From: Kees Cook <keescook@chromium.org>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Dmitry Vyukov <dvyukov@google.com>,
Dennis Zhou <dennisszhou@gmail.com>,
Fengguang Wu <fengguang.wu@intel.com>,
Linux-MM <linux-mm@kvack.org>, Tejun Heo <tj@kernel.org>,
Christoph Lameter <cl@linux.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Josef Bacik <jbacik@fb.com>, LKML <linux-kernel@vger.kernel.org>,
LKP <lkp@01.org>, Andrey Ryabinin <aryabinin@virtuozzo.com>,
Mark Rutland <mark.rutland@arm.com>
Subject: Re: [pcpu] BUG: KASAN: use-after-scope in pcpu_setup_first_chunk+0x1e3b/0x29e2
Date: Thu, 30 Nov 2017 11:56:22 -0800 [thread overview]
Message-ID: <CAGXu5j+om_oZ63OkJwGJNpVgBPxm9Nwc_JwbR3cpfugDPN7X+w@mail.gmail.com> (raw)
In-Reply-To: <20171130192257.GB1529@localhost>
On Thu, Nov 30, 2017 at 11:22 AM, Dennis Zhou <dennisszhou@gmail.com> wrote:
> Hi Dmitry and Kees,
>
> On Thu, Nov 30, 2017 at 10:10:41AM -0800, Kees Cook wrote:
>> > Are we sure that structleak plugin is not at fault? If yes, then we
>> > need to report this to https://gcc.gnu.org/bugzilla/ with instructions
>> > on how to build/use the plugin.
>
> I believe this is an issue with the structleak plugin and not gcc. The
> bug does not show up if you compile without
> GCC_PLUGIN_STRUCTLEAK_BYREF_ALL.
>
> It seems to be caused by the initializer not respecting the ASAN_MARK
> calls. Therefore, if an inlined function gets called from a for loop,
> the initializer code gets invoked bugging in the second iteration. Below
> is the tree dump for the structleak plugin from the reproducer in the
> previous email. In bb 2 of INIT_LIST_HEAD, the __u = {} is before the
> unpoison call. This is inlined in bb 3 of main.
Ah-ha, okay. Thanks for the close examination. Ard, is this something
you have a few moment to take a look at?
-Kees
>
>>
>> I thought from earlier in this thread that the bug just changed
>> locations depending on the plugin. Does the issue still exist with the
>> plugin disabled?
>>
>
> The bug changing locations was me just verifying it was not an issue
> with percpu memory. I manually unrolled the for loop to show that the
> percpu bug disappears, but manifests later on. The issue does not exist
> with the BY_REF_ALL config.
>
> Thanks,
> Dennis
>
> ----
>
> ;; Function __write_once_size (__write_once_size, funcdef_no=2, decl_uid=3117, cgraph_uid=2, symbol_order=2)
>
> __attribute__((always_inline))
> __write_once_size (volatile void * p, void * res, int size)
> {
> unsigned char _1;
> short unsigned int _2;
> unsigned int _3;
> long unsigned int _4;
> long unsigned int _5;
>
> <bb 2> [0.00%]:
> switch (size_7(D)) <default: <L4> [0.00%], case 1: <L0> [0.00%], case 2: <L1> [0.00%], case 4: <L2> [0.00%], case 8: <L3> [0.00%]>
>
> <L0> [0.00%]:
> _1 = MEM[(__u8 *)res_9(D)];
> MEM[(volatile __u8 *)p_10(D)] ={v} _1;
> goto <bb 8>; [0.00%]
>
> <L1> [0.00%]:
> _2 = MEM[(__u16 *)res_9(D)];
> MEM[(volatile __u16 *)p_10(D)] ={v} _2;
> goto <bb 8>; [0.00%]
>
> <L2> [0.00%]:
> _3 = MEM[(__u32 *)res_9(D)];
> MEM[(volatile __u32 *)p_10(D)] ={v} _3;
> goto <bb 8>; [0.00%]
>
> <L3> [0.00%]:
> _4 = MEM[(__u64 *)res_9(D)];
> MEM[(volatile __u64 *)p_10(D)] ={v} _4;
> goto <bb 8>; [0.00%]
>
> <L4> [0.00%]:
> _5 = (long unsigned int) size_7(D);
> __builtin_memcpy (p_10(D), res_9(D), _5);
>
> <bb 8> [0.00%]:
> return;
>
> }
>
>
>
> ;; Function INIT_LIST_HEAD (INIT_LIST_HEAD, funcdef_no=3, decl_uid=3129, cgraph_uid=3, symbol_order=3)
>
>
> Symbols to be put in SSA form
> { D.3149 }
> Incremental SSA update started at block: 0
> Number of blocks in CFG: 9
> Number of blocks to update: 8 ( 89%)
>
>
> __attribute__((always_inline))
> INIT_LIST_HEAD (struct list_head * list)
> {
> volatile void * p;
> void * res;
> int size;
> union
> {
> struct list_head * __val;
> char __c[1];
> } __u;
> struct list_head * D.3135;
> struct list_head * * _1;
> struct list_head * _7;
> unsigned char _13;
> short unsigned int _14;
> unsigned int _15;
> long unsigned int _16;
> long unsigned int _17;
>
> <bb 2> [0.00%]:
> __u = {};
> ASAN_MARK (UNPOISON, &__u, 8);
> __u.__val = list_4(D);
> _1 = &list_4(D)->next;
> p_10 = _1;
> res_11 = &__u.__c;
> size_12 = 8;
> switch (size_12) <default: <L4> [0.00%], case 1: <L0> [0.00%], case 2: <L1> [0.00%], case 4: <L2> [0.00%], case 8: <L3> [0.00%]>
>
> <L0> [0.00%]:
> _13 = MEM[(__u8 *)res_11];
> MEM[(volatile __u8 *)p_10] ={v} _13;
> goto <bb 8>; [0.00%]
>
> <L1> [0.00%]:
> _14 = MEM[(__u16 *)res_11];
> MEM[(volatile __u16 *)p_10] ={v} _14;
> goto <bb 8>; [0.00%]
>
> <L2> [0.00%]:
> _15 = MEM[(__u32 *)res_11];
> MEM[(volatile __u32 *)p_10] ={v} _15;
> goto <bb 8>; [0.00%]
>
> <L3> [0.00%]:
> _16 = MEM[(__u64 *)res_11];
> MEM[(volatile __u64 *)p_10] ={v} _16;
> goto <bb 8>; [0.00%]
>
> <L4> [0.00%]:
> _17 = (long unsigned int) size_12;
> __builtin_memcpy (p_10, res_11, _17);
>
> <bb 8> [0.00%]:
> _7 = __u.__val;
> ASAN_MARK (POISON, &__u, 8);
> list_4(D)->prev = list_4(D);
> return;
>
> }
>
>
>
> ;; Function main (main, funcdef_no=4, decl_uid=3138, cgraph_uid=4, symbol_order=4)
>
>
> Symbols to be put in SSA form
> { D.3150 }
> Incremental SSA update started at block: 0
> Number of blocks in CFG: 13
> Number of blocks to update: 12 ( 92%)
>
>
> main (int argc, char * * argv)
> {
> struct list_head * D.3165;
> union
> {
> struct list_head * __val;
> char __c[1];
> } __u;
> int size;
> void * res;
> volatile void * p;
> struct list_head * list;
> int i;
> struct list_head * p;
> int D.3146;
> long unsigned int _1;
> long unsigned int _2;
> struct list_head * _3;
> int _11;
> struct list_head * * _15;
> unsigned char _19;
> short unsigned int _20;
> unsigned int _21;
> long unsigned int _22;
> long unsigned int _23;
> struct list_head * _24;
>
> <bb 2> [0.00%]:
> __u = {};
> p_8 = malloc (160);
> i_9 = 0;
> goto <bb 10>; [0.00%]
>
> <bb 3> [0.00%]:
> _1 = (long unsigned int) i_4;
> _2 = _1 * 16;
> _3 = p_8 + _2;
> list_14 = _3;
> __u = {};
> ASAN_MARK (UNPOISON, &__u, 8);
> __u.__val = list_14;
> _15 = &list_14->next;
> p_16 = _15;
> res_17 = &__u.__c;
> size_18 = 8;
> switch (size_18) <default: <L8> [0.00%], case 1: <L4> [0.00%], case 2: <L5> [0.00%], case 4: <L6> [0.00%], case 8: <L7> [0.00%]>
>
> <L4> [0.00%]:
> _19 = MEM[(__u8 *)res_17];
> MEM[(volatile __u8 *)p_16] ={v} _19;
> goto <bb 9>; [0.00%]
>
> <L5> [0.00%]:
> _20 = MEM[(__u16 *)res_17];
> MEM[(volatile __u16 *)p_16] ={v} _20;
> goto <bb 9>; [0.00%]
>
> <L6> [0.00%]:
> _21 = MEM[(__u32 *)res_17];
> MEM[(volatile __u32 *)p_16] ={v} _21;
> goto <bb 9>; [0.00%]
>
> <L7> [0.00%]:
> _22 = MEM[(__u64 *)res_17];
> MEM[(volatile __u64 *)p_16] ={v} _22;
> goto <bb 9>; [0.00%]
>
> <L8> [0.00%]:
> _23 = (long unsigned int) size_18;
> __builtin_memcpy (p_16, res_17, _23);
>
> <bb 9> [0.00%]:
> _24 = __u.__val;
> ASAN_MARK (POISON, &__u, 8);
> list_14->prev = list_14;
> i_13 = i_4 + 1;
>
> <bb 10> [0.00%]:
> # i_4 = PHI <i_9(2), i_13(9)>
> if (i_4 <= 9)
> goto <bb 3>; [0.00%]
> else
> goto <bb 11>; [0.00%]
>
> <bb 11> [0.00%]:
> free (p_8);
> _11 = 0;
>
> <L3> [0.00%]:
> return _11;
>
> }
>
>
>
> ;; Function _GLOBAL__sub_I_00099_0_main (_GLOBAL__sub_I_00099_0_main, funcdef_no=5, decl_uid=3178, cgraph_uid=3, symbol_order=8)
>
> _GLOBAL__sub_I_00099_0_main ()
> {
> <bb 2> [0.00%]:
> __builtin___asan_init ();
> __builtin___asan_version_mismatch_check_v8 ();
> return;
>
> }
>
>
--
Kees Cook
Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Dmitry Vyukov <dvyukov@google.com>,
Dennis Zhou <dennisszhou@gmail.com>,
Fengguang Wu <fengguang.wu@intel.com>,
Linux-MM <linux-mm@kvack.org>, Tejun Heo <tj@kernel.org>,
Christoph Lameter <cl@linux.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Josef Bacik <jbacik@fb.com>, LKML <linux-kernel@vger.kernel.org>,
LKP <lkp@01.org>, Andrey Ryabinin <aryabinin@virtuozzo.com>,
Mark Rutland <mark.rutland@arm.com>
Subject: Re: [pcpu] BUG: KASAN: use-after-scope in pcpu_setup_first_chunk+0x1e3b/0x29e2
Date: Thu, 30 Nov 2017 11:56:22 -0800 [thread overview]
Message-ID: <CAGXu5j+om_oZ63OkJwGJNpVgBPxm9Nwc_JwbR3cpfugDPN7X+w@mail.gmail.com> (raw)
In-Reply-To: <20171130192257.GB1529@localhost>
On Thu, Nov 30, 2017 at 11:22 AM, Dennis Zhou <dennisszhou@gmail.com> wrote:
> Hi Dmitry and Kees,
>
> On Thu, Nov 30, 2017 at 10:10:41AM -0800, Kees Cook wrote:
>> > Are we sure that structleak plugin is not at fault? If yes, then we
>> > need to report this to https://gcc.gnu.org/bugzilla/ with instructions
>> > on how to build/use the plugin.
>
> I believe this is an issue with the structleak plugin and not gcc. The
> bug does not show up if you compile without
> GCC_PLUGIN_STRUCTLEAK_BYREF_ALL.
>
> It seems to be caused by the initializer not respecting the ASAN_MARK
> calls. Therefore, if an inlined function gets called from a for loop,
> the initializer code gets invoked bugging in the second iteration. Below
> is the tree dump for the structleak plugin from the reproducer in the
> previous email. In bb 2 of INIT_LIST_HEAD, the __u = {} is before the
> unpoison call. This is inlined in bb 3 of main.
Ah-ha, okay. Thanks for the close examination. Ard, is this something
you have a few moment to take a look at?
-Kees
>
>>
>> I thought from earlier in this thread that the bug just changed
>> locations depending on the plugin. Does the issue still exist with the
>> plugin disabled?
>>
>
> The bug changing locations was me just verifying it was not an issue
> with percpu memory. I manually unrolled the for loop to show that the
> percpu bug disappears, but manifests later on. The issue does not exist
> with the BY_REF_ALL config.
>
> Thanks,
> Dennis
>
> ----
>
> ;; Function __write_once_size (__write_once_size, funcdef_no=2, decl_uid=3117, cgraph_uid=2, symbol_order=2)
>
> __attribute__((always_inline))
> __write_once_size (volatile void * p, void * res, int size)
> {
> unsigned char _1;
> short unsigned int _2;
> unsigned int _3;
> long unsigned int _4;
> long unsigned int _5;
>
> <bb 2> [0.00%]:
> switch (size_7(D)) <default: <L4> [0.00%], case 1: <L0> [0.00%], case 2: <L1> [0.00%], case 4: <L2> [0.00%], case 8: <L3> [0.00%]>
>
> <L0> [0.00%]:
> _1 = MEM[(__u8 *)res_9(D)];
> MEM[(volatile __u8 *)p_10(D)] ={v} _1;
> goto <bb 8>; [0.00%]
>
> <L1> [0.00%]:
> _2 = MEM[(__u16 *)res_9(D)];
> MEM[(volatile __u16 *)p_10(D)] ={v} _2;
> goto <bb 8>; [0.00%]
>
> <L2> [0.00%]:
> _3 = MEM[(__u32 *)res_9(D)];
> MEM[(volatile __u32 *)p_10(D)] ={v} _3;
> goto <bb 8>; [0.00%]
>
> <L3> [0.00%]:
> _4 = MEM[(__u64 *)res_9(D)];
> MEM[(volatile __u64 *)p_10(D)] ={v} _4;
> goto <bb 8>; [0.00%]
>
> <L4> [0.00%]:
> _5 = (long unsigned int) size_7(D);
> __builtin_memcpy (p_10(D), res_9(D), _5);
>
> <bb 8> [0.00%]:
> return;
>
> }
>
>
>
> ;; Function INIT_LIST_HEAD (INIT_LIST_HEAD, funcdef_no=3, decl_uid=3129, cgraph_uid=3, symbol_order=3)
>
>
> Symbols to be put in SSA form
> { D.3149 }
> Incremental SSA update started at block: 0
> Number of blocks in CFG: 9
> Number of blocks to update: 8 ( 89%)
>
>
> __attribute__((always_inline))
> INIT_LIST_HEAD (struct list_head * list)
> {
> volatile void * p;
> void * res;
> int size;
> union
> {
> struct list_head * __val;
> char __c[1];
> } __u;
> struct list_head * D.3135;
> struct list_head * * _1;
> struct list_head * _7;
> unsigned char _13;
> short unsigned int _14;
> unsigned int _15;
> long unsigned int _16;
> long unsigned int _17;
>
> <bb 2> [0.00%]:
> __u = {};
> ASAN_MARK (UNPOISON, &__u, 8);
> __u.__val = list_4(D);
> _1 = &list_4(D)->next;
> p_10 = _1;
> res_11 = &__u.__c;
> size_12 = 8;
> switch (size_12) <default: <L4> [0.00%], case 1: <L0> [0.00%], case 2: <L1> [0.00%], case 4: <L2> [0.00%], case 8: <L3> [0.00%]>
>
> <L0> [0.00%]:
> _13 = MEM[(__u8 *)res_11];
> MEM[(volatile __u8 *)p_10] ={v} _13;
> goto <bb 8>; [0.00%]
>
> <L1> [0.00%]:
> _14 = MEM[(__u16 *)res_11];
> MEM[(volatile __u16 *)p_10] ={v} _14;
> goto <bb 8>; [0.00%]
>
> <L2> [0.00%]:
> _15 = MEM[(__u32 *)res_11];
> MEM[(volatile __u32 *)p_10] ={v} _15;
> goto <bb 8>; [0.00%]
>
> <L3> [0.00%]:
> _16 = MEM[(__u64 *)res_11];
> MEM[(volatile __u64 *)p_10] ={v} _16;
> goto <bb 8>; [0.00%]
>
> <L4> [0.00%]:
> _17 = (long unsigned int) size_12;
> __builtin_memcpy (p_10, res_11, _17);
>
> <bb 8> [0.00%]:
> _7 = __u.__val;
> ASAN_MARK (POISON, &__u, 8);
> list_4(D)->prev = list_4(D);
> return;
>
> }
>
>
>
> ;; Function main (main, funcdef_no=4, decl_uid=3138, cgraph_uid=4, symbol_order=4)
>
>
> Symbols to be put in SSA form
> { D.3150 }
> Incremental SSA update started at block: 0
> Number of blocks in CFG: 13
> Number of blocks to update: 12 ( 92%)
>
>
> main (int argc, char * * argv)
> {
> struct list_head * D.3165;
> union
> {
> struct list_head * __val;
> char __c[1];
> } __u;
> int size;
> void * res;
> volatile void * p;
> struct list_head * list;
> int i;
> struct list_head * p;
> int D.3146;
> long unsigned int _1;
> long unsigned int _2;
> struct list_head * _3;
> int _11;
> struct list_head * * _15;
> unsigned char _19;
> short unsigned int _20;
> unsigned int _21;
> long unsigned int _22;
> long unsigned int _23;
> struct list_head * _24;
>
> <bb 2> [0.00%]:
> __u = {};
> p_8 = malloc (160);
> i_9 = 0;
> goto <bb 10>; [0.00%]
>
> <bb 3> [0.00%]:
> _1 = (long unsigned int) i_4;
> _2 = _1 * 16;
> _3 = p_8 + _2;
> list_14 = _3;
> __u = {};
> ASAN_MARK (UNPOISON, &__u, 8);
> __u.__val = list_14;
> _15 = &list_14->next;
> p_16 = _15;
> res_17 = &__u.__c;
> size_18 = 8;
> switch (size_18) <default: <L8> [0.00%], case 1: <L4> [0.00%], case 2: <L5> [0.00%], case 4: <L6> [0.00%], case 8: <L7> [0.00%]>
>
> <L4> [0.00%]:
> _19 = MEM[(__u8 *)res_17];
> MEM[(volatile __u8 *)p_16] ={v} _19;
> goto <bb 9>; [0.00%]
>
> <L5> [0.00%]:
> _20 = MEM[(__u16 *)res_17];
> MEM[(volatile __u16 *)p_16] ={v} _20;
> goto <bb 9>; [0.00%]
>
> <L6> [0.00%]:
> _21 = MEM[(__u32 *)res_17];
> MEM[(volatile __u32 *)p_16] ={v} _21;
> goto <bb 9>; [0.00%]
>
> <L7> [0.00%]:
> _22 = MEM[(__u64 *)res_17];
> MEM[(volatile __u64 *)p_16] ={v} _22;
> goto <bb 9>; [0.00%]
>
> <L8> [0.00%]:
> _23 = (long unsigned int) size_18;
> __builtin_memcpy (p_16, res_17, _23);
>
> <bb 9> [0.00%]:
> _24 = __u.__val;
> ASAN_MARK (POISON, &__u, 8);
> list_14->prev = list_14;
> i_13 = i_4 + 1;
>
> <bb 10> [0.00%]:
> # i_4 = PHI <i_9(2), i_13(9)>
> if (i_4 <= 9)
> goto <bb 3>; [0.00%]
> else
> goto <bb 11>; [0.00%]
>
> <bb 11> [0.00%]:
> free (p_8);
> _11 = 0;
>
> <L3> [0.00%]:
> return _11;
>
> }
>
>
>
> ;; Function _GLOBAL__sub_I_00099_0_main (_GLOBAL__sub_I_00099_0_main, funcdef_no=5, decl_uid=3178, cgraph_uid=3, symbol_order=8)
>
> _GLOBAL__sub_I_00099_0_main ()
> {
> <bb 2> [0.00%]:
> __builtin___asan_init ();
> __builtin___asan_version_mismatch_check_v8 ();
> return;
>
> }
>
>
--
Kees Cook
Pixel Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: lkp@lists.01.org
Subject: Re: [pcpu] BUG: KASAN: use-after-scope in pcpu_setup_first_chunk+0x1e3b/0x29e2
Date: Thu, 30 Nov 2017 11:56:22 -0800 [thread overview]
Message-ID: <CAGXu5j+om_oZ63OkJwGJNpVgBPxm9Nwc_JwbR3cpfugDPN7X+w@mail.gmail.com> (raw)
In-Reply-To: <20171130192257.GB1529@localhost>
[-- Attachment #1: Type: text/plain, Size: 7159 bytes --]
On Thu, Nov 30, 2017 at 11:22 AM, Dennis Zhou <dennisszhou@gmail.com> wrote:
> Hi Dmitry and Kees,
>
> On Thu, Nov 30, 2017 at 10:10:41AM -0800, Kees Cook wrote:
>> > Are we sure that structleak plugin is not at fault? If yes, then we
>> > need to report this to https://gcc.gnu.org/bugzilla/ with instructions
>> > on how to build/use the plugin.
>
> I believe this is an issue with the structleak plugin and not gcc. The
> bug does not show up if you compile without
> GCC_PLUGIN_STRUCTLEAK_BYREF_ALL.
>
> It seems to be caused by the initializer not respecting the ASAN_MARK
> calls. Therefore, if an inlined function gets called from a for loop,
> the initializer code gets invoked bugging in the second iteration. Below
> is the tree dump for the structleak plugin from the reproducer in the
> previous email. In bb 2 of INIT_LIST_HEAD, the __u = {} is before the
> unpoison call. This is inlined in bb 3 of main.
Ah-ha, okay. Thanks for the close examination. Ard, is this something
you have a few moment to take a look at?
-Kees
>
>>
>> I thought from earlier in this thread that the bug just changed
>> locations depending on the plugin. Does the issue still exist with the
>> plugin disabled?
>>
>
> The bug changing locations was me just verifying it was not an issue
> with percpu memory. I manually unrolled the for loop to show that the
> percpu bug disappears, but manifests later on. The issue does not exist
> with the BY_REF_ALL config.
>
> Thanks,
> Dennis
>
> ----
>
> ;; Function __write_once_size (__write_once_size, funcdef_no=2, decl_uid=3117, cgraph_uid=2, symbol_order=2)
>
> __attribute__((always_inline))
> __write_once_size (volatile void * p, void * res, int size)
> {
> unsigned char _1;
> short unsigned int _2;
> unsigned int _3;
> long unsigned int _4;
> long unsigned int _5;
>
> <bb 2> [0.00%]:
> switch (size_7(D)) <default: <L4> [0.00%], case 1: <L0> [0.00%], case 2: <L1> [0.00%], case 4: <L2> [0.00%], case 8: <L3> [0.00%]>
>
> <L0> [0.00%]:
> _1 = MEM[(__u8 *)res_9(D)];
> MEM[(volatile __u8 *)p_10(D)] ={v} _1;
> goto <bb 8>; [0.00%]
>
> <L1> [0.00%]:
> _2 = MEM[(__u16 *)res_9(D)];
> MEM[(volatile __u16 *)p_10(D)] ={v} _2;
> goto <bb 8>; [0.00%]
>
> <L2> [0.00%]:
> _3 = MEM[(__u32 *)res_9(D)];
> MEM[(volatile __u32 *)p_10(D)] ={v} _3;
> goto <bb 8>; [0.00%]
>
> <L3> [0.00%]:
> _4 = MEM[(__u64 *)res_9(D)];
> MEM[(volatile __u64 *)p_10(D)] ={v} _4;
> goto <bb 8>; [0.00%]
>
> <L4> [0.00%]:
> _5 = (long unsigned int) size_7(D);
> __builtin_memcpy (p_10(D), res_9(D), _5);
>
> <bb 8> [0.00%]:
> return;
>
> }
>
>
>
> ;; Function INIT_LIST_HEAD (INIT_LIST_HEAD, funcdef_no=3, decl_uid=3129, cgraph_uid=3, symbol_order=3)
>
>
> Symbols to be put in SSA form
> { D.3149 }
> Incremental SSA update started at block: 0
> Number of blocks in CFG: 9
> Number of blocks to update: 8 ( 89%)
>
>
> __attribute__((always_inline))
> INIT_LIST_HEAD (struct list_head * list)
> {
> volatile void * p;
> void * res;
> int size;
> union
> {
> struct list_head * __val;
> char __c[1];
> } __u;
> struct list_head * D.3135;
> struct list_head * * _1;
> struct list_head * _7;
> unsigned char _13;
> short unsigned int _14;
> unsigned int _15;
> long unsigned int _16;
> long unsigned int _17;
>
> <bb 2> [0.00%]:
> __u = {};
> ASAN_MARK (UNPOISON, &__u, 8);
> __u.__val = list_4(D);
> _1 = &list_4(D)->next;
> p_10 = _1;
> res_11 = &__u.__c;
> size_12 = 8;
> switch (size_12) <default: <L4> [0.00%], case 1: <L0> [0.00%], case 2: <L1> [0.00%], case 4: <L2> [0.00%], case 8: <L3> [0.00%]>
>
> <L0> [0.00%]:
> _13 = MEM[(__u8 *)res_11];
> MEM[(volatile __u8 *)p_10] ={v} _13;
> goto <bb 8>; [0.00%]
>
> <L1> [0.00%]:
> _14 = MEM[(__u16 *)res_11];
> MEM[(volatile __u16 *)p_10] ={v} _14;
> goto <bb 8>; [0.00%]
>
> <L2> [0.00%]:
> _15 = MEM[(__u32 *)res_11];
> MEM[(volatile __u32 *)p_10] ={v} _15;
> goto <bb 8>; [0.00%]
>
> <L3> [0.00%]:
> _16 = MEM[(__u64 *)res_11];
> MEM[(volatile __u64 *)p_10] ={v} _16;
> goto <bb 8>; [0.00%]
>
> <L4> [0.00%]:
> _17 = (long unsigned int) size_12;
> __builtin_memcpy (p_10, res_11, _17);
>
> <bb 8> [0.00%]:
> _7 = __u.__val;
> ASAN_MARK (POISON, &__u, 8);
> list_4(D)->prev = list_4(D);
> return;
>
> }
>
>
>
> ;; Function main (main, funcdef_no=4, decl_uid=3138, cgraph_uid=4, symbol_order=4)
>
>
> Symbols to be put in SSA form
> { D.3150 }
> Incremental SSA update started at block: 0
> Number of blocks in CFG: 13
> Number of blocks to update: 12 ( 92%)
>
>
> main (int argc, char * * argv)
> {
> struct list_head * D.3165;
> union
> {
> struct list_head * __val;
> char __c[1];
> } __u;
> int size;
> void * res;
> volatile void * p;
> struct list_head * list;
> int i;
> struct list_head * p;
> int D.3146;
> long unsigned int _1;
> long unsigned int _2;
> struct list_head * _3;
> int _11;
> struct list_head * * _15;
> unsigned char _19;
> short unsigned int _20;
> unsigned int _21;
> long unsigned int _22;
> long unsigned int _23;
> struct list_head * _24;
>
> <bb 2> [0.00%]:
> __u = {};
> p_8 = malloc (160);
> i_9 = 0;
> goto <bb 10>; [0.00%]
>
> <bb 3> [0.00%]:
> _1 = (long unsigned int) i_4;
> _2 = _1 * 16;
> _3 = p_8 + _2;
> list_14 = _3;
> __u = {};
> ASAN_MARK (UNPOISON, &__u, 8);
> __u.__val = list_14;
> _15 = &list_14->next;
> p_16 = _15;
> res_17 = &__u.__c;
> size_18 = 8;
> switch (size_18) <default: <L8> [0.00%], case 1: <L4> [0.00%], case 2: <L5> [0.00%], case 4: <L6> [0.00%], case 8: <L7> [0.00%]>
>
> <L4> [0.00%]:
> _19 = MEM[(__u8 *)res_17];
> MEM[(volatile __u8 *)p_16] ={v} _19;
> goto <bb 9>; [0.00%]
>
> <L5> [0.00%]:
> _20 = MEM[(__u16 *)res_17];
> MEM[(volatile __u16 *)p_16] ={v} _20;
> goto <bb 9>; [0.00%]
>
> <L6> [0.00%]:
> _21 = MEM[(__u32 *)res_17];
> MEM[(volatile __u32 *)p_16] ={v} _21;
> goto <bb 9>; [0.00%]
>
> <L7> [0.00%]:
> _22 = MEM[(__u64 *)res_17];
> MEM[(volatile __u64 *)p_16] ={v} _22;
> goto <bb 9>; [0.00%]
>
> <L8> [0.00%]:
> _23 = (long unsigned int) size_18;
> __builtin_memcpy (p_16, res_17, _23);
>
> <bb 9> [0.00%]:
> _24 = __u.__val;
> ASAN_MARK (POISON, &__u, 8);
> list_14->prev = list_14;
> i_13 = i_4 + 1;
>
> <bb 10> [0.00%]:
> # i_4 = PHI <i_9(2), i_13(9)>
> if (i_4 <= 9)
> goto <bb 3>; [0.00%]
> else
> goto <bb 11>; [0.00%]
>
> <bb 11> [0.00%]:
> free (p_8);
> _11 = 0;
>
> <L3> [0.00%]:
> return _11;
>
> }
>
>
>
> ;; Function _GLOBAL__sub_I_00099_0_main (_GLOBAL__sub_I_00099_0_main, funcdef_no=5, decl_uid=3178, cgraph_uid=3, symbol_order=8)
>
> _GLOBAL__sub_I_00099_0_main ()
> {
> <bb 2> [0.00%]:
> __builtin___asan_init ();
> __builtin___asan_version_mismatch_check_v8 ();
> return;
>
> }
>
>
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2017-11-30 19:56 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-26 6:31 [pcpu] BUG: KASAN: use-after-scope in pcpu_setup_first_chunk+0x1e3b/0x29e2 Fengguang Wu
2017-11-26 6:31 ` Fengguang Wu
2017-11-27 21:03 ` Dennis Zhou
2017-11-27 21:03 ` Dennis Zhou
2017-11-28 12:45 ` Fengguang Wu
2017-11-28 12:45 ` Fengguang Wu
2017-11-28 12:45 ` Fengguang Wu
2017-11-29 17:54 ` Dennis Zhou
2017-11-29 17:54 ` Dennis Zhou
2017-11-30 9:59 ` Dmitry Vyukov
2017-11-30 9:59 ` Dmitry Vyukov
2017-11-30 9:59 ` Dmitry Vyukov
2017-11-30 18:10 ` Kees Cook
2017-11-30 18:10 ` Kees Cook
2017-11-30 18:10 ` Kees Cook
2017-11-30 19:22 ` Dennis Zhou
2017-11-30 19:22 ` Dennis Zhou
2017-11-30 19:56 ` Kees Cook [this message]
2017-11-30 19:56 ` Kees Cook
2017-11-30 19:56 ` Kees Cook
2017-11-30 19:58 ` Ard Biesheuvel
2017-11-30 19:58 ` Ard Biesheuvel
2017-11-30 19:58 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5j+om_oZ63OkJwGJNpVgBPxm9Nwc_JwbR3cpfugDPN7X+w@mail.gmail.com \
--to=keescook@chromium.org \
--cc=ard.biesheuvel@linaro.org \
--cc=aryabinin@virtuozzo.com \
--cc=cl@linux.com \
--cc=dennisszhou@gmail.com \
--cc=dvyukov@google.com \
--cc=fengguang.wu@intel.com \
--cc=jbacik@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lkp@01.org \
--cc=mark.rutland@arm.com \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.