linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Niklas Cassel <Niklas.Cassel@wdc.com>
To: Kees Cook <keescook@chromium.org>
Cc: "linux-hardening@vger.kernel.org"
	<linux-hardening@vger.kernel.org>,
	Miguel Ojeda <ojeda@kernel.org>,
	Siddhesh Poyarekar <siddhesh@gotplt.org>,
	Arnd Bergmann <arnd@arndb.de>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Nathan Chancellor <nathan@kernel.org>, Tom Rix <trix@redhat.com>,
	"llvm@lists.linux.dev" <llvm@lists.linux.dev>,
	Juergen Gross <jgross@suse.com>,
	Boris Ostrovsky <boris.ostrovsky@oracle.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Damien Le Moal <damien.lemoal@opensource.wdc.com>,
	"linux-next@vger.kernel.org" <linux-next@vger.kernel.org>
Subject: linux-next - bxnt buffer overflow in strnlen
Date: Fri, 13 Jan 2023 15:59:21 +0000	[thread overview]
Message-ID: <Y8F/1w1AZTvLglFX@x1-carbon> (raw)
In-Reply-To: <20220920192202.190793-5-keescook@chromium.org>

On Tue, Sep 20, 2022 at 12:22:02PM -0700, Kees Cook wrote:
> Since the commits starting with c37495d6254c ("slab: add __alloc_size
> attributes for better bounds checking"), the compilers have runtime
> allocation size hints available in some places. This was immediately
> available to CONFIG_UBSAN_BOUNDS, but CONFIG_FORTIFY_SOURCE needed
> updating to explicitly make use the hints via the associated
> __builtin_dynamic_object_size() helper. Detect and use the builtin when
> it is available, increasing the accuracy of the mitigation. When runtime
> sizes are not available, __builtin_dynamic_object_size() falls back to
> __builtin_object_size(), leaving the existing bounds checking unchanged.
> 
> Additionally update the VMALLOC_LINEAR_OVERFLOW LKDTM test to make the
> hint invisible, otherwise the architectural defense is not exercised
> (the buffer overflow is detected in the memset() rather than when it
> crosses the edge of the allocation).
> 
> Cc: Miguel Ojeda <ojeda@kernel.org>
> Cc: Siddhesh Poyarekar <siddhesh@gotplt.org>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Nathan Chancellor <nathan@kernel.org>
> Cc: Tom Rix <trix@redhat.com>
> Cc: linux-hardening@vger.kernel.org
> Cc: llvm@lists.linux.dev
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---

Hello Kees,

Unfortunately, this commit introduces a crash in the bxnt
ethernet driver when booting linux-next.

I haven't looked at the code in the bxnt ethernet driver,
I simply know that machine boots fine on v6.2.0-rc3,
but fails to boot with linux-next.

So I started an automatic git bisect, which returned:
439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available")

$ grep CC_VERSION .config
CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.2.1 20221121 (Red Hat 12.2.1-4)"
CONFIG_GCC_VERSION=120201

$ grep FORTIFY .config
CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
CONFIG_FORTIFY_SOURCE=y


dmesg output:

<0>[   10.805253] detected buffer overflow in strnlen
<4>[   10.810683] ------------[ cut here ]------------
<2>[   10.816035] kernel BUG at lib/string_helpers.c:1027!
<4>[   10.821753] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[   10.822737] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc3-next-20230112+ #4
<4>[   10.834787] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.4 04/14/2022
<4>[   10.839875] RIP: 0010:fortify_panic+0xf/0x11
<4>[   10.844962] Code: e0 e8 da 83 0a ff e9 31 45 6d ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 89 fe 48 c7 c7 78 69 d6 9f e8 01 ea fc ff <0f> 0b 48 8b 4c 24 18 48 8b 54 24 10 4c 8d 44 24 25 48 c7 c7 b6 69
<4>[   10.865321] RSP: 0018:ffffb547c005bb98 EFLAGS: 00010246
<4>[   10.870406] RAX: 0000000000000023 RBX: ffff94f0582bc400 RCX: 0000000000000000
<4>[   10.880584] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff
<4>[   10.885672] RBP: ffff94f0582bc424 R08: 0000000000000000 R09: ffffb547c005ba60
<4>[   10.895849] R10: 0000000000000003 R11: ffffffffa0182448 R12: 696c66666f282074
<4>[   10.900937] R13: 736574206b636162 R14: 0000000000000001 R15: ffff94f0545f8b40
<4>[   10.911113] FS:  0000000000000000(0000) GS:ffff950f07380000(0000) knlGS:0000000000000000
<4>[   10.916201] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[   10.926382] CR2: 0000000000000000 CR3: 000000204c05a000 CR4: 0000000000350ee0
<4>[   10.931470] Call Trace:
<6>[   10.936317] ata9: SATA link down (SStatus 0 SControl 300)
<4>[   10.936745]  <TASK>
<4>[   10.936745]  bnxt_ethtool_init.cold+0x18/0x18
<4>[   10.936745]  ? dma_pool_free+0x14d/0x160
<6>[   10.942591] ata10: SATA link down (SStatus 0 SControl 300)
<4>[   10.942663]  bnxt_fw_init_one_p2+0x18d/0x5e0
<6>[   10.949046] ata4: SATA link down (SStatus 0 SControl 300)
<4>[   10.949841]  bnxt_init_one+0x401/0xf10
<6>[   10.958451] ata6: SATA link down (SStatus 0 SControl 300)
<4>[   10.958854]  local_pci_probe+0x41/0x80
<6>[   10.968114] ata3: SATA link down (SStatus 0 SControl 300)
<4>[   10.968892]  pci_device_probe+0x1e2/0x210
<6>[   10.977259] ata8: SATA link down (SStatus 0 SControl 300)
<4>[   10.977657]  really_probe+0xde/0x380
<6>[   10.986406] ata5: SATA link down (SStatus 0 SControl 300)
<4>[   10.986817]  ? pm_runtime_barrier+0x50/0x90
<4>[   10.986817]  __driver_probe_device+0x78/0x170
<6>[   10.996042] ata7: SATA link down (SStatus 0 SControl 300)
<4>[   10.996978]  driver_probe_device+0x1f/0x90
<4>[   10.996978]  __driver_attach+0xd2/0x1c0
<4>[   10.996978]  ? __pfx___driver_attach+0x10/0x10
<4>[   10.996978]  bus_for_each_dev+0x65/0x90
<4>[   11.047368]  bus_add_driver+0x1b1/0x200
<4>[   11.052640]  driver_register+0x89/0xe0
<4>[   11.057487]  ? __pfx_bnxt_init+0x10/0x10
<4>[   11.061634]  bnxt_init+0x20/0x33
<4>[   11.065015]  do_one_initcall+0x5b/0x340
<4>[   11.070105]  ? rcu_read_lock_sched_held+0x3f/0x80
<4>[   11.075198]  kernel_init_freeable+0x29e/0x2ee
<4>[   11.080635]  ? __pfx_kernel_init+0x10/0x10
<4>[   11.085379]  kernel_init+0x16/0x140
<6>[   11.087743] ata16: SATA link down (SStatus 0 SControl 300)
<4>[   11.086528]  ret_from_fork+0x2c/0x50
<4>[   11.086528]  </TASK>
<6>[   11.094437] ata17: SATA link down (SStatus 0 SControl 300)
<4>[   11.094645] Modules linked in:
<4>[   11.097999] ---[ end trace 0000000000000000 ]---
<6>[   11.100194] ata18: SATA link down (SStatus 0 SControl 300)


Kind regards,
Niklas

  parent reply	other threads:[~2023-01-13 16:07 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-20 19:21 [PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when available Kees Cook
2022-09-20 19:21 ` [PATCH 1/4] x86/entry: Work around Clang __bdos() bug Kees Cook
2022-09-21  0:07   ` Boris Ostrovsky
2022-09-20 19:22 ` [PATCH 2/4] fortify: Explicitly check bounds are compile-time constants Kees Cook
2022-09-21 11:48   ` Siddhesh Poyarekar
2022-09-22  3:46     ` Kees Cook
2022-09-20 19:22 ` [PATCH 3/4] fortify: Convert to struct vs member helpers Kees Cook
2022-09-20 19:22 ` [PATCH 4/4] fortify: Use __builtin_dynamic_object_size() when available Kees Cook
2022-09-21 11:24   ` Miguel Ojeda
2022-09-21 11:43   ` Siddhesh Poyarekar
2022-09-22  3:33     ` Kees Cook
2022-09-22 14:45       ` Siddhesh Poyarekar
2022-11-22 10:20   ` Siddhesh Poyarekar
2022-11-23  5:15     ` Kees Cook
2022-11-23 15:29       ` Siddhesh Poyarekar
2023-01-13 15:59   ` Niklas Cassel [this message]
2023-01-13 16:08     ` linux-next - bnxt buffer overflow in strnlen Niklas Cassel
2023-01-13 22:44       ` Kees Cook
2023-01-16 10:56         ` Niklas Cassel
2022-09-22 20:26 ` [PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when available Siddhesh Poyarekar
2022-09-23  0:20   ` Kees Cook
2022-09-23  0:55     ` Siddhesh Poyarekar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y8F/1w1AZTvLglFX@x1-carbon \
    --to=niklas.cassel@wdc.com \
    --cc=arnd@arndb.de \
    --cc=boris.ostrovsky@oracle.com \
    --cc=damien.lemoal@opensource.wdc.com \
    --cc=jgross@suse.com \
    --cc=keescook@chromium.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-next@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=nathan@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=ojeda@kernel.org \
    --cc=siddhesh@gotplt.org \
    --cc=trix@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).