From: Kees Cook <keescook@chromium.org>
To: kernel test robot <rong.a.chen@intel.com>
Cc: clang-built-linux@googlegroups.com, LKP <lkp@lists.01.org>,
"Linus, Torvalds," <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linux Memory Management List <linux-mm@kvack.org>,
linux-kernel@vger.kernel.org
Subject: Re: 0887a7ebc9 ("ubsan: add trap instrumentation option"): BUG: kernel hang in early-boot stage, last printk: early console in setup code
Date: Mon, 8 Jun 2020 12:00:11 -0700 [thread overview]
Message-ID: <202006081144.933995E4@keescook> (raw)
In-Reply-To: <20200608060407.GX12456@shao2-debian>
On Mon, Jun 08, 2020 at 02:04:08PM +0800, kernel test robot wrote:
> The issue seems due to the lack of "-fsanitize-undefined-trap-on-error" in clang.
Hm? No, that's supported in Clang (at least as far back as Clang 9.)
> Greetings,
>
> 0day kernel testing robot got the below dmesg and the first bad commit is
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>
> commit 0887a7ebc97770c7870abf3075a2e8cd502a7f52
> Author: Kees Cook <keescook@chromium.org>
> AuthorDate: Mon Apr 6 20:12:27 2020 -0700
> Commit: Linus Torvalds <torvalds@linux-foundation.org>
> CommitDate: Tue Apr 7 10:43:44 2020 -0700
>
> ubsan: add trap instrumentation option
In the randconfig, I see CONFIG_UBSAN_TRAP is enabled with lots of other
UBSAN options. If you're not expecting the results, it's very likely the
false positives in UBSAN are going to do bad things. :) This is "working
as expected", as noted in the commit log quoted below.
>
> Patch series "ubsan: Split out bounds checker", v5.
>
> This splits out the bounds checker so it can be individually used. This
> is enabled in Android and hopefully for syzbot. Includes LKDTM tests for
> behavioral corner-cases (beyond just the bounds checker), and adjusts
> ubsan and kasan slightly for correct panic handling.
>
> This patch (of 6):
>
> The Undefined Behavior Sanitizer can operate in two modes: warning
> reporting mode via lib/ubsan.c handler calls, or trap mode, which uses
> __builtin_trap() as the handler. Using lib/ubsan.c means the kernel image
> is about 5% larger (due to all the debugging text and reporting structures
> to capture details about the warning conditions). Using the trap mode,
> the image size changes are much smaller, though at the loss of the
> "warning only" mode.
>
> In order to give greater flexibility to system builders that want minimal
> changes to image size and are prepared to deal with kernel code being
> aborted and potentially destabilizing the system, this introduces
> CONFIG_UBSAN_TRAP. The resulting image sizes comparison:
>
> text data bss dec hex filename
> 19533663 6183037 18554956 44271656 2a38828 vmlinux.stock
> 19991849 7618513 18874448 46484810 2c54d4a vmlinux.ubsan
> 19712181 6284181 18366540 44362902 2a4ec96 vmlinux.ubsan-trap
>
> CONFIG_UBSAN=y: image +4.8% (text +2.3%, data +18.9%)
> CONFIG_UBSAN_TRAP=y: image +0.2% (text +0.9%, data +1.6%)
>
> Additionally adjusts the CONFIG_UBSAN Kconfig help for clarity and removes
> the mention of non-existing boot param "ubsan_handle".
If you're trying to _boot_ a randconfig, I suspect there are going to be
a lot of surprises with UBSAN (in any mode) enabled. Right now, likely the
least noisy of them all is UBSAN_BOUNDS, which was split out for fuzzers.
FWIW, the dmesg appears to be catching a NULL pointer dereference
(enabled via CONFIG_UBSAN_MISC):
[ 0.047646] UBSAN: Undefined behaviour in drivers/acpi/acpica/tbfadt.c:459:37
[ 0.047650] member access within null pointer of type 'struct acpi_table_fadt'
[ 0.047655] CPU: 0 PID: 0 Comm: swapper Not tainted 5.6.0-11597-g7baf219982281 #1
[ 0.047659] Call Trace:
[ 0.047676] dump_stack+0x88/0xb9
[ 0.047684] ? ubsan_prologue+0x21/0x46
[ 0.047689] ? ubsan_type_mismatch_common+0x188/0x19e
[ 0.047695] ? __ubsan_handle_type_mismatch_v1+0x45/0x4a
[ 0.047701] ? acpi_tb_create_local_fadt+0xaa/0x435
[ 0.047706] ? acpi_tb_parse_fadt+0x54/0xd4
[ 0.047712] ? acpi_tb_parse_root_table+0x192/0x1bf
[ 0.047717] ? acpi_table_init+0x3b/0x56
[ 0.047721] ? acpi_boot_table_init+0xf/0x6e
[ 0.047726] ? setup_arch+0x459/0x520
[ 0.047732] ? start_kernel+0x5e/0x3ba
[ 0.047737] ? secondary_startup_64+0xa4/0xb0
I'm not sure how ACPI defines acpi_gbl_FADT though? There's no
dereference...
459: if (acpi_gbl_FADT.header.length <= ACPI_FADT_V2_SIZE) {
BTW, this report only contained 1 actual dmesg. There were two files with
dmesg file names, but one of them was the gzipped reproduction steps again.
-Kees
--
Kees Cook
next parent reply other threads:[~2020-06-08 19:00 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200608060407.GX12456@shao2-debian>
2020-06-08 19:00 ` Kees Cook [this message]
[not found] ` <20200608192828.GB987@lca.pw>
2020-06-08 19:32 ` Nick Desaulniers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202006081144.933995E4@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=clang-built-linux@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lkp@lists.01.org \
--cc=rong.a.chen@intel.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox