On Mon, Oct 30, 2017 at 05:14:59PM -0700, Kees Cook wrote: > On Wed, Oct 25, 2017 at 9:22 AM, kernel test robot > <xiaolong...@intel.com> wrote:
thanks for looking at this, I was at a loss as to what (if any) action I needed to take. > > FYI, we noticed the following commit (built with gcc-4.9): > > > > commit: 7f7c60e0663645e757e520245606fde9c6e326bb ("printk: hash addresses > > printed with %p") > > url: > > https://github.com/0day-ci/linux/commits/Tobin-C-Harding/printk-hash-addresses-printed-with-p/20171024-231922 > > It's not clear to me which of the various versions this test ran > against, but it seems like the printf self-tests got very confused by > the results: > > > [ 40.275423] test_printf: kvasprintf(..., "%p %p", ...) returned > > '3cf9adbe eff717bf', expected '0000000001234567 fffffffffedcba98' > > [ 40.296739] test_printf: vsnprintf(buf, 256, "|%-*p|%*p|", ...) returned > > 19, expected 39 > > [ 40.322776] test_printf: vsnprintf(buf, 16, "|%-*p|%*p|", ...) returned > > 19, expected 39 > > [ 40.334834] test_printf: vsnprintf(buf, 0, "|%-*p|%*p|", ...) returned > > 19, expected 39 > > I assume v10 will fix the width issues, but probably not the value tests... Oh, so I need to update lib/test_printf.c to cover hashed %p. > And it claims a use-after-free, too: > > > [ 39.757461] The buggy address belongs to the object at 22cb34bb > > [ 39.757461] which belongs to the cache kmalloc-32 of size 32 > > [ 39.757461] The buggy address is located 0 bytes inside of > > [ 39.757461] 32-byte region [22cb34bb, 24ac3a60) > > Which becomes rather unreadable, since the address got hashed. :P So I think we need to patch mm/kasan/report to use %pK instead of %p. I don't know what I should be doing about [ 39.757461] BUG: KASAN: slab-out-of-bounds in __test+0xee/0x13f Awesome, thanks, Tobin.