Date: Tue, 13 Jun 2023 13:58:42 -0700
From: Kees Cook
To: "Gustavo A. R. Silva"
Cc: oe-lkp@lists.linux.dev, lkp@intel.com, kernel test robot, Linux Memory Management List, Masahiro Yamada, Nathan Chancellor, Nick Desaulniers, Nicolas Schier, linux-kbuild@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org
Subject: Re: [linux-next:master] [kbuild] df8fc4e934: BUG:unable_to_handle_page_fault_for_address
Message-ID: <202306131354.A499DE60@keescook>
References: <202306102333.8f5a7443-oliver.sang@intel.com> <202306131342.51A51F651C@keescook>
In-Reply-To: <202306131342.51A51F651C@keescook>
On Tue, Jun 13, 2023 at 01:46:54PM -0700, Kees Cook wrote:
> On Sun, Jun 11, 2023 at 09:41:30PM +0800, kernel test robot wrote:
> > the issue we found below is by clang-15, but we confirmed clang-15 we use is
> > commit 8dfdcc7b7b in llvm-project. it supports the flag already.
>
> Interesting! Thanks for the report.
>
> > [ 228.605608][ C1] BUG: unable to handle page fault for address: 04090300
> > [...]
> > [ 228.608262][ C1] EIP: string (lib/vsprintf.c:644 lib/vsprintf.c:726)
> > [...]
> > [ 228.608262][ C1] Call Trace:
> > [ 228.608262][ C1]  <SOFTIRQ>
> > [ 228.608262][ C1] vsnprintf (lib/vsprintf.c:2817)
> > [ 228.608262][ C1] vprintk_store (kernel/printk/printk.c:2191)
> > [ 228.608262][ C1] vprintk_emit (kernel/printk/printk.c:2288)
> > [ 228.608262][ C1] vprintk_default (kernel/printk/printk.c:2318)
> > [ 228.608262][ C1] vprintk (kernel/printk/printk_safe.c:50)
> > [ 228.608262][ C1] _printk (kernel/printk/printk.c:2331)
> > [ 228.608262][ C1] __ubsan_handle_out_of_bounds (lib/ubsan.c:209 lib/ubsan.c:343)
>
> This is a crash within the UBSAN handler! That's very unexpected.

I still don't understand this. Is printk() not allowed in SOFTIRQ?

> > [ 228.608262][ C1] get_string (drivers/usb/gadget/composite.c:1314)
> > [ 228.608262][ C1] composite_setup (drivers/usb/gadget/composite.c:1871)
> > [ 228.608262][ C1] dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:?)
> > And the out-of-bounds condition got triggered in dummy_hcd.

I found this. I'm surprised we didn't trip over it earlier!

/* USB_DT_STRING: String descriptor */
struct usb_string_descriptor {
	__u8  bLength;
	__u8  bDescriptorType;
	__le16 wData[1];		/* UTF-16LE encoded */
} __attribute__ ((packed));

$ git grep 'struct usb_string_descriptor'
drivers/usb/early/xhci-dbc.c:	struct usb_string_descriptor *s_desc;
drivers/usb/early/xhci-dbc.c:	s_desc = (struct usb_string_descriptor *)strings->serial;
drivers/usb/early/xhci-dbc.c:	s_desc = (struct usb_string_descriptor *)strings->product;
drivers/usb/early/xhci-dbc.c:	s_desc = (struct usb_string_descriptor *)strings->manufacturer;
drivers/usb/gadget/composite.c:	struct usb_string_descriptor *s = buf;
drivers/usb/gadget/udc/aspeed-vhub/hub.c:	struct usb_string_descriptor *sdesc = buf;
drivers/usb/host/xhci-dbgcap.c:	struct usb_string_descriptor *s_desc;
drivers/usb/host/xhci-dbgcap.c:	s_desc = (struct usb_string_descriptor *)strings->serial;
drivers/usb/host/xhci-dbgcap.c:	s_desc = (struct usb_string_descriptor *)strings->product;
drivers/usb/host/xhci-dbgcap.c:	s_desc = (struct usb_string_descriptor *)strings->manufacturer;
include/uapi/linux/usb/ch9.h:struct usb_string_descriptor {

Looking at each use, none are using sizeof() on the struct, so it should be
a trivial replacement. I'll send a patch.

-Kees

-- 
Kees Cook
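The one-element array quoted above beside the flexible-array form the message proposes, as an added example that is not part of this thread or of the kernel patch Kees mentions; the `_old`/`_new` struct names, `usb_string_nchars`, `usb_string_encode` and the little-endian-host assumption are this example's own.

```c
/* Added example, not Kees's patch: the one-element "fake" flexible array the
 * message quotes, beside the true flexible array member it proposes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Shape of the struct quoted from include/uapi/linux/usb/ch9.h. Under
 * -fstrict-flex-arrays=3, wData has exactly one element, so any write to
 * wData[1] or beyond is the out-of-bounds access UBSAN reported. */
struct usb_string_descriptor_old {
	uint8_t  bLength;
	uint8_t  bDescriptorType;
	uint16_t wData[1];		/* UTF-16LE encoded */
} __attribute__((packed));

/* Proposed replacement: a C99 flexible array member. sizeof() shrinks from
 * 4 to 2, which is why the message greps for sizeof() users before swapping. */
struct usb_string_descriptor_new {
	uint8_t  bLength;
	uint8_t  bDescriptorType;
	uint16_t wData[];		/* UTF-16LE encoded */
} __attribute__((packed));

#define USB_DT_STRING  0x03
#define USB_STRING_HDR offsetof(struct usb_string_descriptor_new, wData)

/* UTF-16 code units carried by a descriptor of bLength bytes, derived from
 * the wire header size rather than sizeof(struct), so both layouts agree. */
size_t usb_string_nchars(uint8_t bLength)
{
	return bLength < USB_STRING_HDR ? 0 : (bLength - USB_STRING_HDR) / 2;
}

/* Encode an ASCII string (constructed input) into buf as a string descriptor;
 * returns bLength, or 0 if it fits neither buf nor a byte. Assumes a
 * little-endian host, so storing the code unit directly yields UTF-16LE. */
uint8_t usb_string_encode(const char *ascii, uint8_t *buf, size_t buflen)
{
	struct usb_string_descriptor_new *d = (struct usb_string_descriptor_new *)buf;
	size_t n = strlen(ascii), total = USB_STRING_HDR + 2 * n;

	if (total > buflen || total > UINT8_MAX)
		return 0;
	d->bLength = (uint8_t)total;
	d->bDescriptorType = USB_DT_STRING;
	for (size_t i = 0; i < n; i++)
		d->wData[i] = (uint8_t)ascii[i];	/* i >= 1 is in bounds only for wData[] */
	return d->bLength;
}
```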