From: Niklas Cassel <Niklas.Cassel@wdc.com>
To: Kees Cook <keescook@chromium.org>
Cc: "linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
Miguel Ojeda <ojeda@kernel.org>,
Siddhesh Poyarekar <siddhesh@gotplt.org>,
Arnd Bergmann <arnd@arndb.de>,
Nick Desaulniers <ndesaulniers@google.com>,
Nathan Chancellor <nathan@kernel.org>, Tom Rix <trix@redhat.com>,
"llvm@lists.linux.dev" <llvm@lists.linux.dev>,
Juergen Gross <jgross@suse.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Damien Le Moal <damien.lemoal@opensource.wdc.com>,
"linux-next@vger.kernel.org" <linux-next@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Michael Chan <michael.chan@broadcom.com>
Subject: Re: linux-next - bnxt buffer overflow in strnlen
Date: Fri, 13 Jan 2023 16:08:21 +0000 [thread overview]
Message-ID: <Y8GB9DMtcSP/8e/i@x1-carbon> (raw)
In-Reply-To: <Y8F/1w1AZTvLglFX@x1-carbon>
On Fri, Jan 13, 2023 at 04:59:19PM +0100, Niklas Cassel wrote:
> On Tue, Sep 20, 2022 at 12:22:02PM -0700, Kees Cook wrote:
> > Since the commits starting with c37495d6254c ("slab: add __alloc_size
> > attributes for better bounds checking"), the compilers have runtime
> > allocation size hints available in some places. This was immediately
> > available to CONFIG_UBSAN_BOUNDS, but CONFIG_FORTIFY_SOURCE needed
> > updating to explicitly make use the hints via the associated
> > __builtin_dynamic_object_size() helper. Detect and use the builtin when
> > it is available, increasing the accuracy of the mitigation. When runtime
> > sizes are not available, __builtin_dynamic_object_size() falls back to
> > __builtin_object_size(), leaving the existing bounds checking unchanged.
> >
> > Additionally update the VMALLOC_LINEAR_OVERFLOW LKDTM test to make the
> > hint invisible, otherwise the architectural defense is not exercised
> > (the buffer overflow is detected in the memset() rather than when it
> > crosses the edge of the allocation).
> >
> > Cc: Miguel Ojeda <ojeda@kernel.org>
> > Cc: Siddhesh Poyarekar <siddhesh@gotplt.org>
> > Cc: Arnd Bergmann <arnd@arndb.de>
> > Cc: Nick Desaulniers <ndesaulniers@google.com>
> > Cc: Nathan Chancellor <nathan@kernel.org>
> > Cc: Tom Rix <trix@redhat.com>
> > Cc: linux-hardening@vger.kernel.org
> > Cc: llvm@lists.linux.dev
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
>
> Hello Kees,
>
> Unfortunately, this commit introduces a crash in the bnxt
> ethernet driver when booting linux-next.
>
> I haven't looked at the code in the bnxt ethernet driver,
> I simply know that machine boots fine on v6.2.0-rc3,
> but fails to boot with linux-next.
>
> So I started an automatic git bisect, which returned:
> 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available")
>
> $ grep CC_VERSION .config
> CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.2.1 20221121 (Red Hat 12.2.1-4)"
> CONFIG_GCC_VERSION=120201
>
> $ grep FORTIFY .config
> CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
> CONFIG_FORTIFY_SOURCE=y
>
>
> dmesg output:
>
> <0>[ 10.805253] detected buffer overflow in strnlen
> <4>[ 10.810683] ------------[ cut here ]------------
> <2>[ 10.816035] kernel BUG at lib/string_helpers.c:1027!
> <4>[ 10.821753] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
> <4>[ 10.822737] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc3-next-20230112+ #4
> <4>[ 10.834787] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.4 04/14/2022
> <4>[ 10.839875] RIP: 0010:fortify_panic+0xf/0x11
> <4>[ 10.844962] Code: e0 e8 da 83 0a ff e9 31 45 6d ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 89 fe 48 c7 c7 78 69 d6 9f e8 01 ea fc ff <0f> 0b 48 8b 4c 24 18 48 8b 54 24 10 4c 8d 44 24 25 48 c7 c7 b6 69
> <4>[ 10.865321] RSP: 0018:ffffb547c005bb98 EFLAGS: 00010246
> <4>[ 10.870406] RAX: 0000000000000023 RBX: ffff94f0582bc400 RCX: 0000000000000000
> <4>[ 10.880584] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff
> <4>[ 10.885672] RBP: ffff94f0582bc424 R08: 0000000000000000 R09: ffffb547c005ba60
> <4>[ 10.895849] R10: 0000000000000003 R11: ffffffffa0182448 R12: 696c66666f282074
> <4>[ 10.900937] R13: 736574206b636162 R14: 0000000000000001 R15: ffff94f0545f8b40
> <4>[ 10.911113] FS: 0000000000000000(0000) GS:ffff950f07380000(0000) knlGS:0000000000000000
> <4>[ 10.916201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> <4>[ 10.926382] CR2: 0000000000000000 CR3: 000000204c05a000 CR4: 0000000000350ee0
> <4>[ 10.931470] Call Trace:
> <6>[ 10.936317] ata9: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.936745] <TASK>
> <4>[ 10.936745] bnxt_ethtool_init.cold+0x18/0x18
> <4>[ 10.936745] ? dma_pool_free+0x14d/0x160
> <6>[ 10.942591] ata10: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.942663] bnxt_fw_init_one_p2+0x18d/0x5e0
> <6>[ 10.949046] ata4: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.949841] bnxt_init_one+0x401/0xf10
> <6>[ 10.958451] ata6: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.958854] local_pci_probe+0x41/0x80
> <6>[ 10.968114] ata3: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.968892] pci_device_probe+0x1e2/0x210
> <6>[ 10.977259] ata8: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.977657] really_probe+0xde/0x380
> <6>[ 10.986406] ata5: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.986817] ? pm_runtime_barrier+0x50/0x90
> <4>[ 10.986817] __driver_probe_device+0x78/0x170
> <6>[ 10.996042] ata7: SATA link down (SStatus 0 SControl 300)
> <4>[ 10.996978] driver_probe_device+0x1f/0x90
> <4>[ 10.996978] __driver_attach+0xd2/0x1c0
> <4>[ 10.996978] ? __pfx___driver_attach+0x10/0x10
> <4>[ 10.996978] bus_for_each_dev+0x65/0x90
> <4>[ 11.047368] bus_add_driver+0x1b1/0x200
> <4>[ 11.052640] driver_register+0x89/0xe0
> <4>[ 11.057487] ? __pfx_bnxt_init+0x10/0x10
> <4>[ 11.061634] bnxt_init+0x20/0x33
> <4>[ 11.065015] do_one_initcall+0x5b/0x340
> <4>[ 11.070105] ? rcu_read_lock_sched_held+0x3f/0x80
> <4>[ 11.075198] kernel_init_freeable+0x29e/0x2ee
> <4>[ 11.080635] ? __pfx_kernel_init+0x10/0x10
> <4>[ 11.085379] kernel_init+0x16/0x140
> <6>[ 11.087743] ata16: SATA link down (SStatus 0 SControl 300)
> <4>[ 11.086528] ret_from_fork+0x2c/0x50
> <4>[ 11.086528] </TASK>
> <6>[ 11.094437] ata17: SATA link down (SStatus 0 SControl 300)
> <4>[ 11.094645] Modules linked in:
> <4>[ 11.097999] ---[ end trace 0000000000000000 ]---
> <6>[ 11.100194] ata18: SATA link down (SStatus 0 SControl 300)
>
>
> Kind regards,
> Niklas
+netdev
+bnxt maintainers
next prev parent reply other threads:[~2023-01-13 16:09 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-20 19:21 [PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when available Kees Cook
2022-09-20 19:21 ` [PATCH 1/4] x86/entry: Work around Clang __bdos() bug Kees Cook
2022-09-21 0:07 ` Boris Ostrovsky
2022-09-20 19:22 ` [PATCH 2/4] fortify: Explicitly check bounds are compile-time constants Kees Cook
2022-09-21 11:48 ` Siddhesh Poyarekar
2022-09-22 3:46 ` Kees Cook
2022-09-20 19:22 ` [PATCH 3/4] fortify: Convert to struct vs member helpers Kees Cook
2022-09-20 19:22 ` [PATCH 4/4] fortify: Use __builtin_dynamic_object_size() when available Kees Cook
2022-09-21 11:24 ` Miguel Ojeda
2022-09-21 11:43 ` Siddhesh Poyarekar
2022-09-22 3:33 ` Kees Cook
2022-09-22 14:45 ` Siddhesh Poyarekar
2022-11-22 10:20 ` Siddhesh Poyarekar
2022-11-23 5:15 ` Kees Cook
2022-11-23 15:29 ` Siddhesh Poyarekar
2023-01-13 15:59 ` linux-next - bxnt buffer overflow in strnlen Niklas Cassel
2023-01-13 16:08 ` Niklas Cassel [this message]
2023-01-13 22:44 ` linux-next - bnxt " Kees Cook
2023-01-16 10:56 ` Niklas Cassel
2022-09-22 20:26 ` [PATCH 0/4] fortify: Use __builtin_dynamic_object_size() when available Siddhesh Poyarekar
2022-09-23 0:20 ` Kees Cook
2022-09-23 0:55 ` Siddhesh Poyarekar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y8GB9DMtcSP/8e/i@x1-carbon \
--to=niklas.cassel@wdc.com \
--cc=arnd@arndb.de \
--cc=boris.ostrovsky@oracle.com \
--cc=damien.lemoal@opensource.wdc.com \
--cc=jgross@suse.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-next@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=michael.chan@broadcom.com \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=netdev@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=siddhesh@gotplt.org \
--cc=trix@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).