From: Ivan Orlov <ivan.orlov0322@gmail.com>
To: Erhard Furtner <erhard_f@mailbox.org>, Kees Cook <kees@kernel.org>
Cc: linux-mm@kvack.org, linuxppc-dev@lists.ozlabs.org,
David Gow <davidgow@google.com>,
kunit-dev@googlegroups.com
Subject: Re: OVERFLOW_KUNIT_TEST fails with BUG: KASAN: stack-out-of-bounds in string_nocheck+0x168/0x1c8 (kernel 6.11-rc2, PowerMac G4 DP)
Date: Thu, 15 Aug 2024 00:58:45 +0100 [thread overview]
Message-ID: <e40749be-5f0c-458f-8baa-c32f76491605@gmail.com> (raw)
In-Reply-To: <81303aa9-40a4-42ec-8e48-4a460398d469@gmail.com>
On 8/15/24 00:26, Ivan Orlov wrote:
>
> As you can see, the device name is defined as a local variable, which
> means that it doesn't exist out of the 'overflow_allocation_test'
> function scope. This patch:
>
> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> index f314a0c15a6d..fa7ca8c94eee 100644
> --- a/lib/overflow_kunit.c
> +++ b/lib/overflow_kunit.c
> @@ -668,7 +668,7 @@ DEFINE_TEST_ALLOC(devm_kzalloc, devm_kfree, 1, 1, 0);
>
> static void overflow_allocation_test(struct kunit *test)
> {
> - const char device_name[] = "overflow-test";
> + static const char device_name[] = "overflow-test";
> struct device *dev;
> int count = 0;
>
>
> Seems to fix the problem and it is not reproducable anymore.
>
> I will send the proper patch tomorrow.
>
> Good night!
>
Forgot to mention that the problem is intermittently reproducible on
QEMU x86_64, and this is the only architecture I tested the solution on.
However, it looks like the initial report points us to
'module_remove_driver' function, which presumably calls the following
kasprintf as a part of 'make_driver_name' function which also operates
on driver name. If driver name points to invalid memory range (because
it is out of scope), it is going to cause a KASAN bug kernel panic.
--
Kind regards,
Ivan Orlov
next prev parent reply other threads:[~2024-08-14 23:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-09 21:15 OVERFLOW_KUNIT_TEST fails with BUG: KASAN: stack-out-of-bounds in string_nocheck+0x168/0x1c8 (kernel 6.11-rc2, PowerMac G4 DP) Erhard Furtner
2024-08-12 18:54 ` Kees Cook
2024-08-14 20:38 ` Erhard Furtner
2024-08-14 23:26 ` Ivan Orlov
2024-08-14 23:58 ` Ivan Orlov [this message]
2024-08-16 12:00 ` Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e40749be-5f0c-458f-8baa-c32f76491605@gmail.com \
--to=ivan.orlov0322@gmail.com \
--cc=davidgow@google.com \
--cc=erhard_f@mailbox.org \
--cc=kees@kernel.org \
--cc=kunit-dev@googlegroups.com \
--cc=linux-mm@kvack.org \
--cc=linuxppc-dev@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).