
> {
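Review bot: the updated NOTE refers to VENDOR_EXT_ALL_CPUS, but nothing in this diff defines it and the diffstat touches only vendor_extensions.c, so the macro must already exist in a header; it also has to equal -1, the value the old comment documented and the index the UBSAN report shows riscv_cpufeature_patch_func passing, otherwise that call path stays unguarded. The commit message would be clearer if it said where the constant comes from and that it is the same -1.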
> @@ -38,14 +38,15 @@ bool __riscv_isa_vendor_extension_available(int cpu, unsigned long vendor, unsig
> #ifdef CONFIG_RISCV_ISA_VENDOR_EXT_ANDES
> case ANDES_VENDOR_ID:
> bmap = &riscv_isa_vendor_ext_list_andes.all_harts_isa_bitmap;
> - cpu_bmap = &riscv_isa_vendor_ext_list_andes.per_hart_isa_bitmap[cpu];
> + if (cpu != VENDOR_EXT_ALL_CPUS)
> + cpu_bmap = &riscv_isa_vendor_ext_list_andes.per_hart_isa_bitmap[cpu];
> break;
> #endif
> default:
> return false;
> }
>
> - if (cpu != -1)
> + if (cpu != VENDOR_EXT_ALL_CPUS)
> bmap = &cpu_bmap[cpu];
>
> if (bit >= RISCV_ISA_VENDOR_EXT_MAX)
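Review bot: the new `if (cpu != VENDOR_EXT_ALL_CPUS)` in the Andes case stops the -1 access but leaves the double index in place: cpu_bmap is set to `&riscv_isa_vendor_ext_list_andes.per_hart_isa_bitmap[cpu]` and the unchanged `bmap = &cpu_bmap[cpu];` below indexes by cpu a second time, so a valid cpu consults per_hart_isa_bitmap[2 * cpu], the wrong hart, and any cpu >= 16 runs past the 32-entry array the UBSAN report names. Assign the array itself, `cpu_bmap = riscv_isa_vendor_ext_list_andes.per_hart_isa_bitmap;`, and let the later if-statement do the only indexing; the added guard in the switch then becomes unnecessary. Separately, only bit is range-checked here; cpu is never checked against the array size before being used as an index.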
> --
> 2.39.2
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
The line that is setting the cpu_bmap shouldn't be indexing into it at
all. It is supposed to be:
cpu_bmap = &riscv_isa_vendor_ext_list_andes.per_hart_isa_bitmap;
The indexing is handled later on by the if-statement.
Thank you for looking into this.
- Charlie
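The double indexing Charlie describes, modelled as an added stand-alone example that is not the kernel's code nor anything posted in the thread. Names follow the patch (per_hart_isa_bitmap, all_harts_isa_bitmap, VENDOR_EXT_ALL_CPUS); the struct layout, the 32-entry size (taken from the UBSAN report), the sentinel value -1, the added range check on cpu and the sample bitmaps are assumptions made here. It puts the lookup as the posted patch leaves it next to the single-index form and shows that the bug is masked for an extension every hart has and visible for one that only hart 1 has.

```c
/*
 * Added example, not the kernel's code: a model of the Andes per-hart
 * lookup. The struct layout, NR_HARTS (32, from the UBSAN report), the
 * sentinel value and the sample bitmaps are assumptions, not taken from
 * the kernel sources.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_HARTS            32    /* 'riscv_isavendorinfo [32]' in the UBSAN report */
#define VENDOR_EXT_MAX      64    /* stands in for RISCV_ISA_VENDOR_EXT_MAX */
#define VENDOR_EXT_ALL_CPUS (-1)  /* assumed: the -1 the old comment documented */

struct isavendorinfo {
	unsigned long long isa[VENDOR_EXT_MAX / 64]; /* bit n set = extension n present */
};

struct vendor_ext_list {
	struct isavendorinfo all_harts_isa_bitmap;          /* extensions every hart has */
	struct isavendorinfo per_hart_isa_bitmap[NR_HARTS]; /* one entry per hart */
};

static bool vext_test_bit(unsigned int bit, const unsigned long long *isa)
{
	return (isa[bit / 64] >> (bit % 64)) & 1ULL;
}

static void vext_set_bit(unsigned int bit, unsigned long long *isa)
{
	isa[bit / 64] |= 1ULL << (bit % 64);
}

/*
 * As the posted patch leaves it: cpu_bmap already points at element [cpu]
 * and &cpu_bmap[cpu] indexes by cpu again, so hart 2 * cpu is consulted.
 * Only call with 0 <= cpu < NR_HARTS / 2 here; beyond that the read runs
 * past the array, which is the out-of-bounds access UBSAN reports.
 */
static bool ext_available_as_patched(const struct vendor_ext_list *list,
				     int cpu, unsigned int bit)
{
	const struct isavendorinfo *bmap = &list->all_harts_isa_bitmap;
	const struct isavendorinfo *cpu_bmap = NULL;

	if (cpu != VENDOR_EXT_ALL_CPUS)
		cpu_bmap = &list->per_hart_isa_bitmap[cpu];

	if (cpu != VENDOR_EXT_ALL_CPUS)
		bmap = &cpu_bmap[cpu];   /* second index: per_hart_isa_bitmap[2 * cpu] */

	if (bit >= VENDOR_EXT_MAX)
		return false;

	return vext_test_bit(bit, bmap->isa);
}

/*
 * With the change Charlie asks for (cpu_bmap is the array itself, so the
 * if-statement does the only indexing) plus a range check on cpu that the
 * kernel code does not have; the check is added in this model.
 */
static bool ext_available_fixed(const struct vendor_ext_list *list,
				int cpu, unsigned int bit)
{
	const struct isavendorinfo *bmap = &list->all_harts_isa_bitmap;
	const struct isavendorinfo *cpu_bmap = list->per_hart_isa_bitmap;

	if (bit >= VENDOR_EXT_MAX)
		return false;

	if (cpu != VENDOR_EXT_ALL_CPUS) {
		if (cpu < 0 || cpu >= NR_HARTS)
			return false;
		bmap = &cpu_bmap[cpu];
	}

	return vext_test_bit(bit, bmap->isa);
}

/* Constructed sample: extension 7 on every hart, extension 5 on hart 1 only. */
static const struct vendor_ext_list *sample_list(void)
{
	static struct vendor_ext_list list;
	static bool built;

	if (!built) {
		memset(&list, 0, sizeof(list));
		vext_set_bit(7, list.all_harts_isa_bitmap.isa);
		for (int i = 0; i < NR_HARTS; i++)
			vext_set_bit(7, list.per_hart_isa_bitmap[i].isa);
		vext_set_bit(5, list.per_hart_isa_bitmap[1].isa);
		built = true;
	}
	return &list;
}

int main(void)
{
	const struct vendor_ext_list *l = sample_list();

	printf("hart 1, ext 5: as patched %d, single index %d\n",
	       ext_available_as_patched(l, 1, 5), ext_available_fixed(l, 1, 5));
	printf("hart 1, ext 7: as patched %d (bug masked), hart 40: %d\n",
	       ext_available_as_patched(l, 1, 7), ext_available_fixed(l, 40, 7));
	return 0;
}
```

Asking for hart 1 returns hart 2's bitmap in the as-patched form, which is why an extension present on every hart hides the defect while a per-hart one exposes it; the -1 path behaves the same in both variants because neither touches the per-hart array there.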
Thread overview: 6+ messages
2024-08-11 15:02 [PATCH -fixes] riscv: Fix out-of-bounds when accessing Andes per hart vendor extension array Alexandre Ghiti
2024-08-12 15:16 ` Conor Dooley
2024-08-14 1:29 ` Charlie Jenkins [this message]