* [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds
@ 2025-04-14 21:36 Mostafa Saleh
2025-04-15 0:04 ` Andrew Morton
0 siblings, 1 reply; 5+ messages in thread
From: Mostafa Saleh @ 2025-04-14 21:36 UTC (permalink / raw)
To: linux-kernel, kasan-dev, linux-hardening
Cc: akpm, kees, elver, andreyknvl, ryabinin.a.a, Mostafa Saleh
Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the
kernel
[ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan]
[ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT
[ 31.648153] Hardware name: linux,dummy-virt (DT)
[ 31.648970] Call trace:
[ 31.649345] show_stack+0x18/0x24 (C)
[ 31.650960] dump_stack_lvl+0x40/0x84
[ 31.651559] dump_stack+0x18/0x24
[ 31.652264] panic+0x138/0x3b4
[ 31.652812] __ktime_get_real_seconds+0x0/0x10
[ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan]
[ 31.654388] init_module+0x24/0xff4 [test_ubsan]
[ 31.655077] do_one_initcall+0xd4/0x280
[ 31.655680] do_init_module+0x58/0x2b4
That happens because the test corrupts other data in the stack:
400: d5384108 mrs x8, sp_el0
404: f9426d08 ldr x8, [x8, #1240]
408: f85f83a9 ldur x9, [x29, #-8]
40c: eb09011f cmp x8, x9
410: 54000301 b.ne 470 <test_ubsan_out_of_bounds+0x154> // b.any
As there is no guarantee the compiler will order the local variables
as declared in the module:
volatile char above[4] = { }; /* Protect surrounding memory. */
volatile int arr[4];
volatile char below[4] = { }; /* Protect surrounding memory. */
So, instead of writing out-of-bound, we can read out-of-bound which
still triggers UBSAN but doesn't corrupt the stack.
Signed-off-by: Mostafa Saleh <smostafa@google.com>
---
lib/test_ubsan.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c
index 8772e5edaa4f..0e5c18b32b2d 100644
--- a/lib/test_ubsan.c
+++ b/lib/test_ubsan.c
@@ -77,18 +77,15 @@ static void test_ubsan_shift_out_of_bounds(void)
static void test_ubsan_out_of_bounds(void)
{
- volatile int i = 4, j = 5, k = -1;
- volatile char above[4] = { }; /* Protect surrounding memory. */
+ volatile int j = 5, k = -1;
+ volatile int scratch[4] = { };
volatile int arr[4];
- volatile char below[4] = { }; /* Protect surrounding memory. */
-
- above[0] = below[0];
UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
- arr[j] = i;
+ scratch[1] = arr[j];
UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
- arr[k] = i;
+ scratch[2] = arr[k];
}
enum ubsan_test_enum {
--
2.49.0.604.gff1f9ca942-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds 2025-04-14 21:36 [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds Mostafa Saleh @ 2025-04-15 0:04 ` Andrew Morton 2025-04-15 8:48 ` Mostafa Saleh 0 siblings, 1 reply; 5+ messages in thread From: Andrew Morton @ 2025-04-15 0:04 UTC (permalink / raw) To: Mostafa Saleh Cc: linux-kernel, kasan-dev, linux-hardening, kees, elver, andreyknvl, ryabinin.a.a On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@google.com> wrote: > Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the > kernel > > [ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan] > [ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT > [ 31.648153] Hardware name: linux,dummy-virt (DT) > [ 31.648970] Call trace: > [ 31.649345] show_stack+0x18/0x24 (C) > [ 31.650960] dump_stack_lvl+0x40/0x84 > [ 31.651559] dump_stack+0x18/0x24 > [ 31.652264] panic+0x138/0x3b4 > [ 31.652812] __ktime_get_real_seconds+0x0/0x10 > [ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan] > [ 31.654388] init_module+0x24/0xff4 [test_ubsan] > [ 31.655077] do_one_initcall+0xd4/0x280 > [ 31.655680] do_init_module+0x58/0x2b4 > > That happens because the test corrupts other data in the stack: > 400: d5384108 mrs x8, sp_el0 > 404: f9426d08 ldr x8, [x8, #1240] > 408: f85f83a9 ldur x9, [x29, #-8] > 40c: eb09011f cmp x8, x9 > 410: 54000301 b.ne 470 <test_ubsan_out_of_bounds+0x154> // b.any > > As there is no guarantee the compiler will order the local variables > as declared in the module: argh. > volatile char above[4] = { }; /* Protect surrounding memory. */ > volatile int arr[4]; > volatile char below[4] = { }; /* Protect surrounding memory. */ > > So, instead of writing out-of-bound, we can read out-of-bound which > still triggers UBSAN but doesn't corrupt the stack. Would it be better to put the above three items into a struct, so we specify the layout? > --- a/lib/test_ubsan.c > +++ b/lib/test_ubsan.c > @@ -77,18 +77,15 @@ static void test_ubsan_shift_out_of_bounds(void) > > static void test_ubsan_out_of_bounds(void) > { > - volatile int i = 4, j = 5, k = -1; > - volatile char above[4] = { }; /* Protect surrounding memory. */ > + volatile int j = 5, k = -1; > + volatile int scratch[4] = { }; > volatile int arr[4]; > - volatile char below[4] = { }; /* Protect surrounding memory. */ > - > - above[0] = below[0]; > > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above"); > - arr[j] = i; > + scratch[1] = arr[j]; > > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below"); > - arr[k] = i; > + scratch[2] = arr[k]; > } ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds 2025-04-15 0:04 ` Andrew Morton @ 2025-04-15 8:48 ` Mostafa Saleh 2025-04-15 17:09 ` Kees Cook 0 siblings, 1 reply; 5+ messages in thread From: Mostafa Saleh @ 2025-04-15 8:48 UTC (permalink / raw) To: Andrew Morton Cc: linux-kernel, kasan-dev, linux-hardening, kees, elver, andreyknvl, ryabinin.a.a On Mon, Apr 14, 2025 at 05:04:14PM -0700, Andrew Morton wrote: > On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@google.com> wrote: > > > Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the > > kernel > > > > [ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan] > > [ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT > > [ 31.648153] Hardware name: linux,dummy-virt (DT) > > [ 31.648970] Call trace: > > [ 31.649345] show_stack+0x18/0x24 (C) > > [ 31.650960] dump_stack_lvl+0x40/0x84 > > [ 31.651559] dump_stack+0x18/0x24 > > [ 31.652264] panic+0x138/0x3b4 > > [ 31.652812] __ktime_get_real_seconds+0x0/0x10 > > [ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan] > > [ 31.654388] init_module+0x24/0xff4 [test_ubsan] > > [ 31.655077] do_one_initcall+0xd4/0x280 > > [ 31.655680] do_init_module+0x58/0x2b4 > > > > That happens because the test corrupts other data in the stack: > > 400: d5384108 mrs x8, sp_el0 > > 404: f9426d08 ldr x8, [x8, #1240] > > 408: f85f83a9 ldur x9, [x29, #-8] > > 40c: eb09011f cmp x8, x9 > > 410: 54000301 b.ne 470 <test_ubsan_out_of_bounds+0x154> // b.any > > > > As there is no guarantee the compiler will order the local variables > > as declared in the module: > > argh. > > > volatile char above[4] = { }; /* Protect surrounding memory. */ > > volatile int arr[4]; > > volatile char below[4] = { }; /* Protect surrounding memory. */ > > > > So, instead of writing out-of-bound, we can read out-of-bound which > > still triggers UBSAN but doesn't corrupt the stack. > > Would it be better to put the above three items into a struct, so we > specify the layout? Yes, that also should work, but I ran into a panic because of another problem, where the padding before and after the arr is 4 bytes, but the index is "5", which is 8 bytes out of bound. As we can only use 4/-1 as out of bounds. That should also work: diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c index 8772e5edaa4f..4533e9cb52e6 100644 --- a/lib/test_ubsan.c +++ b/lib/test_ubsan.c @@ -77,18 +77,18 @@ static void test_ubsan_shift_out_of_bounds(void) static void test_ubsan_out_of_bounds(void) { - volatile int i = 4, j = 5, k = -1; - volatile char above[4] = { }; /* Protect surrounding memory. */ - volatile int arr[4]; - volatile char below[4] = { }; /* Protect surrounding memory. */ - - above[0] = below[0]; + volatile int i = 4, j = 4, k = -1; + struct { + volatile char above[4]; /* Protect surrounding memory. */ + volatile int arr[4]; + volatile char below[4]; /* Protect surrounding memory. */ + } data; UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above"); - arr[j] = i; + data.arr[j] = i; UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below"); - arr[k] = i; + data.arr[k] = i; } enum ubsan_test_enum { --- I can send v2 with this approach if it's better. Thanks, Mostafa > > > --- a/lib/test_ubsan.c > > +++ b/lib/test_ubsan.c > > @@ -77,18 +77,15 @@ static void test_ubsan_shift_out_of_bounds(void) > > > > static void test_ubsan_out_of_bounds(void) > > { > > - volatile int i = 4, j = 5, k = -1; > > - volatile char above[4] = { }; /* Protect surrounding memory. */ > > + volatile int j = 5, k = -1; > > + volatile int scratch[4] = { }; > > volatile int arr[4]; > > - volatile char below[4] = { }; /* Protect surrounding memory. */ > > - > > - above[0] = below[0]; > > > > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above"); > > - arr[j] = i; > > + scratch[1] = arr[j]; > > > > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below"); > > - arr[k] = i; > > + scratch[2] = arr[k]; > > } > ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds 2025-04-15 8:48 ` Mostafa Saleh @ 2025-04-15 17:09 ` Kees Cook 2025-04-15 17:26 ` Mostafa Saleh 0 siblings, 1 reply; 5+ messages in thread From: Kees Cook @ 2025-04-15 17:09 UTC (permalink / raw) To: Mostafa Saleh Cc: Andrew Morton, linux-kernel, kasan-dev, linux-hardening, elver, andreyknvl, ryabinin.a.a On Tue, Apr 15, 2025 at 08:48:30AM +0000, Mostafa Saleh wrote: > On Mon, Apr 14, 2025 at 05:04:14PM -0700, Andrew Morton wrote: > > On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@google.com> wrote: > > > > > Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the > > > kernel > > > > > > [ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan] > > > [ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT > > > [ 31.648153] Hardware name: linux,dummy-virt (DT) > > > [ 31.648970] Call trace: > > > [ 31.649345] show_stack+0x18/0x24 (C) > > > [ 31.650960] dump_stack_lvl+0x40/0x84 > > > [ 31.651559] dump_stack+0x18/0x24 > > > [ 31.652264] panic+0x138/0x3b4 > > > [ 31.652812] __ktime_get_real_seconds+0x0/0x10 > > > [ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan] > > > [ 31.654388] init_module+0x24/0xff4 [test_ubsan] > > > [ 31.655077] do_one_initcall+0xd4/0x280 > > > [ 31.655680] do_init_module+0x58/0x2b4 > > > > > > That happens because the test corrupts other data in the stack: > > > 400: d5384108 mrs x8, sp_el0 > > > 404: f9426d08 ldr x8, [x8, #1240] > > > 408: f85f83a9 ldur x9, [x29, #-8] > > > 40c: eb09011f cmp x8, x9 > > > 410: 54000301 b.ne 470 <test_ubsan_out_of_bounds+0x154> // b.any > > > > > > As there is no guarantee the compiler will order the local variables > > > as declared in the module: > > > > argh. > > > > > volatile char above[4] = { }; /* Protect surrounding memory. */ > > > volatile int arr[4]; > > > volatile char below[4] = { }; /* Protect surrounding memory. */ > > > > > > So, instead of writing out-of-bound, we can read out-of-bound which > > > still triggers UBSAN but doesn't corrupt the stack. > > > > Would it be better to put the above three items into a struct, so we > > specify the layout? > > Yes, that also should work, but I ran into a panic because of another > problem, where the padding before and after the arr is 4 bytes, but > the index is "5", which is 8 bytes out of bound. > As we can only use 4/-1 as out of bounds. > That should also work: > > diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c > index 8772e5edaa4f..4533e9cb52e6 100644 > --- a/lib/test_ubsan.c > +++ b/lib/test_ubsan.c > @@ -77,18 +77,18 @@ static void test_ubsan_shift_out_of_bounds(void) > > static void test_ubsan_out_of_bounds(void) > { > - volatile int i = 4, j = 5, k = -1; > - volatile char above[4] = { }; /* Protect surrounding memory. */ > - volatile int arr[4]; > - volatile char below[4] = { }; /* Protect surrounding memory. */ > - > - above[0] = below[0]; > + volatile int i = 4, j = 4, k = -1; > + struct { > + volatile char above[4]; /* Protect surrounding memory. */ > + volatile int arr[4]; > + volatile char below[4]; /* Protect surrounding memory. */ > + } data; Instead of all the volatiles, I recommend using: OPTIMIZER_HIDE_VAR(i); OPTIMIZER_HIDE_VAR(j); OPTIMIZER_HIDE_VAR(k); OPTIMIZER_HIDE_VAR(data); > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above"); > - arr[j] = i; > + data.arr[j] = i; > > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below"); > - arr[k] = i; > + data.arr[k] = i; > } > > enum ubsan_test_enum { > > --- > > I can send v2 with this approach if it's better. Yes please, the struct is the right solution to keep the memory contiguous. -- Kees Cook ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds 2025-04-15 17:09 ` Kees Cook @ 2025-04-15 17:26 ` Mostafa Saleh 0 siblings, 0 replies; 5+ messages in thread From: Mostafa Saleh @ 2025-04-15 17:26 UTC (permalink / raw) To: Kees Cook Cc: Andrew Morton, linux-kernel, kasan-dev, linux-hardening, elver, andreyknvl, ryabinin.a.a On Tue, Apr 15, 2025 at 10:09:00AM -0700, Kees Cook wrote: > On Tue, Apr 15, 2025 at 08:48:30AM +0000, Mostafa Saleh wrote: > > On Mon, Apr 14, 2025 at 05:04:14PM -0700, Andrew Morton wrote: > > > On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@google.com> wrote: > > > > > > > Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the > > > > kernel > > > > > > > > [ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan] > > > > [ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT > > > > [ 31.648153] Hardware name: linux,dummy-virt (DT) > > > > [ 31.648970] Call trace: > > > > [ 31.649345] show_stack+0x18/0x24 (C) > > > > [ 31.650960] dump_stack_lvl+0x40/0x84 > > > > [ 31.651559] dump_stack+0x18/0x24 > > > > [ 31.652264] panic+0x138/0x3b4 > > > > [ 31.652812] __ktime_get_real_seconds+0x0/0x10 > > > > [ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan] > > > > [ 31.654388] init_module+0x24/0xff4 [test_ubsan] > > > > [ 31.655077] do_one_initcall+0xd4/0x280 > > > > [ 31.655680] do_init_module+0x58/0x2b4 > > > > > > > > That happens because the test corrupts other data in the stack: > > > > 400: d5384108 mrs x8, sp_el0 > > > > 404: f9426d08 ldr x8, [x8, #1240] > > > > 408: f85f83a9 ldur x9, [x29, #-8] > > > > 40c: eb09011f cmp x8, x9 > > > > 410: 54000301 b.ne 470 <test_ubsan_out_of_bounds+0x154> // b.any > > > > > > > > As there is no guarantee the compiler will order the local variables > > > > as declared in the module: > > > > > > argh. > > > > > > > volatile char above[4] = { }; /* Protect surrounding memory. */ > > > > volatile int arr[4]; > > > > volatile char below[4] = { }; /* Protect surrounding memory. */ > > > > > > > > So, instead of writing out-of-bound, we can read out-of-bound which > > > > still triggers UBSAN but doesn't corrupt the stack. > > > > > > Would it be better to put the above three items into a struct, so we > > > specify the layout? > > > > Yes, that also should work, but I ran into a panic because of another > > problem, where the padding before and after the arr is 4 bytes, but > > the index is "5", which is 8 bytes out of bound. > > As we can only use 4/-1 as out of bounds. > > That should also work: > > > > diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c > > index 8772e5edaa4f..4533e9cb52e6 100644 > > --- a/lib/test_ubsan.c > > +++ b/lib/test_ubsan.c > > @@ -77,18 +77,18 @@ static void test_ubsan_shift_out_of_bounds(void) > > > > static void test_ubsan_out_of_bounds(void) > > { > > - volatile int i = 4, j = 5, k = -1; > > - volatile char above[4] = { }; /* Protect surrounding memory. */ > > - volatile int arr[4]; > > - volatile char below[4] = { }; /* Protect surrounding memory. */ > > - > > - above[0] = below[0]; > > + volatile int i = 4, j = 4, k = -1; > > + struct { > > + volatile char above[4]; /* Protect surrounding memory. */ > > + volatile int arr[4]; > > + volatile char below[4]; /* Protect surrounding memory. */ > > + } data; > > Instead of all the volatiles, I recommend using: > > OPTIMIZER_HIDE_VAR(i); > OPTIMIZER_HIDE_VAR(j); > OPTIMIZER_HIDE_VAR(k); > OPTIMIZER_HIDE_VAR(data); > I can do that in v2, although the rest of the test still uses volatile, I can convert them in a separate patch if it's worth it. Also, OPTIMIZER_HIDE_VAR(), doesn't seem to work for structs or arrays. Instead of using it per elements, I guess READ/WRITE_ONCE might be more suitable for that. > > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above"); > > - arr[j] = i; > > + data.arr[j] = i; > > > > UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below"); > > - arr[k] = i; > > + data.arr[k] = i; > > } > > > > enum ubsan_test_enum { > > > > --- > > > > I can send v2 with this approach if it's better. > > Yes please, the struct is the right solution to keep the memory > contiguous. Will do. Thanks, Mostafa > > -- > Kees Cook ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-04-15 17:26 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-04-14 21:36 [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds Mostafa Saleh 2025-04-15 0:04 ` Andrew Morton 2025-04-15 8:48 ` Mostafa Saleh 2025-04-15 17:09 ` Kees Cook 2025-04-15 17:26 ` Mostafa Saleh
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox