Message-ID: <20171127010516.ynak7b4kbqvg27tb@wfg-t540p.sh.intel.com>
Date: Mon, 27 Nov 2017 09:05:16 +0800
From: Fengguang Wu <fengguang.wu@...el.com>
To: Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc: wfg@...ux.intel.com, Kees Cook <keescook@...omium.org>, linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com, linux-kbuild@...r.kernel.org, LKP <lkp@...org>
Subject: f7dd250789 ("gcc-plugins: structleak: add option to init all vars used as byref args"): BUG: KASAN: use-after-scope in pcpu_setup_first_chunk

Hi Ard,

FYI this commit triggers one new KASAN bug.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit f7dd2507893cc3425d3ffc2369559619960befb0
Author:     Ard Biesheuvel <ard.biesheuvel@...aro.org>
AuthorDate: Sun Aug 6 12:06:27 2017 +0100
Commit:     Kees Cook <keescook@...omium.org>
CommitDate: Mon Aug 7 11:20:57 2017 -0700

    gcc-plugins: structleak: add option to init all vars used as byref args

    In the Linux kernel, struct type variables are rarely passed by-value,
    and so functions that initialize such variables typically take an input
    reference to the variable rather than returning a value that can
    subsequently be used in an assignment.

    If the initialization function is not part of the same compilation unit,
    the lack of an assignment operation defeats any analysis the compiler
    can perform as to whether the variable may be used before having been
    initialized. This means we may end up passing on such variables
    uninitialized, resulting in potential information leaks.

    So extend the existing structleak GCC plugin so it will [optionally]
    apply to all struct type variables that have their address taken at any
    point, rather than only to variables of struct types that have a __user
    annotation.

    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@...aro.org>
    Signed-off-by: Kees Cook <keescook@...omium.org>

520eccdfe1 Linux 4.13-rc2
f7dd250789 gcc-plugins: structleak: add option to init all vars used as byref args
844056fd74 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
6fc478f80f Add linux-next specific files for 20171124

+--------------------------------+-----------+------------+------------+---------------+
|                                | v4.13-rc2 | f7dd250789 | 844056fd74 | next-20171124 |
+--------------------------------+-----------+------------+------------+---------------+
| boot_successes                 | 0         | 0          | 0          | 0             |
| boot_failures                  | 33        | 11         | 19         | 13            |
| BUG:KASAN:use-after-scope_in_e | 33        |            |            |               |
| BUG:KASAN:use-after-scope_in_p | 0         | 11         | 19         | 13            |
+--------------------------------+-----------+------------+------------+---------------+

[ 0.000000] Booting paravirtualized kernel on KVM
[ 0.000000] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1910969940391419 ns
[ 0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[ 0.000000] pcpu-alloc: [0] 0
[ 0.000000] ==================================================================
[ 0.000000] BUG: KASAN: use-after-scope in pcpu_setup_first_chunk+0xa5e/0x10bc
[ 0.000000] Write of size 8 at addr ffffffff83c07c80 by task swapper/0
[ 0.000000]
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.13.0-rc2-00001-gf7dd2507 #1
[ 0.000000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 0.000000] Call Trace:
[ 0.000000] dump_stack+0x27/0x35
[ 0.000000] print_address_description+0x24e/0x3e0
[ 0.000000] kasan_report+0x1bb/0x3e0
[ 0.000000] ? pcpu_setup_first_chunk+0xa5e/0x10bc
[ 0.000000] __asan_store8+0x72/0x100
[ 0.000000] pcpu_setup_first_chunk+0xa5e/0x10bc
[ 0.000000] ? pcpu_free_alloc_info+0x44/0x44
[ 0.000000] ? memblock_reserve+0xd2/0x111
[ 0.000000] ? memset+0x49/0x60
[ 0.000000] ? memblock_virt_alloc_internal+0x1f6/0x214
[ 0.000000] setup_per_cpu_areas+0x107/0x131
[ 0.000000] start_kernel+0x279/0x7fb
[ 0.000000] ? thread_stack_cache_init+0xd/0xd
[ 0.000000] ? early_idt_handler_array+0x120/0x120
[ 0.000000] x86_64_start_reservations+0x46/0x4f
[ 0.000000] x86_64_start_kernel+0x160/0x18a
[ 0.000000] secondary_startup_64+0x9f/0x9f
[ 0.000000]
[ 0.000000] Memory state around the buggy address:
[ 0.000000] ffffffff83c07b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 0.000000] ffffffff83c07c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 0.000000] >ffffffff83c07c80: f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2

The parent commit has this instead, much later on:

[ 682.374391] init: Failed to create pty - disabling logging for job
[ 682.382994] init: Temporary process spawn error: No such file or directory
[ 682.844553] ==================================================================
[ 682.846936] BUG: KASAN: use-after-scope in ep_poll+0x5df/0xe00
[ 682.848804] Write of size 16 at addr ffff88001192f978 by task udevadm/200
[ 682.850932]
[ 682.851476] CPU: 0 PID: 200 Comm: udevadm Not tainted 4.13.0-rc2 #1
[ 682.853215] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 682.854874] Call Trace:
[ 682.855441] dump_stack+0x27/0x3b
[ 682.856188] print_address_description+0x8b/0x3e0
[ 682.857157] kasan_report+0x1b5/0x3e0
[ 682.857911] ? ep_poll+0x5df/0xe00
[ 682.858610] __asan_store16+0x7f/0xe0
[ 682.859417] ep_poll+0x5df/0xe00
[ 682.860092] ? ep_scan_ready_list+0x9c0/0x9c0
[ 682.860968] ? do_fault+0x1e0/0xec0
[ 682.861699] ? reacquire_held_locks+0x230/0x230
[ 682.862652] ? finish_fault+0xd0/0xd0
[ 682.863422] ? do_raw_spin_unlock+0xa8/0x1c0
[ 682.864275] ? validate_chain+0xeb/0x1b30
[ 682.865220] ? _raw_spin_unlock+0x3a/0x60
[ 682.866113] ? do_task_dead+0x1d0/0x1d0
[ 682.866913] ? pvclock_clocksource_read+0x189/0x330
[ 682.867891] ? pvclock_read_flags+0x80/0x80
[ 682.868731] ? kvm_sched_clock_read+0x26/0x50
[ 682.869694] ? sched_clock+0x11/0x20
[ 682.870438] ? clear_sched_clock_stable+0x140/0x140
[ 682.871422] ? __fget_light+0x1f4/0x2a0
[ 682.872193] ? __fget+0x470/0x470
[ 682.872946] ? syscall_trace_enter+0x148/0x4f0
[ 682.873862] SyS_epoll_wait+0x145/0x190
[ 682.874650] ? SyS_epoll_ctl+0xfa0/0xfa0
[ 682.875451] do_syscall_64+0x353/0x8a0
[ 682.876262] ? syscall_return_slowpath+0x4c0/0x4c0
[ 682.877236] ? clear_sched_clock_stable+0x140/0x140
[ 682.878217] ? check_chain_key+0x171/0x250
[ 682.879042] ? reacquire_held_locks+0x230/0x230
[ 682.880019] ? vtime_user_enter+0xbd/0xd0
[ 682.880847] ? __context_tracking_enter+0xb7/0xc0
[ 682.881787] ? __context_tracking_enter+0xb7/0xc0
[ 682.882780] ? prepare_exit_to_usermode+0x225/0x240
[ 682.883762] ? mark_held_locks+0x2b/0x100
[ 682.884578] ? retint_user+0x18/0x20
[ 682.885307] ? trace_hardirqs_on_caller+0x20a/0x3c0
[ 682.886374] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 682.887307] entry_SYSCALL64_slow_path+0x25/0x25
[ 682.888232] RIP: 0033:0x7f8f7d7dfb33
[ 682.888954] RSP: 002b:00007fffbe1168f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e8
[ 682.890523] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f8f7d7dfb33
[ 682.891927] RDX: 0000000000000004 RSI: 00007fffbe116aa0 RDI: 0000000000000003
[ 682.893401] RBP: 0000004904f6e2d0 R08: 000000000000000a R09: 0000000000000000
[ 682.894800] R10: 00000000ffffffff R11: 0000000000000246 R12: 0000004904f6e110
[ 682.896265] R13: 0000000000000001 R14: 00007fffbe116aac R15: 0000000000000004
[ 682.897664]
[ 682.897999] The buggy address belongs to the page:
[ 682.898958] page:ffffea0000464bc0 count:0 mapcount:0 mapping: (null) index:0x0
[ 682.900624] flags: 0x0()
[ 682.901161] raw: 0000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 682.902735] raw: 0000000000000000 dead000000000200 0000000000000000 0000000000000000
[ 682.904245] page dumped because: kasan: bad access detected
[ 682.905339]
[ 682.905671] Memory state around the buggy address:
[ 682.906707] ffff88001192f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 682.908113] ffff88001192f880: 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00
[ 682.909597] >ffff88001192f900: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 f8
[ 682.911020]                                                                 ^
[ 682.912415] ffff88001192f980: f8 f2 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2
[ 682.913916] ffff88001192fa00: f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2
[ 682.915335] ==================================================================
[ 682.916814] Disabling lock debugging due to kernel taint

# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start v4.14 v4.13 --
git bisect bad 74de8187ff46bfc24fcb1533791515e46b256116 # 18:07 B 0 11 24 0 Merge tag 'pm-4.14-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
git bisect bad 89fd915c402113528750353ad6de9ea68a787e5c # 18:39 B 0 11 24 0 Merge tag 'libnvdimm-for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
git bisect good 57e88b43b81301d9b28f124a5576ac43a1cf9e8d # 19:16 G 11 0 11 11 Merge branch 'x86-platform-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect bad 3aea311c1b4002bd730a09530f80f2f2ad3bf495 # 19:48 B 0 5 18 0 genksyms: fix gperf removal conversion
git bisect good 7d955656121f547ff9a708ed7ee4c86a08bf628a # 20:24 G 11 0 11 11 Merge tag 'drm-intel-next-fixes-2017-09-07' of git://anongit.freedesktop.org/git/drm-intel
git bisect bad 44ccba3f7b230af1bd7ebe173cbf5803df1df486 # 20:39 B 0 3 16 0 Merge tag 'gcc-plugins-v4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
git bisect good ae8ac6b7dbfd67f883050421fd195c153d02f5f3 # 21:20 G 11 0 11 11 Merge branch 'quota_scaling' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
git bisect good 8dc5b3a6cb2fc5d4f751bda56a378589202a118b # 21:51 G 10 0 10 10 Merge tag '4.14-smb3-xattr-enable' of git://git.samba.org/sfrench/cifs-2.6
git bisect good 21d236bf2bde518844b5675ec4980f4b2fd13e1a # 22:24 G 11 0 11 11 Merge tag 'pstore-v4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
git bisect good 9225331b310821760f39ba55b00b8973602adbb5 # 22:51 G 11 0 11 11 randstruct: Enable function pointer struct detection
git bisect bad ad05e6ca7b5fcf15ff178da662035ec7718f938c # 23:14 B 0 8 21 0 Merge branch 'for-next/gcc-plugin/structleak' into for-next/gcc-plugins
git bisect bad f7dd2507893cc3425d3ffc2369559619960befb0 # 23:53 B 0 11 24 0 gcc-plugins: structleak: add option to init all vars used as byref args
# first bad commit: [f7dd2507893cc3425d3ffc2369559619960befb0] gcc-plugins: structleak: add option to init all vars used as byref args
git bisect good 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9 # 00:28 G 33 0 33 33 Linux 4.13-rc2
# extra tests with debug options
git bisect bad f7dd2507893cc3425d3ffc2369559619960befb0 # 01:03 B 0 2 15 0 gcc-plugins: structleak: add option to init all vars used as byref args
# extra tests on HEAD of linux-devel/devel-hourly-2017112611
git bisect bad 596d5554a28b82b7c2d3b1904a466eb0cafce029 # 01:08 B 0 13 29 0 0day head guard for 'devel-hourly-2017112611'
# extra tests on tree/branch linus/master
git bisect bad 844056fd74ebdd826bd23a7d989597e15f478acb # 01:35 B 0 4 17 0 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
# extra tests with first bad commit reverted
git bisect good 2b7553bd68166948239d37d839a356237d06561f # 02:17 G 11 0 11 11 Revert "gcc-plugins: structleak: add option to init all vars used as byref args"
# extra tests on tree/branch linux-next/master
git bisect bad 6fc478f80f6809cc4b1a4230f47a62d3b7378dc0 # 02:41 B 0 11 26 2 Add linux-next specific files for 20171124

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-quantal-ivb41-109:20171126233844:x86_64-randconfig-b0-11261534:4.13.0-rc2-00001-gf7dd2507:1.gz" of type "application/gzip" (7773 bytes)
Download attachment "dmesg-quantal-ivb41-105:20171127002253:x86_64-randconfig-b0-11261534:4.13.0-rc2:1.gz" of type "application/gzip" (18506 bytes)
View attachment "reproduce-quantal-ivb41-109:20171126233844:x86_64-randconfig-b0-11261534:4.13.0-rc2-00001-gf7dd2507:1" of type "text/plain" (889 bytes)
View attachment "config-4.13.0-rc2-00001-gf7dd2507" of type "text/plain" (96073 bytes)
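The by-reference initialization pattern the commit message describes, as an added example written for this page (not kernel or plugin code): struct record, record_init and sample_leaky are constructed names, and the three interior padding bytes are an ABI assumption. copy_out(0) is the unhardened pattern; copy_out(1) does by hand what the plugin's byref option inserts automatically, a zeroing initializer at the declaration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout: on common ABIs three padding bytes sit between
 * 'tag' and 'value', so sizeof(struct record) == 8 (an assumption). */
struct record {
    uint8_t  tag;
    uint32_t value;
};

/* Stand-in for an out-of-line initializer: it writes only the named fields
 * through the reference, never the padding (the caller's object may be stale). */
void record_init(struct record *r, uint8_t tag, uint32_t value)
{
    r->tag = tag;
    r->value = value;
}

/* Count non-zero padding bytes in a copied-out record: bytes that would
 * carry stale stack contents to whoever receives the copy. */
size_t nonzero_padding(const unsigned char *copy, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        int named = i == offsetof(struct record, tag) ||
                    (i >= offsetof(struct record, value) &&
                     i <  offsetof(struct record, value) + sizeof(uint32_t));
        if (!named && copy[i] != 0)
            n++;
    }
    return n;
}
/* Constructed sample of a leaked copy: 0xaa 0xbb 0xcc are stale padding. */
const unsigned char sample_leaky[8] = {1, 0xaa, 0xbb, 0xcc, 0xef, 0xbe, 0xad, 0xde};
/* hardened == 0 is the pattern the byref option targets: r's padding keeps
 * whatever the stack held and memcpy carries it out (nondeterministic).
 * hardened != 0 stands in for the plugin's inserted initializer; memset is
 * used here so that zeroed padding is guaranteed by the C standard. */
size_t copy_out(int hardened)
{
    unsigned char out[sizeof(struct record)];
    struct record r;
    if (hardened)
        memset(&r, 0, sizeof r);
    record_init(&r, 1, 0xdeadbeef);
    memcpy(out, &r, sizeof r);
    return nonzero_padding(out, sizeof r);   /* always 0 when hardened */
}
```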