[PATCH for-4.10 1/2] ubsan: add clang 5.0 support

[PATCH for-4.10 1/2] ubsan: add clang 5.0 support

[Roger Pau Monne]

clang 5.0 changed the layout of the type_mismatch_data structure and
introduced __ubsan_handle_type_mismatch_v1 and
__ubsan_handle_pointer_overflow.

This commit adds support for the new structure layout, adds the
missing handlers and the new types for type_check_kinds.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Wei Liu <wei.liu2@citrix.com>
Cc: Julien Grall <julien.grall@arm.com>
---
ubsan is an optional feature, not enabled by default and not designed
to be used by production systems. Since this change only touches ubsan
code and it's a bugfix in order for clang to work, I argue it should
be merged into 4.10.
---
 xen/common/ubsan/ubsan.c | 42 ++++++++++++++++++++++++++++++++++++++++--
 xen/common/ubsan/ubsan.h | 11 +++++++++++
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/xen/common/ubsan/ubsan.c b/xen/common/ubsan/ubsan.c
index fbe568562a..febf7e2afa 100644
--- a/xen/common/ubsan/ubsan.c
+++ b/xen/common/ubsan/ubsan.c
@@ -33,7 +33,10 @@ const char *type_check_kinds[] = {
 	"member call on",
 	"constructor call on",
 	"downcast of",
-	"downcast of"
+	"downcast of",
+	"upcast of",
+	"cast to virtual base of",
+	"_Nonnull binding to",
 };
 
 #define REPORTED_BIT 31
@@ -323,7 +326,6 @@ static void handle_object_size_mismatch(struct type_mismatch_data *data,
 void __ubsan_handle_type_mismatch(struct type_mismatch_data *data,
 				unsigned long ptr)
 {
-
 	if (!ptr)
 		handle_null_ptr_deref(data);
 	else if (data->alignment && !IS_ALIGNED(ptr, data->alignment))
@@ -333,6 +335,19 @@ void __ubsan_handle_type_mismatch(struct type_mismatch_data *data,
 }
 EXPORT_SYMBOL(__ubsan_handle_type_mismatch);
 
+void __ubsan_handle_type_mismatch_v1(struct type_mismatch_data_v1 *data,
+				unsigned long ptr)
+{
+	struct type_mismatch_data d = {
+		.location = data->location,
+		.type = data->type,
+		.alignment = 1ul << data->log_alignment,
+		.type_check_kind = data->type_check_kind,
+	};
+
+	__ubsan_handle_type_mismatch(&d, ptr);
+}
+
 void __ubsan_handle_nonnull_arg(struct nonnull_arg_data *data)
 {
 	unsigned long flags;
@@ -478,3 +493,26 @@ void __ubsan_handle_load_invalid_value(struct invalid_value_data *data,
 	ubsan_epilogue(&flags);
 }
 EXPORT_SYMBOL(__ubsan_handle_load_invalid_value);
+
+void __ubsan_handle_pointer_overflow(struct pointer_overflow_data *data,
+				unsigned long base, unsigned long result)
+{
+	unsigned long flags;
+
+	if (suppress_report(&data->location))
+		return;
+
+	ubsan_prologue(&data->location, &flags);
+
+	pr_err("pointer overflow:\n");
+
+	if (((long)base >= 0) == ((long)result >= 0))
+		pr_err("%s of unsigned offset to %p overflowed to %p\n",
+			base > result ? "addition" : "subtraction",
+			(void *)base, (void *)result);
+	else
+		pr_err("pointer index expression with base %p overflowed to %p\n",
+			(void *)base, (void *)result);
+
+	ubsan_epilogue(&flags);
+}
diff --git a/xen/common/ubsan/ubsan.h b/xen/common/ubsan/ubsan.h
index b2d18d4a53..2710cd423e 100644
--- a/xen/common/ubsan/ubsan.h
+++ b/xen/common/ubsan/ubsan.h
@@ -36,6 +36,13 @@ struct type_mismatch_data {
 	unsigned char type_check_kind;
 };
 
+struct type_mismatch_data_v1 {
+	struct source_location location;
+	struct type_descriptor *type;
+	unsigned char log_alignment;
+	unsigned char type_check_kind;
+};
+
 struct nonnull_arg_data {
 	struct source_location location;
 	struct source_location attr_location;
@@ -73,6 +80,10 @@ struct invalid_value_data {
 	struct type_descriptor *type;
 };
 
+struct pointer_overflow_data {
+	struct source_location location;
+};
+
 #if defined(CONFIG_ARCH_SUPPORTS_INT128) && defined(__SIZEOF_INT128__)
 typedef __int128 s_max;
 typedef unsigned __int128 u_max;
-- 
2.13.5 (Apple Git-94)


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH for-4.10 2/2] ubsan: disable unaligned access checks

[Roger Pau Monne]

Currently there are many offenders of the unaligned access checks,
which makes booting with the unaligned check a PVH Dom0 impossible.

The main offenders seem to be the ACPI code, the VMX code and
specially the intremap code (set_ire_sid).

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Tim Deegan <tim@xen.org>
Cc: Wei Liu <wei.liu2@citrix.com>
Cc: Julien Grall <julien.grall@arm.com>
---
I'm not sure whether we prefer to fix the offenders, or just disable
the alignment wholesale. In any case if we decide to disable the
check, the patch should have vary low impact, and hence should be
committed to 4.10 on the base that it only affects ubsan, which is not
enabled by default and not to be used on production systems.
---
 xen/Rules.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/Rules.mk b/xen/Rules.mk
index 2659f8a4d1..1472adf1d6 100644
--- a/xen/Rules.mk
+++ b/xen/Rules.mk
@@ -120,7 +120,7 @@ $(filter-out %.init.o $(nogcov-y),$(obj-y) $(obj-bin-y) $(extra-y)): CFLAGS += -
 endif
 
 ifeq ($(CONFIG_UBSAN),y)
-$(filter-out %.init.o $(noubsan-y),$(obj-y) $(obj-bin-y) $(extra-y)): CFLAGS += -fsanitize=undefined
+$(filter-out %.init.o $(noubsan-y),$(obj-y) $(obj-bin-y) $(extra-y)): CFLAGS += -fsanitize=undefined -fno-sanitize=alignment
 endif
 
 ifeq ($(CONFIG_LTO),y)
-- 
2.13.5 (Apple Git-94)


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH for-4.10 2/2] ubsan: disable unaligned access checks

[Jan Beulich]

>>> On 17.10.17 at 13:36, <roger.pau@citrix.com> wrote:
> --- a/xen/Rules.mk
> +++ b/xen/Rules.mk
> @@ -120,7 +120,7 @@ $(filter-out %.init.o $(nogcov-y),$(obj-y) $(obj-bin-y) 
> $(extra-y)): CFLAGS += -
>  endif
>  
>  ifeq ($(CONFIG_UBSAN),y)
> -$(filter-out %.init.o $(noubsan-y),$(obj-y) $(obj-bin-y) $(extra-y)): CFLAGS += -fsanitize=undefined
> +$(filter-out %.init.o $(noubsan-y),$(obj-y) $(obj-bin-y) $(extra-y)): CFLAGS += -fsanitize=undefined -fno-sanitize=alignment
>  endif

As was said by I think Andrew on irc, this is fine for x86 but not
fine for ARM. Even if we enable UBSAN for x86 only right now,
I think such option additions should be done in an arch-specific
way.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH for-4.10 2/2] ubsan: disable unaligned access checks

[Wei Liu]

On Tue, Oct 17, 2017 at 12:36:44PM +0100, Roger Pau Monne wrote:
> Currently there are many offenders of the unaligned access checks,
> which makes booting with the unaligned check a PVH Dom0 impossible.
> 
> The main offenders seem to be the ACPI code, the VMX code and
> specially the intremap code (set_ire_sid).
> 
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> ---
> Cc: Andrew Cooper <andrew.cooper3@citrix.com>
> Cc: George Dunlap <George.Dunlap@eu.citrix.com>
> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
> Cc: Jan Beulich <jbeulich@suse.com>
> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> Cc: Stefano Stabellini <sstabellini@kernel.org>
> Cc: Tim Deegan <tim@xen.org>
> Cc: Wei Liu <wei.liu2@citrix.com>
> Cc: Julien Grall <julien.grall@arm.com>
> ---
> I'm not sure whether we prefer to fix the offenders, or just disable
> the alignment wholesale. In any case if we decide to disable the
> check, the patch should have vary low impact, and hence should be
> committed to 4.10 on the base that it only affects ubsan, which is not
> enabled by default and not to be used on production systems.

I would very much like to fix the offenders but if the fixes turn out to
be cumbersome, so be it.

What is wrong to leave this enabled? Each location is reported once,
right?

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH for-4.10 2/2] ubsan: disable unaligned access checks

[Roger Pau Monné]

On Tue, Oct 17, 2017 at 01:56:18PM +0100, Wei Liu wrote:
> On Tue, Oct 17, 2017 at 12:36:44PM +0100, Roger Pau Monne wrote:
> > Currently there are many offenders of the unaligned access checks,
> > which makes booting with the unaligned check a PVH Dom0 impossible.
> > 
> > The main offenders seem to be the ACPI code, the VMX code and
> > specially the intremap code (set_ire_sid).
> > 
> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> > ---
> > Cc: Andrew Cooper <andrew.cooper3@citrix.com>
> > Cc: George Dunlap <George.Dunlap@eu.citrix.com>
> > Cc: Ian Jackson <ian.jackson@eu.citrix.com>
> > Cc: Jan Beulich <jbeulich@suse.com>
> > Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> > Cc: Stefano Stabellini <sstabellini@kernel.org>
> > Cc: Tim Deegan <tim@xen.org>
> > Cc: Wei Liu <wei.liu2@citrix.com>
> > Cc: Julien Grall <julien.grall@arm.com>
> > ---
> > I'm not sure whether we prefer to fix the offenders, or just disable
> > the alignment wholesale. In any case if we decide to disable the
> > check, the patch should have vary low impact, and hence should be
> > committed to 4.10 on the base that it only affects ubsan, which is not
> > enabled by default and not to be used on production systems.
> 
> I would very much like to fix the offenders but if the fixes turn out to
> be cumbersome, so be it.
> 
> What is wrong to leave this enabled? Each location is reported once,
> right?

With clang it's reported every time it's hit AFAICT (certainly more
than once).

Roger.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH for-4.10 2/2] ubsan: disable unaligned access checks

[Wei Liu]

On Tue, Oct 17, 2017 at 01:58:47PM +0100, Roger Pau Monné wrote:
> On Tue, Oct 17, 2017 at 01:56:18PM +0100, Wei Liu wrote:
> > On Tue, Oct 17, 2017 at 12:36:44PM +0100, Roger Pau Monne wrote:
> > > Currently there are many offenders of the unaligned access checks,
> > > which makes booting with the unaligned check a PVH Dom0 impossible.
> > > 
> > > The main offenders seem to be the ACPI code, the VMX code and
> > > specially the intremap code (set_ire_sid).
> > > 
> > > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> > > ---
> > > Cc: Andrew Cooper <andrew.cooper3@citrix.com>
> > > Cc: George Dunlap <George.Dunlap@eu.citrix.com>
> > > Cc: Ian Jackson <ian.jackson@eu.citrix.com>
> > > Cc: Jan Beulich <jbeulich@suse.com>
> > > Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> > > Cc: Stefano Stabellini <sstabellini@kernel.org>
> > > Cc: Tim Deegan <tim@xen.org>
> > > Cc: Wei Liu <wei.liu2@citrix.com>
> > > Cc: Julien Grall <julien.grall@arm.com>
> > > ---
> > > I'm not sure whether we prefer to fix the offenders, or just disable
> > > the alignment wholesale. In any case if we decide to disable the
> > > check, the patch should have vary low impact, and hence should be
> > > committed to 4.10 on the base that it only affects ubsan, which is not
> > > enabled by default and not to be used on production systems.
> > 
> > I would very much like to fix the offenders but if the fixes turn out to
> > be cumbersome, so be it.
> > 
> > What is wrong to leave this enabled? Each location is reported once,
> > right?
> 
> With clang it's reported every time it's hit AFAICT (certainly more
> than once).
> 

It could also be the case that some functions are inlined so they could
appear multiple times, i.e. they have different instances of struct
location? I've also seen something like that before.

The code in ubsan.c already deals with setting the reported bit so I
suspect after all the instances have been marked reported Xen should run
fine?

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH for-4.10 2/2] ubsan: disable unaligned access checks

[Andrew Cooper]

On 17/10/17 13:58, Roger Pau Monné wrote:
> On Tue, Oct 17, 2017 at 01:56:18PM +0100, Wei Liu wrote:
>> On Tue, Oct 17, 2017 at 12:36:44PM +0100, Roger Pau Monne wrote:
>>> Currently there are many offenders of the unaligned access checks,
>>> which makes booting with the unaligned check a PVH Dom0 impossible.
>>>
>>> The main offenders seem to be the ACPI code, the VMX code and
>>> specially the intremap code (set_ire_sid).
>>>
>>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>>> ---
>>> Cc: Andrew Cooper <andrew.cooper3@citrix.com>
>>> Cc: George Dunlap <George.Dunlap@eu.citrix.com>
>>> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
>>> Cc: Jan Beulich <jbeulich@suse.com>
>>> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
>>> Cc: Stefano Stabellini <sstabellini@kernel.org>
>>> Cc: Tim Deegan <tim@xen.org>
>>> Cc: Wei Liu <wei.liu2@citrix.com>
>>> Cc: Julien Grall <julien.grall@arm.com>
>>> ---
>>> I'm not sure whether we prefer to fix the offenders, or just disable
>>> the alignment wholesale. In any case if we decide to disable the
>>> check, the patch should have vary low impact, and hence should be
>>> committed to 4.10 on the base that it only affects ubsan, which is not
>>> enabled by default and not to be used on production systems.
>> I would very much like to fix the offenders but if the fixes turn out to
>> be cumbersome, so be it.
>>
>> What is wrong to leave this enabled? Each location is reported once,
>> right?
> With clang it's reported every time it's hit AFAICT (certainly more
> than once).

suppress_report() is supposed to take care of this.  Is Clang feeding in
different ->location information each time through?

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH for-4.10 1/2] ubsan: add clang 5.0 support

[Jan Beulich]

>>> On 17.10.17 at 13:36, <roger.pau@citrix.com> wrote:
> clang 5.0 changed the layout of the type_mismatch_data structure and
> introduced __ubsan_handle_type_mismatch_v1 and
> __ubsan_handle_pointer_overflow.
> 
> This commit adds support for the new structure layout, adds the
> missing handlers and the new types for type_check_kinds.
> 
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>

Acked-by: Jan Beulich <jbeulich@suse.com>
with a remark:

> +void __ubsan_handle_pointer_overflow(struct pointer_overflow_data *data,
> +				unsigned long base, unsigned long result)
> +{
> +	unsigned long flags;
> +
> +	if (suppress_report(&data->location))
> +		return;
> +
> +	ubsan_prologue(&data->location, &flags);
> +
> +	pr_err("pointer overflow:\n");
> +
> +	if (((long)base >= 0) == ((long)result >= 0))
> +		pr_err("%s of unsigned offset to %p overflowed to %p\n",
> +			base > result ? "addition" : "subtraction",

Strictly speaking you also want to make "to" conditional upon this
being an add; for subtract it ought to be "from". Or perhaps just
say overflow and underflow?

And then - is "base > result" really a valid determination of
add/subtract (or overflow/underflow)? If the pointed to type is
wider than one byte, an addition may wrap one or more times
and still yield a value larger than the starting pointer.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH for-4.10 1/2] ubsan: add clang 5.0 support

[Roger Pau Monné]

On Tue, Oct 17, 2017 at 06:43:28AM -0600, Jan Beulich wrote:
> >>> On 17.10.17 at 13:36, <roger.pau@citrix.com> wrote:
> > clang 5.0 changed the layout of the type_mismatch_data structure and
> > introduced __ubsan_handle_type_mismatch_v1 and
> > __ubsan_handle_pointer_overflow.
> > 
> > This commit adds support for the new structure layout, adds the
> > missing handlers and the new types for type_check_kinds.
> > 
> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> 
> Acked-by: Jan Beulich <jbeulich@suse.com>
> with a remark:
> 
> > +void __ubsan_handle_pointer_overflow(struct pointer_overflow_data *data,
> > +				unsigned long base, unsigned long result)
> > +{
> > +	unsigned long flags;
> > +
> > +	if (suppress_report(&data->location))
> > +		return;
> > +
> > +	ubsan_prologue(&data->location, &flags);
> > +
> > +	pr_err("pointer overflow:\n");
> > +
> > +	if (((long)base >= 0) == ((long)result >= 0))
> > +		pr_err("%s of unsigned offset to %p overflowed to %p\n",
> > +			base > result ? "addition" : "subtraction",
> 
> Strictly speaking you also want to make "to" conditional upon this
> being an add; for subtract it ought to be "from". Or perhaps just
> say overflow and underflow?
> 
> And then - is "base > result" really a valid determination of
> add/subtract (or overflow/underflow)? If the pointed to type is
> wider than one byte, an addition may wrap one or more times
> and still yield a value larger than the starting pointer.

That code is mostly adapted from upstream llvm:

https://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/ubsan/ubsan_handlers.cc?revision=313572&view=markup

But I see your point, if the types have different widths that check
won't work properly. In any case, I don't see a better way to deal
with this.

Thanks, Roger.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH for-4.10 1/2] ubsan: add clang 5.0 support

[Jan Beulich]

>>> On 17.10.17 at 14:57, <roger.pau@citrix.com> wrote:
> On Tue, Oct 17, 2017 at 06:43:28AM -0600, Jan Beulich wrote:
>> >>> On 17.10.17 at 13:36, <roger.pau@citrix.com> wrote:
>> > clang 5.0 changed the layout of the type_mismatch_data structure and
>> > introduced __ubsan_handle_type_mismatch_v1 and
>> > __ubsan_handle_pointer_overflow.
>> > 
>> > This commit adds support for the new structure layout, adds the
>> > missing handlers and the new types for type_check_kinds.
>> > 
>> > Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>> 
>> Acked-by: Jan Beulich <jbeulich@suse.com>
>> with a remark:
>> 
>> > +void __ubsan_handle_pointer_overflow(struct pointer_overflow_data *data,
>> > +				unsigned long base, unsigned long result)
>> > +{
>> > +	unsigned long flags;
>> > +
>> > +	if (suppress_report(&data->location))
>> > +		return;
>> > +
>> > +	ubsan_prologue(&data->location, &flags);
>> > +
>> > +	pr_err("pointer overflow:\n");
>> > +
>> > +	if (((long)base >= 0) == ((long)result >= 0))
>> > +		pr_err("%s of unsigned offset to %p overflowed to %p\n",
>> > +			base > result ? "addition" : "subtraction",
>> 
>> Strictly speaking you also want to make "to" conditional upon this
>> being an add; for subtract it ought to be "from". Or perhaps just
>> say overflow and underflow?
>> 
>> And then - is "base > result" really a valid determination of
>> add/subtract (or overflow/underflow)? If the pointed to type is
>> wider than one byte, an addition may wrap one or more times
>> and still yield a value larger than the starting pointer.
> 
> That code is mostly adapted from upstream llvm:
> 
> https://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/ubsan/ubsan_handler 
> s.cc?revision=313572&view=markup
> 
> But I see your point, if the types have different widths that check
> won't work properly. In any case, I don't see a better way to deal
> with this.

Well, as said - perhaps simply use

	pr_err("pointer operation %s %p to %p\n",
	       base > result ? "underflowed" : "overflowed",

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel