From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S941491AbcKQRQE (ORCPT ); Thu, 17 Nov 2016 12:16:04 -0500 Received: from mail-yb0-f196.google.com ([209.85.213.196]:34931 "EHLO mail-yb0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754595AbcKQRQA (ORCPT ); Thu, 17 Nov 2016 12:16:00 -0500 From: Vince Weaver X-Google-Original-From: Vince Weaver Date: Thu, 17 Nov 2016 12:15:54 -0500 (EST) X-X-Sender: vince@macbook-air To: Dmitry Vyukov cc: Josh Poimboeuf , Vince Weaver , Peter Zijlstra , "linux-kernel@vger.kernel.org" , Ingo Molnar , Arnaldo Carvalho de Melo , "davej@codemonkey.org.uk" , Stephane Eranian Subject: Re: perf: fuzzer KASAN unwind_get_return_address In-Reply-To: Message-ID: References: <20161116143746.zoxdxrfqvmx35wln@treble> <20161116144943.GB3117@twins.programming.kicks-ass.net> <20161116145849.GR3157@twins.programming.kicks-ass.net> <20161117044828.vedc3whqkuki624r@treble> <20161117090446.GC3142@twins.programming.kicks-ass.net> <20161117091341.GS3157@twins.programming.kicks-ass.net> <20161117093028.GT3157@twins.programming.kicks-ass.net> <20161117140150.o6vy7bsrbjkg2nzd@treble> <20161117143620.qi6ebud3xqwj6pvb@treble> User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 17 Nov 2016, Dmitry Vyukov wrote: > On Thu, Nov 17, 2016 at 3:36 PM, Josh Poimboeuf wrote: > > On Thu, Nov 17, 2016 at 09:25:58AM -0500, Vince Weaver wrote: > >> On Thu, 17 Nov 2016, Josh Poimboeuf wrote: > >> > >> > On Thu, Nov 17, 2016 at 10:48:27AM +0100, Dmitry Vyukov wrote: > >> > > Just in case, there is currently a known KASAN false positive related > >> > > to longjmp's on GPFs. When a syscall hits GPF stack is unwound to > >> > > kernel entry point, this leaves a bunch of stray poisoned redzones on > >> > > the thread stack. They later cause false stack-out-of-bounds reports. > >> > > > >> > > But this does not seem to be the case here. Kernel is not tainted. And > >> > > shadow at the bottom of the reports looks sane. > >> > > > >> > > But if that's the case somehow, we will need to add > >> > > kasan_unpoison_remaining_stack() call before a longjmp like we did for > >> > > jprobe_return(): > >> > > https://groups.google.com/d/msg/kasan-dev/Hzox58yZ4MU/TOdFoWMuBQAJ > >> > > >> > I'm pretty sure this isn't a KASAN false positive. The unwinder does > >> > actually seem to be accessing a bad area of the stack, in the middle of > >> > a function's stack frame. > >> > >> I'm having trouble reproducing it on a few other machines I have fuzzing. > >> So there might be some kernel option contributing, I need to compare > >> .configs. > >> > >> Also the machine that easily triggers the problem I'm compiling with > >> gcc-5.4 where the machines I can't are using gcc-4.9. > > > > I believe KASAN only works with gcc 5 and later, so that would explain > > why you aren't seeing it with gcc 4.9. > > Right. 4.9 has limited support for KASAN. It supports general > instrumentation, but only with CONFIG_KASAN_OUTLINE, and it does not > support stack poisoning. Which is required to detect stack OOBs. I guess it's time to update the other machines to debian-unstable then. I didn't really need to be able to run dmesg as non-root anyway. I would actually be compiling the kernels with gcc-6.2 rather than gcc-5 but that seems to not work currently. Haven't had time to see if that's a known issue or not. Vince