Re: [PATCH] lib/test_ubsan.c: Fix panic from test_ubsan_out_of_bounds

[Mostafa Saleh <smostafa@google.com>]

On Mon, Apr 14, 2025 at 05:04:14PM -0700, Andrew Morton wrote:
> On Mon, 14 Apr 2025 21:36:48 +0000 Mostafa Saleh <smostafa@google.com> wrote:
> 
> > Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the
> > kernel
> > 
> > [   31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan]
> > [   31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT
> > [   31.648153] Hardware name: linux,dummy-virt (DT)
> > [   31.648970] Call trace:
> > [   31.649345]  show_stack+0x18/0x24 (C)
> > [   31.650960]  dump_stack_lvl+0x40/0x84
> > [   31.651559]  dump_stack+0x18/0x24
> > [   31.652264]  panic+0x138/0x3b4
> > [   31.652812]  __ktime_get_real_seconds+0x0/0x10
> > [   31.653540]  test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan]
> > [   31.654388]  init_module+0x24/0xff4 [test_ubsan]
> > [   31.655077]  do_one_initcall+0xd4/0x280
> > [   31.655680]  do_init_module+0x58/0x2b4
> > 
> > That happens because the test corrupts other data in the stack:
> > 400:   d5384108        mrs     x8, sp_el0
> > 404:   f9426d08        ldr     x8, [x8, #1240]
> > 408:   f85f83a9        ldur    x9, [x29, #-8]
> > 40c:   eb09011f        cmp     x8, x9
> > 410:   54000301        b.ne    470 <test_ubsan_out_of_bounds+0x154>  // b.any
> > 
> > As there is no guarantee the compiler will order the local variables
> > as declared in the module:
> 
> argh.
> 
> > 	volatile char above[4] = { }; /* Protect surrounding memory. */
> > 	volatile int arr[4];
> > 	volatile char below[4] = { }; /* Protect surrounding memory. */
> > 
> > So, instead of writing out-of-bound, we can read out-of-bound which
> > still triggers UBSAN but doesn't corrupt the stack.
> 
> Would it be better to put the above three items into a struct, so we
> specify the layout?

Yes, that also should work, but I ran into a panic because of another
problem, where the padding before and after the arr is 4 bytes, but
the index is "5", which is 8 bytes out of bound.
As we can only use 4/-1 as out of bounds.
That should also work:

diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c
index 8772e5edaa4f..4533e9cb52e6 100644
--- a/lib/test_ubsan.c
+++ b/lib/test_ubsan.c
@@ -77,18 +77,18 @@ static void test_ubsan_shift_out_of_bounds(void)
 
 static void test_ubsan_out_of_bounds(void)
 {
-	volatile int i = 4, j = 5, k = -1;
-	volatile char above[4] = { }; /* Protect surrounding memory. */
-	volatile int arr[4];
-	volatile char below[4] = { }; /* Protect surrounding memory. */
-
-	above[0] = below[0];
+	volatile int i = 4, j = 4, k = -1;
+	struct {
+		volatile char above[4]; /* Protect surrounding memory. */
+		volatile int arr[4];
+		volatile char below[4]; /* Protect surrounding memory. */
+	} data;
 
 	UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
-	arr[j] = i;
+	data.arr[j] = i;
 
 	UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
-	arr[k] = i;
+	data.arr[k] = i;
 }
 
 enum ubsan_test_enum {

---

I can send v2 with this approach if it's better.

Thanks,
Mostafa

> 
> > --- a/lib/test_ubsan.c
> > +++ b/lib/test_ubsan.c
> > @@ -77,18 +77,15 @@ static void test_ubsan_shift_out_of_bounds(void)
> >  
> >  static void test_ubsan_out_of_bounds(void)
> >  {
> > -	volatile int i = 4, j = 5, k = -1;
> > -	volatile char above[4] = { }; /* Protect surrounding memory. */
> > +	volatile int j = 5, k = -1;
> > +	volatile int scratch[4] = { };
> >  	volatile int arr[4];
> > -	volatile char below[4] = { }; /* Protect surrounding memory. */
> > -
> > -	above[0] = below[0];
> >  
> >  	UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
> > -	arr[j] = i;
> > +	scratch[1] = arr[j];
> >  
> >  	UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
> > -	arr[k] = i;
> > +	scratch[2] = arr[k];
> >  }
>