From: Josh Poimboeuf <jpoimboe@redhat.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Ivan Babrou <ivan@cloudflare.com>,
kernel-team <kernel-team@cloudflare.com>,
Ignat Korchagin <ignat@cloudflare.com>,
Hailong liu <liu.hailong6@zte.com.cn>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Miroslav Benes <mbenes@suse.cz>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Julien Thierry <jthierry@redhat.com>,
Jiri Slaby <jirislaby@kernel.org>,
kasan-dev@googlegroups.com, linux-mm@kvack.org,
linux-kernel <linux-kernel@vger.kernel.org>,
Alasdair Kergon <agk@redhat.com>,
Mike Snitzer <snitzer@redhat.com>,
dm-devel@redhat.com, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>, Andrii Nakryiko <andriin@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@chromium.org>, Robert Richter <rric@kernel.org>,
"Joel Fernandes (Google)" <joel@joelfernandes.org>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Linux Kernel Network Developers <netdev@vger.kernel.org>,
bpf@vger.kernel.org
Subject: Re: BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1df5/0x2650
Date: Wed, 3 Feb 2021 21:09:48 -0600 [thread overview]
Message-ID: <20210204030948.dmsmwyw6fu5kzgey@treble> (raw)
In-Reply-To: <20210203214448.2703930e@oasis.local.home>
On Wed, Feb 03, 2021 at 09:44:48PM -0500, Steven Rostedt wrote:
> > > [ 128.441287][ C0] RIP: 0010:skcipher_walk_next
> > > (crypto/skcipher.c:322 crypto/skcipher.c:384)
>
> Why do we have an RIP in skcipher_walk_next, if its the unwinder that
> had a bug? Or are they related?
>
> Or did skcipher_walk_next trigger something in KASAN which did a stack
> walk via the unwinder, and that caused another issue?
It was interrupted by an IRQ, which then called kfree(), which then
called kasan_save_stack(), which then called the unwinder, which then
read "out-of-bounds" between stack frames.
In this case it was because of some crypto code missing ORC annotations.
> Looking at the unwinder code in question, we have:
>
> static bool deref_stack_regs(struct unwind_state *state, unsigned long addr,
> unsigned long *ip, unsigned long *sp)
> {
> struct pt_regs *regs = (struct pt_regs *)addr;
>
> /* x86-32 support will be more complicated due to the ®s->sp hack */
> BUILD_BUG_ON(IS_ENABLED(CONFIG_X86_32));
>
> if (!stack_access_ok(state, addr, sizeof(struct pt_regs)))
> return false;
>
> *ip = regs->ip;
> *sp = regs->sp; <- pointer to here
> return true;
> }
>
> and the caller of the above static function:
>
> case UNWIND_HINT_TYPE_REGS:
> if (!deref_stack_regs(state, sp, &state->ip, &state->sp)) {
> orc_warn_current("can't access registers at %pB\n",
> (void *)orig_ip);
> goto err;
> }
>
>
> Could it possibly be that there's some magic canary on the stack that
> causes KASAN to trigger if you read it?
Right, the unwinder isn't allowed to read between stack frames.
In fact, you read my mind, I was looking at the other warning in network
code:
[160676.598929][ C4] asm_common_interrupt+0x1e/0x40
[160676.608966][ C4] RIP: 0010:0xffffffffc17d814c
[160676.618812][ C4] Code: 8b 4c 24 40 4c 8b 44 24 48 48 8b 7c 24 70 48 8b 74 24 68 48 8b 54 24 60 48 8b 4c 24 58 48 8b 44 24 50 48 81 c4 a8 00 00 00 9d <c3> 20 27 af 8f ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00
[160676.649371][ C4] RSP: 0018:ffff8893dfd4f620 EFLAGS: 00000282
[160676.661073][ C4] RAX: 0000000000000000 RBX: ffff8881be9c9c80 RCX: 0000000000000000
[160676.674788][ C4] RDX: dffffc0000000000 RSI: 000000000000000b RDI: ffff8881be9c9c80
[160676.688508][ C4] RBP: ffff8881be9c9ce0 R08: 0000000000000000 R09: ffff8881908c4c97
[160676.702249][ C4] R10: ffffed1032118992 R11: ffff88818a4ce68c R12: ffff8881be9c9eea
[160676.716000][ C4] R13: ffff8881be9c9c92 R14: ffff8880063ba5ac R15: ffff8880063ba5a8
[160676.729895][ C4] ? tcp_set_state+0x5/0x620
[160676.740426][ C4] ? tcp_fin+0xeb/0x5a0
[160676.750287][ C4] ? tcp_data_queue+0x1e78/0x4ce0
[160676.761089][ C4] ? tcp_urg+0x76/0xc50
This line gives a big clue:
[160676.608966][ C4] RIP: 0010:0xffffffffc17d814c
That address, without a function name, most likely means that it was
running in some generated code (mostly likely BPF) when it got
interrupted.
Right now, the ORC unwinder tries to fall back to frame pointers when it
encounters generated code:
orc = orc_find(state->signal ? state->ip : state->ip - 1);
if (!orc)
/*
* As a fallback, try to assume this code uses a frame pointer.
* This is useful for generated code, like BPF, which ORC
* doesn't know about. This is just a guess, so the rest of
* the unwind is no longer considered reliable.
*/
orc = &orc_fp_entry;
state->error = true;
}
Because the ORC unwinder is guessing from that point onward, it's
possible for it to read the KASAN stack redzone, if the generated code
hasn't set up frame pointers. So the best fix may be for the unwinder
to just always bypass KASAN when reading the stack.
The unwinder has a mechanism for detecting and warning about
out-of-bounds, and KASAN is short-circuiting that.
This should hopefully get rid of *all* the KASAN unwinder warnings, both
crypto and networking.
diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
index 040194d079b6..1f69a23a4715 100644
--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -376,8 +376,8 @@ static bool deref_stack_regs(struct unwind_state *state, unsigned long addr,
if (!stack_access_ok(state, addr, sizeof(struct pt_regs)))
return false;
- *ip = regs->ip;
- *sp = regs->sp;
+ *ip = READ_ONCE_NOCHECK(regs->ip);
+ *sp = READ_ONCE_NOCHECK(regs->sp);
return true;
}
@@ -389,8 +389,8 @@ static bool deref_stack_iret_regs(struct unwind_state *state, unsigned long addr
if (!stack_access_ok(state, addr, IRET_FRAME_SIZE))
return false;
- *ip = regs->ip;
- *sp = regs->sp;
+ *ip = READ_ONCE_NOCHECK(regs->ip);
+ *sp = READ_ONCE_NOCHECK(regs->sp);
return true;
}
@@ -411,12 +411,12 @@ static bool get_reg(struct unwind_state *state, unsigned int reg_off,
return false;
if (state->full_regs) {
- *val = ((unsigned long *)state->regs)[reg];
+ *val = READ_ONCE_NOCHECK(((unsigned long *)state->regs)[reg]);
return true;
}
if (state->prev_regs) {
- *val = ((unsigned long *)state->prev_regs)[reg];
+ *val = READ_ONCE_NOCHECK(((unsigned long *)state->prev_regs)[reg]);
return true;
}
next prev parent reply other threads:[~2021-02-04 3:11 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CABWYdi3HjduhY-nQXzy2ezGbiMB1Vk9cnhW2pMypUa+P1OjtzQ@mail.gmail.com>
2021-02-03 3:09 ` BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1df5/0x2650 Ivan Babrou
2021-02-03 16:46 ` Peter Zijlstra
2021-02-03 17:46 ` Ivan Babrou
2021-02-03 19:05 ` Josh Poimboeuf
2021-02-03 22:41 ` Ivan Babrou
2021-02-03 23:27 ` Josh Poimboeuf
2021-02-03 23:30 ` Ivan Babrou
2021-02-04 0:17 ` Josh Poimboeuf
2021-02-04 0:52 ` Ivan Babrou
2021-02-04 2:37 ` Josh Poimboeuf
2021-02-04 19:51 ` Ivan Babrou
2021-02-04 20:22 ` Josh Poimboeuf
2021-02-04 9:22 ` Peter Zijlstra
2021-02-04 2:44 ` Steven Rostedt
2021-02-04 3:09 ` Josh Poimboeuf [this message]
2021-02-04 18:41 ` Ivan Babrou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210204030948.dmsmwyw6fu5kzgey@treble \
--to=jpoimboe@redhat.com \
--cc=agk@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=andriin@fb.com \
--cc=aryabinin@virtuozzo.com \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dm-devel@redhat.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=ignat@cloudflare.com \
--cc=ivan@cloudflare.com \
--cc=jirislaby@kernel.org \
--cc=joel@joelfernandes.org \
--cc=john.fastabend@gmail.com \
--cc=jthierry@redhat.com \
--cc=kafai@fb.com \
--cc=kasan-dev@googlegroups.com \
--cc=kernel-team@cloudflare.com \
--cc=kpsingh@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=liu.hailong6@zte.com.cn \
--cc=mathieu.desnoyers@efficios.com \
--cc=mbenes@suse.cz \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=rric@kernel.org \
--cc=snitzer@redhat.com \
--cc=songliubraving@fb.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).