Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds

public inbox for linux-hardening@vger.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <kees@kernel.org>
To: Mostafa Saleh <smostafa@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
	linux-hardening@vger.kernel.org, elver@google.com,
	andreyknvl@gmail.com, ryabinin.a.a@gmail.com
Subject: Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds
Date: Tue, 15 Apr 2025 10:09:00 -0700	[thread overview]
Message-ID: <202504151006.19150DFE@keescook> (raw)
In-Reply-To: <Z_4dXk0RlyXYuzYt@google.com>

On Tue, Apr 15, 2025 at 08:48:30AM +0000, Mostafa Saleh wrote:
> On Mon, Apr 14, 2025 at 05:04:14PM -0700, Andrew Morton wrote:
> > On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@google.com> wrote:
> > 
> > > Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the
> > > kernel
> > > 
> > > [   31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan]
> > > [   31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT
> > > [   31.648153] Hardware name: linux,dummy-virt (DT)
> > > [   31.648970] Call trace:
> > > [   31.649345]  show_stack+0x18/0x24 (C)
> > > [   31.650960]  dump_stack_lvl+0x40/0x84
> > > [   31.651559]  dump_stack+0x18/0x24
> > > [   31.652264]  panic+0x138/0x3b4
> > > [   31.652812]  __ktime_get_real_seconds+0x0/0x10
> > > [   31.653540]  test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan]
> > > [   31.654388]  init_module+0x24/0xff4 [test_ubsan]
> > > [   31.655077]  do_one_initcall+0xd4/0x280
> > > [   31.655680]  do_init_module+0x58/0x2b4
> > > 
> > > That happens because the test corrupts other data in the stack:
> > > 400:   d5384108        mrs     x8, sp_el0
> > > 404:   f9426d08        ldr     x8, [x8, #1240]
> > > 408:   f85f83a9        ldur    x9, [x29, #-8]
> > > 40c:   eb09011f        cmp     x8, x9
> > > 410:   54000301        b.ne    470 <test_ubsan_out_of_bounds+0x154>  // b.any
> > > 
> > > As there is no guarantee the compiler will order the local variables
> > > as declared in the module:
> > 
> > argh.
> > 
> > > 	volatile char above[4] = { }; /* Protect surrounding memory. */
> > > 	volatile int arr[4];
> > > 	volatile char below[4] = { }; /* Protect surrounding memory. */
> > > 
> > > So, instead of writing out-of-bound, we can read out-of-bound which
> > > still triggers UBSAN but doesn't corrupt the stack.
> > 
> > Would it be better to put the above three items into a struct, so we
> > specify the layout?
> 
> Yes, that also should work, but I ran into a panic because of another
> problem, where the padding before and after the arr is 4 bytes, but
> the index is "5", which is 8 bytes out of bound.
> As we can only use 4/-1 as out of bounds.
> That should also work:
> 
> diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c
> index 8772e5edaa4f..4533e9cb52e6 100644
> --- a/lib/test_ubsan.c
> +++ b/lib/test_ubsan.c
> @@ -77,18 +77,18 @@ static void test_ubsan_shift_out_of_bounds(void)
>  
>  static void test_ubsan_out_of_bounds(void)
>  {
> -	volatile int i = 4, j = 5, k = -1;
> -	volatile char above[4] = { }; /* Protect surrounding memory. */
> -	volatile int arr[4];
> -	volatile char below[4] = { }; /* Protect surrounding memory. */
> -
> -	above[0] = below[0];
> +	volatile int i = 4, j = 4, k = -1;
> +	struct {
> +		volatile char above[4]; /* Protect surrounding memory. */
> +		volatile int arr[4];
> +		volatile char below[4]; /* Protect surrounding memory. */
> +	} data;

Instead of all the volatiles, I recommend using:

	OPTIMIZER_HIDE_VAR(i);
	OPTIMIZER_HIDE_VAR(j);
	OPTIMIZER_HIDE_VAR(k);
	OPTIMIZER_HIDE_VAR(data);

>  	UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
> -	arr[j] = i;
> +	data.arr[j] = i;
>  
>  	UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
> -	arr[k] = i;
> +	data.arr[k] = i;
>  }
>  
>  enum ubsan_test_enum {
> 
> ---
> 
> I can send v2 with this approach if it's better.

Yes please, the struct is the right solution to keep the memory
contiguous.

-- 
Kees Cook

next prev parent reply	other threads:[~2025-04-15 17:09 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-14 21:36 [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds Mostafa Saleh
2025-04-15  0:04 ` Andrew Morton
2025-04-15  8:48   ` Mostafa Saleh
2025-04-15 17:09     ` Kees Cook [this message]
2025-04-15 17:26       ` Mostafa Saleh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202504151006.19150DFE@keescook \
    --to=kees@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=andreyknvl@gmail.com \
    --cc=elver@google.com \
    --cc=kasan-dev@googlegroups.com \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ryabinin.a.a@gmail.com \
    --cc=smostafa@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox