Looking at the code, this issue seems to be introduced by `UBUNTU: SAUCE:
modpost: support arbitrary symbol length in modversion` and the UBSAN
warning tells us that accessing vers->name[0] could be an out-of-bounds
access.

The struct modversion_info contains a flexible array (name), that is
correctly defined as the last member of the struct, and its size is
allocated dynamically at runtime, so I would expect that vers->name[0]
is always allocated, unless vers is not initialized properly or there's
an empty name.

So, my guess is that UBSAN isn't really happy about the flexible array
and this is just a false positive.

However, to be 100% sure that we are not actually doing an out-of-bounds
access and prevent the warning, we could apply something like the
following on top of our SAUCE patch:

diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c
index 195714fc6e22..1f5960e25758 100644
--- a/arch/powerpc/kernel/module_64.c
+++ b/arch/powerpc/kernel/module_64.c
@@ -350,6 +350,8 @@ static void dedotify_versions(struct modversion_info *vers,
        struct modversion_info *end = (void *)vers + size;
 
        for (; vers < end && vers->next; vers = (void *)vers + vers->next) {
+               if (size <= offsetof(struct modversion_info, name))
+                       continue;
                if (vers->name[0] == '.') {
                        memmove(vers->name, vers->name+1, strlen(vers->name));
                }
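Review bot: the new condition compares the whole section length `size` against `offsetof(struct modversion_info, name)`, and `size` does not change inside the loop, so it is either true on every iteration or on none; it never tests whether the current entry's `name[0]` lies before `end`. A per-entry check would use the bytes remaining from `vers`, for example `if ((void *)vers + offsetof(struct modversion_info, name) >= (void *)end) break;` placed before the `vers->name[0]` dereference. `break` fits better than `continue` here: once one entry's name is past `end`, every later entry is too, and `continue` would still execute the `vers = (void *)vers + vers->next` increment and read the next header. Note also that the condition does not look at the name's content, so an empty name takes exactly the same path with or without it.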


In this case even if (for any reason) vers->name[] is an empty string we can
prevent the out-of-bounds access and make UBSAN happy.

Opinions?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2059237

Title:
  [Ubuntu-24.04] "array-index-out-of-bounds" error is observed after
  every reboot

Status in The Ubuntu-power-systems project:
  Confirmed
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  == Comment:- Kowshik Jois B S ==
  ---Problem Description---
  Below trace messages are observed in dmesg after every reboot.

  
  [    0.474287] integrity: Unable to open file: /etc/keys/x509_evm.der (-2)
  [    0.475750] Freeing unused kernel image (initmem) memory: 8832K
  [    0.507388] Checked W+X mappings: passed, no W+X pages found
  [    0.507400] Run /init as init process
  [    0.507403]   with arguments:
  [    0.507404]     /init
  [    0.507405]   with environment:
  [    0.507406]     HOME=/
  [    0.507407]     TERM=linux
  [    0.507408]     BOOT_IMAGE=/vmlinux-6.8.0-11-generic
  [    0.511892] ------------[ cut here ]------------
  [    0.511904] UBSAN: array-index-out-of-bounds in 
/build/linux-MzA0lF/linux-6.8.0/arch/powerpc/kernel/module_64.c:353:17
  [    0.511909] index 0 is out of range for type 'char [*]'
  [    0.511912] CPU: 13 PID: 1 Comm: systemd Not tainted 6.8.0-11-generic 
#11-Ubuntu
  [    0.511917] Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 
of:IBM,FW1060.00 (NH1060_013) hv:phyp pSeries
  [    0.511921] Call Trace:
  [    0.511922] [c000000006683620] [c0000000016b2f28] dump_stack_lvl+0x70/0xb4 
(unreliable)
  [    0.511931] [c000000006683650] [c000000000c7bc58] 
__ubsan_handle_out_of_bounds+0xc4/0x12c
  [    0.511938] [c000000006683700] [c00000000005d2a8] 
module_frob_arch_sections+0x4ec/0x8d0
  [    0.511943] [c0000000066837e0] [c0000000002b98cc] 
layout_and_allocate.isra.0+0x38/0x2a8
  [    0.511948] [c000000006683850] [c0000000002b9dec] load_module+0x138/0xca0
  [    0.511953] [c000000006683990] [c0000000002baca8] 
init_module_from_file+0xb4/0x14c
  [    0.511958] [c000000006683a70] [c0000000002baf70] 
sys_finit_module+0x230/0x48c
  [    0.511963] [c000000006683b80] [c000000000033248] 
system_call_exception+0xe8/0x240
  [    0.511967] [c000000006683e50] [c00000000000d15c] 
system_call_vectored_common+0x15c/0x2ec
  [    0.511972] --- interrupt: 3000 at 0x7879b903b8a8
  [    0.511977] NIP:  00007879b903b8a8 LR: 0000000000000000 CTR: 
0000000000000000
  [    0.511980] REGS: c000000006683e80 TRAP: 3000   Not tainted  
(6.8.0-11-generic)
  [    0.511984] MSR:  800000000000f033 <SF,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 
48222428  XER: 00000000
  [    0.511993] IRQMASK: 0 
                 GPR00: 0000000000000161 00007fffd683b580 00007879b9166d00 
0000000000000004 
                 GPR04: 00007879b8e0c160 0000000000000004 0000000000000010 
0000000000000004 
                 GPR08: 0000000000000001 0000000000000000 0000000000000000 
0000000000000000 
                 GPR12: 0000000000000000 00007879b99d3a00 0000000020000000 
0000000000020000 
                 GPR16: 0000000000000000 0000000000000000 00001b5c7d7453e0 
00007fffd683ba68 
                 GPR20: 0000000000000000 0000000000000000 00001b5c82154ae0 
00001b5c82142360 
                 GPR24: 00007879b957f7b0 00001b5c82154ae0 0000000000000000 
00001b5c82142160 
                 GPR28: 00007879b8e0c160 0000000000020000 00001b5c82154ae0 
00001b5c82142380 
  [    0.512029] NIP [00007879b903b8a8] 0x7879b903b8a8
  [    0.512032] LR [0000000000000000] 0x0
  [    0.512034] --- interrupt: 3000
  [    0.512036] ---[ end trace ]---
  [    0.518326] systemd[1]: Inserted module 'autofs4'
  [    0.521570] systemd[1]: systemd 255.2-3ubuntu2 running in system mode 
(+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL 
+ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP 
+LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD 
-BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
  [    0.521583] systemd[1]: Detected virtualization powervm.
  [    0.521589] systemd[1]: Detected architecture ppc64-le.
  [    0.521593] systemd[1]: Running in initrd.
  [    0.521743] systemd[1]: No hostname configured, using default hostname.
  [    0.521789] systemd[1]: Hostname set to <localhost>.
  [    0.521847] systemd[1]: Initializing machine ID from random generator.
  [    0.600736] systemd[1]: Queued start job for default target initrd.target.

  
   
  Machine Type = P10  LPAR 
   
  Contact Information = Kowshik Jois B S kowshik.j...@in.ibm.com 
   
  ---Steps to Reproduce---
  1. reboot the system
  2. Once the system is booted back, look at dmesg
   
  ---uname output---
  Linux ubuntu2404 6.8.0-11-generic #11-Ubuntu SMP Wed Feb 14 00:33:03 UTC 2024 
ppc64le ppc64le ppc64le GNU/Linux
   
   
  Additional Information:
  Same trace messages are seen on L2 guest as well.

  == Comment: - Kowshik Jois B S ==
  Hello Likhitha,

  The ubuntu bug
  https://bugs.launchpad.net/ubuntu/+source/virtinst/+bug/2055126 was
  created for tracking a different issue which is resolved. I just
  posted a question about this issue as well at the end. But it's been 20
  days and we haven't heard anything back on that. Also, the bug is
  already closed. So I think it makes sense to initiate a new discussion
  with ubuntu on this issue.

  Earlier I had initiated a discussion through
  https://bugs.launchpad.net/ubuntu/+bug/2052767 but no updates on that
  one as well till now.

  
  As you mentioned, I compiled the upstream kernel with UBSAN disabled in the
config. As expected, I am not seeing the issue recreated anymore with
that.

  But the ubuntu ISO will have these configs enabled by default and we
  will still see this issue on ubuntu default kernel.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/2059237/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
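The dedotify loop discussed in the comment above walks a section of variable-length entries, each ending in a flexible-array name, and the question is how to bound each access to `name[0]` against the real end of the section. The following is an added userspace model of that walk, written for this page; it is not code from the bug report, the SAUCE patch or the kernel. It checks every entry against the bytes remaining before `end` (header present, at least one name byte inside the entry, `next` not pointing outside the section, NUL present before `strlen`/`memmove` run) rather than against the whole section size. The struct layout (`uint32_t next`/`crc` followed by `char name[]`), the 8-byte entry padding, the terminating entry with `next == 0` and the section contents are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of a variable-length __versions entry: a small header
 * followed by a flexible-array name. Field types, 8-byte padding and the
 * terminator with next == 0 are assumptions for this example, not the
 * kernel's definition. */
struct modversion_info {
	uint32_t next;  /* byte offset to the next entry; 0 marks the terminator */
	uint32_t crc;
	char name[];    /* NUL-terminated symbol name, length varies per entry */
};

#define ENTRY_ALIGN 8
#define SEC_MAX 256
#define NAME_OFF offsetof(struct modversion_info, name)

/* Backing store for the constructed section; entries need 8-byte alignment. */
static _Alignas(8) unsigned char section_buf[SEC_MAX];

/* Build a section from a list of names and append the terminator entry.
 * Returns the bytes used, or 0 if the section would exceed SEC_MAX. */
static size_t build_section(unsigned char *sec, const char *const names[], size_t n)
{
	size_t used = 0;

	for (size_t i = 0; i <= n; i++) {
		const char *name = (i < n) ? names[i] : "";  /* terminator: empty name */
		size_t len = NAME_OFF + strlen(name) + 1;
		size_t padded = (len + ENTRY_ALIGN - 1) & ~(size_t)(ENTRY_ALIGN - 1);
		struct modversion_info *v = (struct modversion_info *)(sec + used);

		if (used + padded > SEC_MAX)
			return 0;
		v->next = (i < n) ? (uint32_t)padded : 0;
		v->crc = 0x1000u + (uint32_t)i;  /* constructed placeholder CRC */
		memcpy(v->name, name, strlen(name) + 1);
		used += padded;
	}
	return used;
}

/* Strip a leading '.' from every name, as dedotify_versions() does, but
 * validate each entry against the bytes remaining before end. Returns how
 * many names were changed, or -1 if an entry's header or name[0] falls
 * outside the section, next points outside it, or the name has no NUL
 * inside the entry. *visited counts the entries that passed the checks. */
static int dedotify_versions_checked(unsigned char *sec, size_t size, int *visited)
{
	unsigned char *end = sec + size;
	unsigned char *p = sec;
	int changed = 0;

	*visited = 0;
	while (p < end) {
		size_t remaining = (size_t)(end - p);
		struct modversion_info *v;

		if (remaining < NAME_OFF)      /* header itself is cut off */
			return -1;
		v = (struct modversion_info *)p;
		if (v->next == 0)              /* terminator: stop without reading name */
			break;
		/* The entry must contain at least name[0] and end inside the section. */
		if (v->next < NAME_OFF + 1 || v->next > remaining)
			return -1;
		/* strlen()/memmove() below need a NUL inside this entry. */
		if (memchr(v->name, '\0', v->next - NAME_OFF) == NULL)
			return -1;
		(*visited)++;
		if (v->name[0] == '.') {
			memmove(v->name, v->name + 1, strlen(v->name));
			changed++;
		}
		p += v->next;
	}
	return changed;
}

/* Name of the idx-th entry of an already validated section (for inspection). */
static const char *entry_name(const unsigned char *sec, size_t idx)
{
	const unsigned char *p = sec;

	for (size_t i = 0; i < idx; i++)
		p += ((const struct modversion_info *)p)->next;
	return ((const struct modversion_info *)p)->name;
}

int main(void)
{
	static const char *const names[] = { ".foo", "bar", ".baz" };  /* constructed */
	size_t used = build_section(section_buf, names, 3);
	int visited, rc;

	rc = dedotify_versions_checked(section_buf, used, &visited);
	printf("intact section: %d names changed, %d entries\n", rc, visited);
	for (size_t i = 0; i < 3; i++)
		printf("  entry %zu: %s\n", i, entry_name(section_buf, i));

	/* Truncate so the third entry's header fits but its name does not:
	 * the per-entry check rejects it instead of reading past end. */
	build_section(section_buf, names, 3);
	rc = dedotify_versions_checked(section_buf, 40, &visited);
	printf("truncated section: rc=%d after %d entries\n", rc, visited);
	return 0;
}
```

The truncated case in `main` is the one the proposed `size <= offsetof(...)` check cannot catch: the section as a whole is far larger than the header, yet the last entry's `name[0]` sits past `end`. Comparing against `remaining` (or against `end` directly, as a kernel-side check would) is what distinguishes the two.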
