CC: kbuild-...@lists.01.org
TO: Alexander Potapenko <gli...@google.com>
CC: Marco Elver <el...@google.com>
CC: Dmitry Vyukov <dvyu...@google.com>
CC: Jann Horn <ja...@google.com>
CC: Andrew Morton <a...@linux-foundation.org>
CC: Linux Memory Management List <linux...@kvack.org>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/jpoimboe/linux.git elants-enum-overflow
head:   076e0e0471faf811c736b456df8319d329ae544b
commit: e404a0621ad48df9ef39680d75dcfcf3068b1146 [8814/9238] x86, kfence: enable KFENCE for x86
:::::: branch date: 25 hours ago
:::::: commit date: 5 days ago
config: i386-randconfig-s002-20210211 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce:
        # apt-get install sparse
        # sparse version: v0.6.3-215-g0fb77bb6-dirty
        # 
https://git.kernel.org/pub/scm/linux/kernel/git/jpoimboe/linux.git/commit/?id=e404a0621ad48df9ef39680d75dcfcf3068b1146
        git remote add jpoimboe 
https://git.kernel.org/pub/scm/linux/kernel/git/jpoimboe/linux.git
        git fetch --no-tags jpoimboe elants-enum-overflow
        git checkout e404a0621ad48df9ef39680d75dcfcf3068b1146
        # save the attached .config to linux build tree
        make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=i386 

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <l...@intel.com>


"sparse warnings: (new ones prefixed by >>)"
>> mm/kfence/core.c:839:9: sparse: sparse: context imbalance in 'kfence_handle_page_fault' - different lock contexts for basic block

vim +/kfence_handle_page_fault +839 mm/kfence/core.c

56b81990d5e67e Alexander Potapenko 2021-02-03  768  
56b81990d5e67e Alexander Potapenko 2021-02-03  769  bool 
kfence_handle_page_fault(unsigned long addr)
56b81990d5e67e Alexander Potapenko 2021-02-03  770  {
56b81990d5e67e Alexander Potapenko 2021-02-03  771      const int page_index = 
(addr - (unsigned long)__kfence_pool) / PAGE_SIZE;
56b81990d5e67e Alexander Potapenko 2021-02-03  772      struct kfence_metadata 
*to_report = NULL;
56b81990d5e67e Alexander Potapenko 2021-02-03  773      enum kfence_error_type 
error_type;
56b81990d5e67e Alexander Potapenko 2021-02-03  774      unsigned long flags;
56b81990d5e67e Alexander Potapenko 2021-02-03  775  
56b81990d5e67e Alexander Potapenko 2021-02-03  776      if 
(!is_kfence_address((void *)addr))
56b81990d5e67e Alexander Potapenko 2021-02-03  777              return false;
56b81990d5e67e Alexander Potapenko 2021-02-03  778  
56b81990d5e67e Alexander Potapenko 2021-02-03  779      if 
(!READ_ONCE(kfence_enabled)) /* If disabled at runtime ... */
56b81990d5e67e Alexander Potapenko 2021-02-03  780              return 
kfence_unprotect(addr); /* ... unprotect and proceed. */
56b81990d5e67e Alexander Potapenko 2021-02-03  781  
56b81990d5e67e Alexander Potapenko 2021-02-03  782      
atomic_long_inc(&counters[KFENCE_COUNTER_BUGS]);
56b81990d5e67e Alexander Potapenko 2021-02-03  783  
56b81990d5e67e Alexander Potapenko 2021-02-03  784      if (page_index % 2) {
56b81990d5e67e Alexander Potapenko 2021-02-03  785              /* This is a 
redzone, report a buffer overflow. */
56b81990d5e67e Alexander Potapenko 2021-02-03  786              struct 
kfence_metadata *meta;
56b81990d5e67e Alexander Potapenko 2021-02-03  787              int distance = 
0;
56b81990d5e67e Alexander Potapenko 2021-02-03  788  
56b81990d5e67e Alexander Potapenko 2021-02-03  789              meta = 
addr_to_metadata(addr - PAGE_SIZE);
56b81990d5e67e Alexander Potapenko 2021-02-03  790              if (meta && 
READ_ONCE(meta->state) == KFENCE_OBJECT_ALLOCATED) {
56b81990d5e67e Alexander Potapenko 2021-02-03  791                      
to_report = meta;
56b81990d5e67e Alexander Potapenko 2021-02-03  792                      /* Data 
race ok; distance calculation approximate. */
56b81990d5e67e Alexander Potapenko 2021-02-03  793                      
distance = addr - data_race(meta->addr + meta->size);
56b81990d5e67e Alexander Potapenko 2021-02-03  794              }
56b81990d5e67e Alexander Potapenko 2021-02-03  795  
56b81990d5e67e Alexander Potapenko 2021-02-03  796              meta = 
addr_to_metadata(addr + PAGE_SIZE);
56b81990d5e67e Alexander Potapenko 2021-02-03  797              if (meta && 
READ_ONCE(meta->state) == KFENCE_OBJECT_ALLOCATED) {
56b81990d5e67e Alexander Potapenko 2021-02-03  798                      /* Data 
race ok; distance calculation approximate. */
56b81990d5e67e Alexander Potapenko 2021-02-03  799                      if 
(!to_report || distance > data_race(meta->addr) - addr)
56b81990d5e67e Alexander Potapenko 2021-02-03  800                              
to_report = meta;
56b81990d5e67e Alexander Potapenko 2021-02-03  801              }
56b81990d5e67e Alexander Potapenko 2021-02-03  802  
56b81990d5e67e Alexander Potapenko 2021-02-03  803              if (!to_report)
56b81990d5e67e Alexander Potapenko 2021-02-03  804                      goto 
out;
56b81990d5e67e Alexander Potapenko 2021-02-03  805  
56b81990d5e67e Alexander Potapenko 2021-02-03  806              
raw_spin_lock_irqsave(&to_report->lock, flags);
56b81990d5e67e Alexander Potapenko 2021-02-03  807              
to_report->unprotected_page = addr;
56b81990d5e67e Alexander Potapenko 2021-02-03  808              error_type = 
KFENCE_ERROR_OOB;
56b81990d5e67e Alexander Potapenko 2021-02-03  809  
56b81990d5e67e Alexander Potapenko 2021-02-03  810              /*
56b81990d5e67e Alexander Potapenko 2021-02-03  811               * If the 
object was freed before we took the look we can still
56b81990d5e67e Alexander Potapenko 2021-02-03  812               * report this 
as an OOB -- the report will simply show the
56b81990d5e67e Alexander Potapenko 2021-02-03  813               * stacktrace 
of the free as well.
56b81990d5e67e Alexander Potapenko 2021-02-03  814               */
56b81990d5e67e Alexander Potapenko 2021-02-03  815      } else {
56b81990d5e67e Alexander Potapenko 2021-02-03  816              to_report = 
addr_to_metadata(addr);
56b81990d5e67e Alexander Potapenko 2021-02-03  817              if (!to_report)
56b81990d5e67e Alexander Potapenko 2021-02-03  818                      goto 
out;
56b81990d5e67e Alexander Potapenko 2021-02-03  819  
56b81990d5e67e Alexander Potapenko 2021-02-03  820              
raw_spin_lock_irqsave(&to_report->lock, flags);
56b81990d5e67e Alexander Potapenko 2021-02-03  821              error_type = 
KFENCE_ERROR_UAF;
56b81990d5e67e Alexander Potapenko 2021-02-03  822              /*
56b81990d5e67e Alexander Potapenko 2021-02-03  823               * We may race 
with __kfence_alloc(), and it is possible that a
56b81990d5e67e Alexander Potapenko 2021-02-03  824               * freed object 
may be reallocated. We simply report this as a
56b81990d5e67e Alexander Potapenko 2021-02-03  825               * 
use-after-free, with the stack trace showing the place where
56b81990d5e67e Alexander Potapenko 2021-02-03  826               * the object 
was re-allocated.
56b81990d5e67e Alexander Potapenko 2021-02-03  827               */
56b81990d5e67e Alexander Potapenko 2021-02-03  828      }
56b81990d5e67e Alexander Potapenko 2021-02-03  829  
56b81990d5e67e Alexander Potapenko 2021-02-03  830  out:
56b81990d5e67e Alexander Potapenko 2021-02-03  831      if (to_report) {
56b81990d5e67e Alexander Potapenko 2021-02-03  832              
kfence_report_error(addr, to_report, error_type);
56b81990d5e67e Alexander Potapenko 2021-02-03  833              
raw_spin_unlock_irqrestore(&to_report->lock, flags);
56b81990d5e67e Alexander Potapenko 2021-02-03  834      } else {
56b81990d5e67e Alexander Potapenko 2021-02-03  835              /* This may be 
a UAF or OOB access, but we can't be sure. */
56b81990d5e67e Alexander Potapenko 2021-02-03  836              
kfence_report_error(addr, NULL, KFENCE_ERROR_INVALID);
56b81990d5e67e Alexander Potapenko 2021-02-03  837      }
56b81990d5e67e Alexander Potapenko 2021-02-03  838  
56b81990d5e67e Alexander Potapenko 2021-02-03 @839      return 
kfence_unprotect(addr); /* Unprotect and let access proceed. */

:::::: The code at line 839 was first introduced by commit
:::::: 56b81990d5e67e9bd2963fda52f15dbea59dcbe3 mm: add Kernel Electric-Fence infrastructure

:::::: TO: Alexander Potapenko <gli...@google.com>
:::::: CC: Stephen Rothwell <s...@canb.auug.org.au>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org

Attachment: .config.gz
Description: application/gzip

