Re: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6

2018-06-07 Thread David Ahern
On 6/7/18 5:07 PM, Jakub Kicinski wrote:

>> After recompiling the 4.16.7 kernel with gcc 8.1, UBSAN reports the 
>> following:
>>
>> [   25.427424]
>> 
>> [   25.429680] UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
>> [   25.431920] member access within null pointer of type 'struct tnode'
>> [   25.434153] CPU: 3 PID: 1 Comm: systemd Not tainted 4.16.7-CUSTOM #1
>> [   25.436384] Hardware name: Gigabyte Technology Co., Ltd. H67MA-UD2H-B3/H67MA-UD2H-B3, BIOS F8 03/27/2012
>> [   25.438647] Call Trace:
>> [   25.440889]  dump_stack+0x62/0x9f
>> [   25.443104]  ubsan_epilogue+0x9/0x35
>> [   25.445293]  handle_null_ptr_deref+0x80/0x90
>> [   25.447464]  __ubsan_handle_type_mismatch_v1+0x6a/0x80
>> [   25.449628]  tnode_free+0xce/0x120

arguably this one should be guarded:

diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 5bc0c89e81e4..32c589059fb3 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -501,7 +501,8 @@ static void tnode_free(struct key_vector *tn)
tnode_free_size += TNODE_SIZE(1ul << tn->bits);
node_free(tn);

-   tn = container_of(head, struct tnode, rcu)->kv;
+   if (head)
+   tn = container_of(head, struct tnode, rcu)->kv;
}

if (tnode_free_size >= PAGE_SIZE * sync_pages) {
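Review bot: the guard is correct only because the loop terminates on head, not on tn; after this change the final pass leaves tn pointing at the node that node_free(tn) just released, a dangling value that is never read. That is fine as written, but the commit message should say so, otherwise a later reader of `if (head)` will wonder what tn holds when the branch is skipped. The reason the guard is justified on its own terms, and not only to quiet the sanitizer: `tn = container_of(head, struct tnode, rcu)->kv;` is evaluated with head == NULL on the last iteration, and the report ("member access within null pointer of type 'struct tnode'") shows the result of that container_of really is a null pointer, so the member access is undefined behaviour in C whether or not anything is loaded through it. A slightly cleaner shape would derive the next node only when the loop is about to continue (for instance by computing tn from head at the top of the loop body), which removes the stale assignment altogether; either way, please note in the changelog that this fixes a gcc 8 UBSAN report rather than an observed crash.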


but if head is NULL, tn is set but not dereferenced as the loop breaks.
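For anyone who wants to see the pattern under discussion outside the kernel: the following is an added userspace model of the tnode_free() walk, not code from this thread or from net/ipv4/fib_trie.c. The struct layouts, TNODE_SIZE, the list builder and the use of plain free() instead of RCU are simplified stand-ins, and the three-node input is constructed here. Built with a gcc that instruments null member accesses (the report above says 8.1 does and 7.3 does not) as `gcc -O2 -fsanitize=undefined demo.c`, the unguarded walk prints the same "member access within null pointer of type 'struct tnode'" line on its last iteration and the guarded walk prints nothing; both free the same three nodes, which is David's point that the value is computed but never dereferenced.

```c
/*
 * Added example, not kernel code: a userspace model of the tnode_free()
 * free-list walk. Layouts, TNODE_SIZE and tnode_free_append() are
 * simplified stand-ins for the fib_trie ones; nodes are released with
 * free() rather than through RCU.
 *
 *   gcc -O2 -fsanitize=undefined demo.c && ./a.out
 */
#include <stddef.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-in for the kernel's struct callback_head (rcu_head). */
struct callback_head {
	struct callback_head *next;
};

struct key_vector {
	unsigned char bits;	/* log2 of the child count, as in fib_trie */
};

/*
 * rcu is the first member, as in the kernel's struct tnode, so
 * container_of(NULL, struct tnode, rcu) is NULL itself and ->kv on it is
 * exactly the "member access within null pointer" UBSAN reports.
 */
struct tnode {
	struct callback_head rcu;
	struct key_vector kv[1];
};

#define tn_info(kv_ptr) container_of(kv_ptr, struct tnode, kv[0])
#define TNODE_SIZE(n) (sizeof(struct tnode) + (n) * sizeof(void *))

static size_t tnode_free_size;	/* bytes queued since the last sync */

static struct key_vector *tnode_new(unsigned char bits)
{
	struct tnode *tn = calloc(1, TNODE_SIZE(1ul << bits));

	if (!tn)
		abort();
	tn->kv[0].bits = bits;
	return tn->kv;
}

/* Chain n right after tn on the free list (assumed list shape). */
static void tnode_free_append(struct key_vector *tn, struct key_vector *n)
{
	tn_info(n)->rcu.next = tn_info(tn)->rcu.next;
	tn_info(tn)->rcu.next = &tn_info(n)->rcu;
}

/*
 * Original shape. On the final pass head == NULL and the assignment
 * evaluates container_of(NULL, ...)->kv: never dereferenced, because the
 * loop condition fails next, but still undefined behaviour in C.
 */
static size_t tnode_free_unguarded(struct key_vector *tn)
{
	struct callback_head *head = &tn_info(tn)->rcu;
	size_t freed = 0;

	while (head) {
		head = head->next;
		tnode_free_size += TNODE_SIZE(1ul << tn->bits);
		free(tn_info(tn));
		freed++;

		tn = container_of(head, struct tnode, rcu)->kv;	/* UB when head == NULL */
	}
	return freed;
}

/*
 * Guarded shape from the proposed patch: derive the next node only while
 * there is one. tn keeps a stale (freed) value on the last pass, which is
 * harmless because the loop exits on head, not on tn.
 */
static size_t tnode_free_guarded(struct key_vector *tn)
{
	struct callback_head *head = &tn_info(tn)->rcu;
	size_t freed = 0;

	while (head) {
		head = head->next;
		tnode_free_size += TNODE_SIZE(1ul << tn->bits);
		free(tn_info(tn));
		freed++;

		if (head)
			tn = container_of(head, struct tnode, rcu)->kv;
	}
	return freed;
}

/* Constructed input: three nodes chained a -> c -> b, freed by one walker. */
static size_t run_walk(int guarded)
{
	struct key_vector *a = tnode_new(1), *b = tnode_new(2), *c = tnode_new(3);

	tnode_free_size = 0;
	tnode_free_append(a, b);
	tnode_free_append(a, c);
	return guarded ? tnode_free_guarded(a) : tnode_free_unguarded(a);
}

int main(void)
{
	size_t unguarded = run_walk(0);	/* UBSAN line appears here, if enabled */
	size_t guarded = run_walk(1);	/* silent */

	return (unguarded == 3 && guarded == 3) ? 0 : 1;
}
```

Both walkers count and free the same three nodes and accumulate the same tnode_free_size; the only difference is the pointer that is formed from a null head on the way out, which is what the `if (head)` guard removes.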


Re: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6

2018-06-07 Thread Jakub Kicinski
On Mon, 7 May 2018 10:33:45 -0700, Stephen Hemminger wrote:
> Begin forwarded message:
> 
> Date: Mon, 07 May 2018 16:07:24 +
> From: bugzilla-dae...@bugzilla.kernel.org
> To: step...@networkplumber.org
> Subject: [Bug 199637] New: UBSAN: Undefined behaviour in 
> net/ipv4/fib_trie.c:503:6
> 
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=199637
> 
> Bug ID: 199637
>            Summary: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
>            Product: Networking
>            Version: 2.5
>     Kernel Version: 4.16.7
>           Hardware: x86-64
>                 OS: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: IPV4
>           Assignee: step...@networkplumber.org
>           Reporter: combus...@archlinux.us
>         Regression: No
> 
> After recompiling the 4.16.7 kernel with gcc 8.1, UBSAN reports the following:
> 
> [   25.427424]
> 
> [   25.429680] UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
> [   25.431920] member access within null pointer of type 'struct tnode'
> [   25.434153] CPU: 3 PID: 1 Comm: systemd Not tainted 4.16.7-CUSTOM #1
> [   25.436384] Hardware name: Gigabyte Technology Co., Ltd. H67MA-UD2H-B3/H67MA-UD2H-B3, BIOS F8 03/27/2012
> [   25.438647] Call Trace:
> [   25.440889]  dump_stack+0x62/0x9f
> [   25.443104]  ubsan_epilogue+0x9/0x35
> [   25.445293]  handle_null_ptr_deref+0x80/0x90
> [   25.447464]  __ubsan_handle_type_mismatch_v1+0x6a/0x80
> [   25.449628]  tnode_free+0xce/0x120
> [   25.451749]  ? replace+0xa0/0x1f0
> [   25.453833]  ? resize+0x4e2/0xb70
> [   25.455916]  ? __kmalloc+0x1fe/0x2d0
> [   25.457997]  ? tnode_new+0x66/0x160
> [   25.460072]  ? fib_insert_alias+0x4a8/0x9e0
> [   25.462145]  ? fib_table_insert+0x208/0x690
> [   25.464214]  ? fib_magic+0x20c/0x310
> [   25.466280]  ? fib_netdev_event+0x81/0x200
> [   25.468339]  ? notifier_call_chain+0x63/0x110
> [   25.470407]  ? __dev_notify_flags+0xa8/0x170
> [   25.472472]  ? dev_change_flags+0x56/0x80
> [   25.474538]  ? do_setlink+0x3c2/0x1a00
> [   25.476603]  ? fib_magic+0x20c/0x310
> [   25.478666]  ? rtnl_setlink+0x129/0x1e0
> [   25.480728]  ? rtnetlink_rcv_msg+0x2a4/0x7d0
> [   25.482765]  ? rtnetlink_rcv+0x10/0x10
> [   25.484757]  ? netlink_rcv_skb+0x6f/0x170
> [   25.486741]  ? netlink_unicast+0x1c0/0x2d0
> [   25.488716]  ? netlink_sendmsg+0x2c1/0x630
> [   25.490661]  ? sock_sendmsg+0x49/0xb0
> [   25.492564]  ? SyS_sendto+0x12b/0x1d0
> [   25.494449]  ? do_syscall_64+0xad/0x5cc
> [   25.496305]  ? page_fault+0x2f/0x50
> [   25.498140]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
> [   25.499974]
> 
> 
> UBSAN reported nothing when the same kernel was compiled with gcc 7.3.1 from
> Arch Linux repositories.
> 
> I have three more similar reports to make; if I continue to c/p in each, I'm
> gonna feel like a fuzzbot...
> 

And this one I'm seeing too (once at boot):

[   32.459535] 

[   32.469133] UBSAN: Undefined behaviour in ../net/ipv4/fib_trie.c:504:6
[   32.476534] member access within null pointer of type 'struct tnode'
[   32.483733] CPU: 8 PID: 1 Comm: systemd Not tainted 4.17.0-rc7-debug-01088-g47bffcfef048 #9
[   32.493191] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.3.4 11/08/2016
[   32.501680] Call Trace:
[   32.504513]  dump_stack+0xe6/0x1a0
[   32.508412]  ? dump_stack_print_info.cold.0+0x1b/0x1b
[   32.514164]  ? do_raw_spin_lock+0xcf/0x220
[   32.518848]  ubsan_epilogue+0x9/0x7a
[   32.522940]  handle_null_ptr_deref+0x16b/0x1e0
[   32.528008]  ? ucs2_as_utf8+0x6b0/0x6b0
[   32.532397]  ? __x64_sys_sendto+0xe6/0x1d0
[   32.537079]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.543025]  __ubsan_handle_type_mismatch_v1+0x16b/0x19e
[   32.549054]  ? ubsan_type_mismatch_common.part.5.cold.9+0x1bb/0x1bb
[   32.556168]  ? fib_find_node+0x350/0x350
[   32.560655]  tnode_free+0x115/0x180
[   32.564655]  replace+0x21d/0x5e0
[   32.568361]  ? fib_insert_alias+0x1b20/0x1b20
[   32.573332]  ? put_child+0x546/0x7b0
[   32.577427]  ? __kmalloc+0x1b1/0x5f0
[   32.581520]  ? fib_trie_seq_start+0x510/0x510
[   32.586497]  resize+0x1253/0x2150
[   32.590299]  ? netlink_sendmsg+0x7b5/0x10c0
[   32.595074]  ? __sys_sendto+0x340/0x680
[   32.599460]  ? do_syscall_64+0x14b/0x720
[   32.603954]  ? __node_free_rcu+0x70/0x70
[   32.608442]  ? rcu_lockdep_current_cpu_online+0x1e7/0x2c0
[   32.614578]  ? rcu_dynticks_curr_cpu_in_eqs+0xd6/0x1f0
[   32.620435]  ? lockdep_rtnl_is_

Fw: [Bug 199637] New: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6

2018-05-07 Thread Stephen Hemminger


Begin forwarded message:

Date: Mon, 07 May 2018 16:07:24 +
From: bugzilla-dae...@bugzilla.kernel.org
To: step...@networkplumber.org
Subject: [Bug 199637] New: UBSAN: Undefined behaviour in 
net/ipv4/fib_trie.c:503:6


https://bugzilla.kernel.org/show_bug.cgi?id=199637

Bug ID: 199637
           Summary: UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
           Product: Networking
           Version: 2.5
    Kernel Version: 4.16.7
          Hardware: x86-64
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: IPV4
          Assignee: step...@networkplumber.org
          Reporter: combus...@archlinux.us
        Regression: No

After recompiling the 4.16.7 kernel with gcc 8.1, UBSAN reports the following:

[   25.427424]

[   25.429680] UBSAN: Undefined behaviour in net/ipv4/fib_trie.c:503:6
[   25.431920] member access within null pointer of type 'struct tnode'
[   25.434153] CPU: 3 PID: 1 Comm: systemd Not tainted 4.16.7-CUSTOM #1
[   25.436384] Hardware name: Gigabyte Technology Co., Ltd. H67MA-UD2H-B3/H67MA-UD2H-B3, BIOS F8 03/27/2012
[   25.438647] Call Trace:
[   25.440889]  dump_stack+0x62/0x9f
[   25.443104]  ubsan_epilogue+0x9/0x35
[   25.445293]  handle_null_ptr_deref+0x80/0x90
[   25.447464]  __ubsan_handle_type_mismatch_v1+0x6a/0x80
[   25.449628]  tnode_free+0xce/0x120
[   25.451749]  ? replace+0xa0/0x1f0
[   25.453833]  ? resize+0x4e2/0xb70
[   25.455916]  ? __kmalloc+0x1fe/0x2d0
[   25.457997]  ? tnode_new+0x66/0x160
[   25.460072]  ? fib_insert_alias+0x4a8/0x9e0
[   25.462145]  ? fib_table_insert+0x208/0x690
[   25.464214]  ? fib_magic+0x20c/0x310
[   25.466280]  ? fib_netdev_event+0x81/0x200
[   25.468339]  ? notifier_call_chain+0x63/0x110
[   25.470407]  ? __dev_notify_flags+0xa8/0x170
[   25.472472]  ? dev_change_flags+0x56/0x80
[   25.474538]  ? do_setlink+0x3c2/0x1a00
[   25.476603]  ? fib_magic+0x20c/0x310
[   25.478666]  ? rtnl_setlink+0x129/0x1e0
[   25.480728]  ? rtnetlink_rcv_msg+0x2a4/0x7d0
[   25.482765]  ? rtnetlink_rcv+0x10/0x10
[   25.484757]  ? netlink_rcv_skb+0x6f/0x170
[   25.486741]  ? netlink_unicast+0x1c0/0x2d0
[   25.488716]  ? netlink_sendmsg+0x2c1/0x630
[   25.490661]  ? sock_sendmsg+0x49/0xb0
[   25.492564]  ? SyS_sendto+0x12b/0x1d0
[   25.494449]  ? do_syscall_64+0xad/0x5cc
[   25.496305]  ? page_fault+0x2f/0x50
[   25.498140]  ? entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[   25.499974]


UBSAN reported nothing when the same kernel was compiled with gcc 7.3.1 from
Arch Linux repositories.

I have three more similar reports to make; if I continue to c/p in each, I'm
gonna feel like a fuzzbot...

-- 
You are receiving this mail because:
You are the assignee for the bug.