Issue 897215

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug


chromeos-4.19: Bad or missing usercopy whitelist?

Project Member Reported by groeck@chromium.org, Oct 19

Issue description

Seen with chromeos.4.19 boots.

[    6.004806] ------------[ cut here ]------------
[    6.010012] Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'task_struct' (offset 1888, size 8)!
[    6.024165] WARNING: CPU: 0 PID: 1 at /mnt/host/source/src/third_party/kernel/next/mm/usercopy.c:83 usercopy_warn+0x97/0x9e
[    6.036620] Modules linked in:
[    6.040045] CPU: 0 PID: 1 Comm: init Not tainted 4.19.0-rc8 #23
[    6.046667] Hardware name: Google Caroline/Caroline, BIOS Google_Caroline.7820.286.0 03/15/2017
[    6.056401] RIP: 0010:usercopy_warn+0x97/0x9e
[    6.061277] Code: c6 04 25 9d 76 14 b5 01 48 c7 c3 03 fa cf b4 48 0f 44 d8 48 c7 c7 85 f9 cf b4 31 c0 41 52 41 53 53 e8 0b 13 c1 ff 48 83 c4 18 <0f> 0b e9 76 ff ff ff 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 54
[    6.082276] RSP: 0018:ffff8801566b7a00 EFLAGS: 00010296
[    6.088127] RAX: b7c923d637968000 RBX: ffffffffb4cffa03 RCX: 0000000000000000
[    6.096108] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8801566a890c
[    6.104089] RBP: ffff8801566b7a08 R08: ffff8801566a8908 R09: 0000000000000003
[    6.112070] R10: ffffffffb5149093 R11: dffffc0000000000 R12: 0000000000000001
[    6.120050] R13: ffff8801566a87a0 R14: 0000000000000008 R15: ffffea000559aa00
[    6.128050] FS:  00007ed29687a800(0000) GS:ffff880156e00000(0000) knlGS:0000000000000000
[    6.137101] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    6.143532] CR2: 00005a0edf615908 CR3: 000000014fd80003 CR4: 00000000003606f0
[    6.151511] Call Trace:
[    6.154249]  __check_object_size+0x1c8/0x325
[    6.159032]  do_signal+0xb5a/0x10a3
[    6.162959]  ? signal_fault+0x1e7/0x1e7
[    6.167257]  ? core_sys_select+0x495/0x61a
[    6.171892]  ? trace_hardirqs_on+0x3f/0x3f
[    6.176482]  ? prepare_exit_to_usermode+0x2b1/0x381
[    6.181944]  ? print_irqtrace_events+0x223/0x223
[    6.187116]  ? __do_sys_exit_group+0x17/0x17
[    6.191900]  prepare_exit_to_usermode+0x2de/0x381
[    6.197189]  ? __bpf_trace_sys_exit+0xa/0xa
[    6.201894]  syscall_return_slowpath+0x132/0x518
[    6.207066]  ? prepare_exit_to_usermode+0x381/0x381
[    6.212518]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[    6.217786]  ? __se_sys_select+0xe6/0x1b6
[    6.222276]  ? lockdep_hardirqs_on+0x218/0x6d0
[    6.227252]  ? __x64_sys_select+0xca/0xca
[    6.231739]  ? do_syscall_64+0x28/0x121
[    6.236032]  ? print_irqtrace_events+0x223/0x223
[    6.241206]  ? do_syscall_64+0xce/0x121
[    6.245506]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[    6.251161] RIP: 0033:0x7ed2962d2023
[    6.255162] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d a9 b0 2b 00 00 75 13 49 89 ca b8 17 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 3b 51 01 00 48 89 04 24
[    6.276158] RSP: 002b:00007ffe05cc8d28 EFLAGS: 00000246 ORIG_RAX: 0000000000000017
[    6.284630] RAX: fffffffffffffffc RBX: 00007ffe05cc8d80 RCX: 00007ed2962d2023
[    6.292611] RDX: 00007ffe05cc8e00 RSI: 00007ffe05cc8e80 RDI: 0000000000000008
[    6.300593] RBP: 00007ffe05cc8f30 R08: 0000000000000000 R09: 0000000000002034
[    6.308573] R10: 00007ffe05cc8d80 R11: 0000000000000246 R12: 00007ffe05cc8d80
[    6.316556] R13: 00007ffe05cc8e00 R14: 00007ffe05cc8d7f R15: 00007ffe05cc8d40
[    6.324546] irq event stamp: 1057718
[    6.328550] hardirqs last  enabled at (1057717): [<ffffffffb2c1a2d9>] console_unlock+0xb19/0xbff
[    6.338379] hardirqs last disabled at (1057718): [<ffffffffb2a039c8>] trace_hardirqs_off_thunk+0x1a/0x1c
[    6.348988] softirqs last  enabled at (1057714): [<ffffffffb48008b9>] __do_softirq+0x8b9/0xa72
[    6.358621] softirqs last disabled at (1057693): [<ffffffffb2b334d3>] irq_exit+0x186/0x1e0
[    6.367872] ---[ end trace 8413ededba56adc9 ]---

Compiler:

[    0.000000] Linux version 4.19.0-rc8 (groeck@groeck0.mtv.corp.google.com) (Chromium OS 8.0_pre339409_p20180926-r3 clang version 8.0.0 (/var/cache/chromeos-cache/distfiles/host/egit-src/clang.git 6601c8f525499269dba75f75bbd1ee2671aaa262) (/var/cache/chromeos-cache/distfiles/host/egit-src/llvm.git 36f54002c931a026f490f9fb074c11d91e3487a2) (based on LLVM 8.0.0svn)) #23 SMP PREEMPT Fri Oct 19 10:40:37 PDT 2018

Cc: mka@chromium.org
The problem is not seen when building the kernel with gcc.

[    0.000000] Linux version 4.19.0-rc8 (groeck@groeck0.mtv.corp.google.com) (gcc version 4.9.x 20150123 (prerelease) (4.9.2_cos_gg_4.9.2-r197-ac6128e0a17a52f011797f33ac3e7d6273a9368d_4.9.2-r197)) #25 SMP PREEMPT Fri Oct 19 10:55:15 PDT 2018

Cc: ndesaulniers@google.com keescook@chromium.org
Yup, it's due to Clang/LLVM's inability to resolve __builtin_constant_p() through inlining:

https://github.com/ClangBuiltLinux/linux/issues/7
ndesaulniers@ told me that this is a known issue related to the use of __builtin_constant_p() in inline functions: https://github.com/ClangBuiltLinux/linux/issues/7

A fix in clang is underway.
Thanks Kees :)
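For readers following the trace, here is an added C model (not kernel code and not from this bug's comments) of the decision made by __check_heap_object() in mm/slub.c for v4.19, the runtime check that printed the warning above: a copy is allowed only when it lies entirely inside the cache's usercopy whitelist; a copy that is inside the object but outside the whitelist only warns when the fallback option is on, which is the "Bad or missing usercopy whitelist?" message seen here; a copy crossing the object boundary aborts. Per Kees's comment, this runtime path is reached for the constant 8-byte copy under Clang because __builtin_constant_p() does not fold in the inlined check_object_size(). The task_struct object size and whitelist numbers below are constructed placeholders, not this build's layout; offset 1888 and size 8 are the values from the trace.

```c
/*
 * Added model of __check_heap_object() (mm/slub.c, v4.19), the runtime half of
 * the hardened usercopy check. Not kernel code; numbers below are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Whitelist a slab cache carries, set by kmem_cache_create_usercopy(). */
struct cache_model {
    const char *name;
    size_t object_size;  /* size of one object in the cache */
    size_t useroffset;   /* first byte user copies may touch */
    size_t usersize;     /* length of that whitelisted region */
};

enum verdict { UC_OK, UC_WARN, UC_ABORT };

/* Decision order mirrors the kernel: whitelist, then fallback, then abort. */
enum verdict check_heap_object(const struct cache_model *s, size_t offset,
                               size_t n, bool fallback)
{
    /* 1. Range falls entirely within the whitelisted region: allowed. */
    if (offset >= s->useroffset && offset - s->useroffset <= s->usersize &&
        n <= s->usersize - (offset - s->useroffset))
        return UC_OK;
    /* 2. Still inside the object: with CONFIG_HARDENED_USERCOPY_FALLBACK the
     *    kernel only warns ("Bad or missing usercopy whitelist?"). */
    if (fallback && offset <= s->object_size && n <= s->object_size - offset)
        return UC_WARN;
    /* 3. Crosses the object boundary: usercopy_abort(), i.e. BUG(). */
    return UC_ABORT;
}

/* Constructed task_struct cache: placeholder sizes, not this build's layout. */
static const struct cache_model task_struct_cache = {
    .name = "task_struct", .object_size = 9344, .useroffset = 2880, .usersize = 832,
};

int main(void)
{
    static const char *text[] = { "allowed", "warn (fallback)", "abort" };
    /* Offset 1888 / size 8 are the values from the trace in this bug. */
    enum verdict v = check_heap_object(&task_struct_cache, 1888, 8, true);
    printf("%s offset %zu size %zu: %s\n", task_struct_cache.name,
           (size_t)1888, (size_t)8, text[v]);
    return 0;
}
```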
Cc: gwendal@chromium.org
Issue 901133 has been merged into this issue.
Cc: rajatja@google.com
This is still seen as recent as 11540.0.0