Message ID | 20200914172750.852684-7-georgepope@google.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | UBSan Enablement for hyp/nVHE code | expand |
+ kernel-dynamic-tools to help review. On Mon, Sep 14, 2020 at 10:28 AM George-Aurelian Popescu <georgepope@google.com> wrote: > > From: George Popescu <georgepope@google.com> > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > the handler call, preventing it from printing any information processed > inside the buffer. > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > -fsanitize=local-bounds, and the latter adds a brk after the handler > call > > Signed-off-by: George Popescu <georgepope@google.com> > --- > scripts/Makefile.ubsan | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan > index 27348029b2b8..3d15ac346c97 100644 > --- a/scripts/Makefile.ubsan > +++ b/scripts/Makefile.ubsan > @@ -4,7 +4,14 @@ ifdef CONFIG_UBSAN_ALIGNMENT > endif > > ifdef CONFIG_UBSAN_BOUNDS > - CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > + # For Clang -fsanitize=bounds translates to -fsanitize=array-bounds and > + # -fsanitize=local-bounds; the latter adds a brk right after the > + # handler is called. > + ifdef CONFIG_CC_IS_CLANG > + CFLAGS_UBSAN += $(call cc-option, -fsanitize=array-bounds) You can remove the cc-option check above; Clang has supported this option for many releases. (One less compiler invocation at build time, FWIW). You cannot remove the below cc-option; GCC only implemented that sanitizer in the 5.0+ releases; the kernel still support GCC 4.9. > + else > + CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > + endif > endif > > ifdef CONFIG_UBSAN_MISC > -- > 2.28.0.618.gf4bc123cb7-goog >
On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > From: George Popescu <georgepope@google.com> > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > the handler call, preventing it from printing any information processed > inside the buffer. > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > -fsanitize=local-bounds, and the latter adds a brk after the handler > call That sounds like a compiler bug? > Signed-off-by: George Popescu <georgepope@google.com> > --- > scripts/Makefile.ubsan | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan > index 27348029b2b8..3d15ac346c97 100644 > --- a/scripts/Makefile.ubsan > +++ b/scripts/Makefile.ubsan > @@ -4,7 +4,14 @@ ifdef CONFIG_UBSAN_ALIGNMENT > endif > > ifdef CONFIG_UBSAN_BOUNDS > - CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > + # For Clang -fsanitize=bounds translates to -fsanitize=array-bounds and > + # -fsanitize=local-bounds; the latter adds a brk right after the > + # handler is called. > + ifdef CONFIG_CC_IS_CLANG > + CFLAGS_UBSAN += $(call cc-option, -fsanitize=array-bounds) This would mean losing the local-bounds coverage? Isn't that for locally defined arrays on the stack? > + else > + CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > + endif > endif > > ifdef CONFIG_UBSAN_MISC > -- > 2.28.0.618.gf4bc123cb7-goog >
On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote: > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > > From: George Popescu <georgepope@google.com> > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > > the handler call, preventing it from printing any information processed > > inside the buffer. > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > > -fsanitize=local-bounds, and the latter adds a brk after the handler > > call > > That sounds like a compiler bug? Actually in clang 12 documentation is written that -fsanitize=bounds expands to that. GCC doesn't have those two options, only the -fsanitize=bounds which looks similar to -fsanitize=array-bounds from clang. So I don't see it as a compiler bug, just a misuse of flags. > > Signed-off-by: George Popescu <georgepope@google.com> > > --- > > scripts/Makefile.ubsan | 9 ++++++++- > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan > > index 27348029b2b8..3d15ac346c97 100644 > > --- a/scripts/Makefile.ubsan > > +++ b/scripts/Makefile.ubsan > > @@ -4,7 +4,14 @@ ifdef CONFIG_UBSAN_ALIGNMENT > > endif > > > > ifdef CONFIG_UBSAN_BOUNDS > > - CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > > + # For Clang -fsanitize=bounds translates to -fsanitize=array-bounds and > > + # -fsanitize=local-bounds; the latter adds a brk right after the > > + # handler is called. > > + ifdef CONFIG_CC_IS_CLANG > > + CFLAGS_UBSAN += $(call cc-option, -fsanitize=array-bounds) > > This would mean losing the local-bounds coverage? Isn't that for locally > defined arrays on the stack? This would mean losing the local-bounds coverage. I tried to test it without local-bounds and with a locally defined array on the stack and it works fine (the handler is called and the error reported). For me it feels like --array-bounds and --local-bounds are triggered for the same type of undefined_behaviours but they are handling them different. > > + else > > + CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > > + endif > > endif > > > > ifdef CONFIG_UBSAN_MISC > > -- > > 2.28.0.618.gf4bc123cb7-goog > > > > -- Thanks, George
On Tue, 15 Sep 2020 at 12:25, George Popescu <georgepope@google.com> wrote: > On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote: > > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > > > From: George Popescu <georgepope@google.com> > > > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > > > the handler call, preventing it from printing any information processed > > > inside the buffer. > > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > > > -fsanitize=local-bounds, and the latter adds a brk after the handler > > > call > > > > That sounds like a compiler bug? > Actually in clang 12 documentation is written that -fsanitize=bounds > expands to that. GCC doesn't have those two options, only the > -fsanitize=bounds which looks similar to -fsanitize=array-bounds from > clang. So I don't see it as a compiler bug, just a misuse of flags. Clang just allows to be more selective, but ultimately we want to cover as many bug-classes as possible. There is little point in giving up checks with Clang just because GCC doesn't implement them. If there are other valid reasons to give it up, that's fine, but so far it seems we never ran into the issue you ran into -- which is also a bit odd, because I do see in the instrumentation passes that fsanitize=bounds emits traps sometimes. [...] > > > ifdef CONFIG_UBSAN_BOUNDS > > > - CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > > > + # For Clang -fsanitize=bounds translates to -fsanitize=array-bounds and > > > + # -fsanitize=local-bounds; the latter adds a brk right after the > > > + # handler is called. > > > + ifdef CONFIG_CC_IS_CLANG > > > + CFLAGS_UBSAN += $(call cc-option, -fsanitize=array-bounds) > > > > This would mean losing the local-bounds coverage? Isn't that for locally > > defined arrays on the stack? > This would mean losing the local-bounds coverage. I tried to test it without > local-bounds and with a locally defined array on the stack and it works fine > (the handler is called and the error reported). For me it feels like > --array-bounds and --local-bounds are triggered for the same type of > undefined_behaviours but they are handling them different. Does -fno-sanitize-trap=bounds help? Thanks, -- Marco
On Tue, Sep 15, 2020 at 01:18:11PM +0200, Marco Elver wrote: > On Tue, 15 Sep 2020 at 12:25, George Popescu <georgepope@google.com> wrote: > > On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote: > > > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > > > > From: George Popescu <georgepope@google.com> > > > > > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > > > > the handler call, preventing it from printing any information processed > > > > inside the buffer. > > > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > > > > -fsanitize=local-bounds, and the latter adds a brk after the handler > > > > call > > > > > This would mean losing the local-bounds coverage. I tried to test it without > > local-bounds and with a locally defined array on the stack and it works fine > > (the handler is called and the error reported). For me it feels like > > --array-bounds and --local-bounds are triggered for the same type of > > undefined_behaviours but they are handling them different. > > Does -fno-sanitize-trap=bounds help?> I tried replacing it with: ifdef CONFIG_CC_IS_CLANG CFLAGS_UBSAN += $(call cc-option, -fno-sanitize-trap=bounds) CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) else CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) endif The code traps. Thanks, George
On Tue, 15 Sep 2020 at 14:01, George Popescu <georgepope@google.com> wrote: > > On Tue, Sep 15, 2020 at 01:18:11PM +0200, Marco Elver wrote: > > On Tue, 15 Sep 2020 at 12:25, George Popescu <georgepope@google.com> wrote: > > > On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote: > > > > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > > > > > From: George Popescu <georgepope@google.com> > > > > > > > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > > > > > the handler call, preventing it from printing any information processed > > > > > inside the buffer. > > > > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > > > > > -fsanitize=local-bounds, and the latter adds a brk after the handler > > > > > call > > > > > > > This would mean losing the local-bounds coverage. I tried to test it without > > > local-bounds and with a locally defined array on the stack and it works fine > > > (the handler is called and the error reported). For me it feels like > > > --array-bounds and --local-bounds are triggered for the same type of > > > undefined_behaviours but they are handling them different. > > > > Does -fno-sanitize-trap=bounds help?> > > I tried replacing it with: > ifdef CONFIG_CC_IS_CLANG > CFLAGS_UBSAN += $(call cc-option, -fno-sanitize-trap=bounds) > CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > else > CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > endif > > The code traps. What's your config? Do you have CONFIG_UBSAN_TRAP=y? If so, you have 2 options: honor UBSAN_TRAP and crash the kernel, or have a 'CFLAGS_REMOVE_... = -fsanitize-undefined-trap-on-error' for the files where you can't deal with traps. Thanks, -- Marco
On Tue, Sep 15, 2020 at 07:32:28PM +0200, Marco Elver wrote: > On Tue, 15 Sep 2020 at 14:01, George Popescu <georgepope@google.com> wrote: > > > > On Tue, Sep 15, 2020 at 01:18:11PM +0200, Marco Elver wrote: > > > On Tue, 15 Sep 2020 at 12:25, George Popescu <georgepope@google.com> wrote: > > > > On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote: > > > > > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > > > > > > From: George Popescu <georgepope@google.com> > > > > > > > > > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > > > > > > the handler call, preventing it from printing any information processed > > > > > > inside the buffer. > > > > > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > > > > > > -fsanitize=local-bounds, and the latter adds a brk after the handler > > > > > > call > > > > > > > > > This would mean losing the local-bounds coverage. I tried to test it without > > > > local-bounds and with a locally defined array on the stack and it works fine > > > > (the handler is called and the error reported). For me it feels like > > > > --array-bounds and --local-bounds are triggered for the same type of > > > > undefined_behaviours but they are handling them different. > > > > > > Does -fno-sanitize-trap=bounds help?> > > > > I tried replacing it with: > > ifdef CONFIG_CC_IS_CLANG > > CFLAGS_UBSAN += $(call cc-option, -fno-sanitize-trap=bounds) > > CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > > else > > CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > > endif > > > > The code traps. > > What's your config? Do you have CONFIG_UBSAN_TRAP=y? If so, you have 2 > options: honor UBSAN_TRAP and crash the kernel, or have a > 'CFLAGS_REMOVE_... = -fsanitize-undefined-trap-on-error' for the files > where you can't deal with traps> I don't have CONFIG_UBSAN_TRAP=y. My .config is: CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y CONFIG_UBSAN=y # CONFIG_UBSAN_TRAP is not set CONFIG_UBSAN_KCOV_BROKEN=y CONFIG_UBSAN_MISC=y CONFIG_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN_ALIGNMENT is not set CONFIG_TEST_UBSAN=m Thanks, George
On Wed, 16 Sep 2020 at 09:40, George Popescu <georgepope@google.com> wrote: > > On Tue, Sep 15, 2020 at 07:32:28PM +0200, Marco Elver wrote: > > On Tue, 15 Sep 2020 at 14:01, George Popescu <georgepope@google.com> wrote: > > > > > > On Tue, Sep 15, 2020 at 01:18:11PM +0200, Marco Elver wrote: > > > > On Tue, 15 Sep 2020 at 12:25, George Popescu <georgepope@google.com> wrote: > > > > > On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote: > > > > > > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > > > > > > > From: George Popescu <georgepope@google.com> > > > > > > > > > > > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > > > > > > > the handler call, preventing it from printing any information processed > > > > > > > inside the buffer. > > > > > > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > > > > > > > -fsanitize=local-bounds, and the latter adds a brk after the handler > > > > > > > call > > > > > > > > > > > This would mean losing the local-bounds coverage. I tried to test it without > > > > > local-bounds and with a locally defined array on the stack and it works fine > > > > > (the handler is called and the error reported). For me it feels like > > > > > --array-bounds and --local-bounds are triggered for the same type of > > > > > undefined_behaviours but they are handling them different. > > > > > > > > Does -fno-sanitize-trap=bounds help?> > > > > > > I tried replacing it with: > > > ifdef CONFIG_CC_IS_CLANG > > > CFLAGS_UBSAN += $(call cc-option, -fno-sanitize-trap=bounds) > > > CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > > > else > > > CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) > > > endif > > > > > > The code traps. > > > > What's your config? Do you have CONFIG_UBSAN_TRAP=y? If so, you have 2 > > options: honor UBSAN_TRAP and crash the kernel, or have a > > 'CFLAGS_REMOVE_... = -fsanitize-undefined-trap-on-error' for the files > > where you can't deal with traps> > > I don't have CONFIG_UBSAN_TRAP=y. My .config is: > CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y > CONFIG_UBSAN=y > # CONFIG_UBSAN_TRAP is not set > CONFIG_UBSAN_KCOV_BROKEN=y > CONFIG_UBSAN_MISC=y > CONFIG_UBSAN_SANITIZE_ALL=y > # CONFIG_UBSAN_ALIGNMENT is not set > CONFIG_TEST_UBSAN=m Your full config would be good, because it includes compiler version etc.
On Wed, Sep 16, 2020 at 12:14PM +0000, George Popescu wrote: > On Wed, Sep 16, 2020 at 10:32:40AM +0200, Marco Elver wrote: > > On Wed, 16 Sep 2020 at 09:40, George Popescu <georgepope@google.com> wrote: > > > On Tue, Sep 15, 2020 at 07:32:28PM +0200, Marco Elver wrote: > > > > On Tue, 15 Sep 2020 at 14:01, George Popescu <georgepope@google.com> wrote: > > > > > On Tue, Sep 15, 2020 at 01:18:11PM +0200, Marco Elver wrote: > > > > > > On Tue, 15 Sep 2020 at 12:25, George Popescu <georgepope@google.com> wrote: > > > > > > > On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote: > > > > > > > > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > > > > > > > > > From: George Popescu <georgepope@google.com> > > > > > > > > > > > > > > > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > > > > > > > > > the handler call, preventing it from printing any information processed > > > > > > > > > inside the buffer. > > > > > > > > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > > > > > > > > > -fsanitize=local-bounds, and the latter adds a brk after the handler > > > > > > > > > call > > > > > > > > > > > > > > > This would mean losing the local-bounds coverage. I tried to test it without > > > > > > > local-bounds and with a locally defined array on the stack and it works fine > > > > > > > (the handler is called and the error reported). For me it feels like > > > > > > > --array-bounds and --local-bounds are triggered for the same type of > > > > > > > undefined_behaviours but they are handling them different. > > > > > > > > > > > > Does -fno-sanitize-trap=bounds help? [...] > > Your full config would be good, because it includes compiler version etc. > My full config is: Thanks. Yes, I can reproduce, and the longer I keep digging I start wondering why we have local-bounds at all. It appears that local-bounds finds a tiny subset of the issues that KASAN finds: http://lists.llvm.org/pipermail/cfe-commits/Week-of-Mon-20131021/091536.html http://llvm.org/viewvc/llvm-project?view=revision&revision=193205 fsanitize=undefined also does not include local-bounds: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#available-checks And the reason is that we do want to enable KASAN and UBSAN together; but local-bounds is useless overhead if we already have KASAN. I'm inclined to say that what you propose is reasonable (but the commit message needs to be more detailed explaining the relationship with KASAN) -- but I have no idea if this is going to break somebody's usecase (e.g. find some OOB bugs, but without KASAN -- but then why not use KASAN?!) I'll ask some more people on LLVM side. Thanks, -- Marco
On Wed, 16 Sep 2020 at 15:40, Marco Elver <elver@google.com> wrote: > On Wed, Sep 16, 2020 at 12:14PM +0000, George Popescu wrote: > > On Wed, Sep 16, 2020 at 10:32:40AM +0200, Marco Elver wrote: > > > On Wed, 16 Sep 2020 at 09:40, George Popescu <georgepope@google.com> wrote: > > > > On Tue, Sep 15, 2020 at 07:32:28PM +0200, Marco Elver wrote: > > > > > On Tue, 15 Sep 2020 at 14:01, George Popescu <georgepope@google.com> wrote: > > > > > > On Tue, Sep 15, 2020 at 01:18:11PM +0200, Marco Elver wrote: > > > > > > > On Tue, 15 Sep 2020 at 12:25, George Popescu <georgepope@google.com> wrote: > > > > > > > > On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote: > > > > > > > > > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > > > > > > > > > > From: George Popescu <georgepope@google.com> > > > > > > > > > > > > > > > > > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > > > > > > > > > > the handler call, preventing it from printing any information processed > > > > > > > > > > inside the buffer. > > > > > > > > > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > > > > > > > > > > -fsanitize=local-bounds, and the latter adds a brk after the handler > > > > > > > > > > call > > > > > > > > > > > > > > > > > This would mean losing the local-bounds coverage. I tried to test it without > > > > > > > > local-bounds and with a locally defined array on the stack and it works fine > > > > > > > > (the handler is called and the error reported). For me it feels like > > > > > > > > --array-bounds and --local-bounds are triggered for the same type of > > > > > > > > undefined_behaviours but they are handling them different. > > > > > > > > > > > > > > Does -fno-sanitize-trap=bounds help? > [...] > > > Your full config would be good, because it includes compiler version etc. > > My full config is: > > Thanks. Yes, I can reproduce, and the longer I keep digging I start > wondering why we have local-bounds at all. > > It appears that local-bounds finds a tiny subset of the issues that > KASAN finds: > > http://lists.llvm.org/pipermail/cfe-commits/Week-of-Mon-20131021/091536.html > http://llvm.org/viewvc/llvm-project?view=revision&revision=193205 > > fsanitize=undefined also does not include local-bounds: > > https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#available-checks > > And the reason is that we do want to enable KASAN and UBSAN together; > but local-bounds is useless overhead if we already have KASAN. > > I'm inclined to say that what you propose is reasonable (but the commit > message needs to be more detailed explaining the relationship with > KASAN) -- but I have no idea if this is going to break somebody's > usecase (e.g. find some OOB bugs, but without KASAN -- but then why not > use KASAN?!) So, it seems that local-bounds can still catch some rare OOB accesses, where KASAN fails to catch it because the access might skip over the redzone. The other more interesting bit of history is that -fsanitize=local-bounds used to be -fbounds-checking, and meant for production use as a hardening feature: http://lists.llvm.org/pipermail/llvm-dev/2012-May/049972.html And local-bounds just does not behave like any other sanitizer as a result, it just traps. The fact that it's enabled via -fsanitize=local-bounds (or just bounds) but hasn't much changed in behaviour is a little unfortunate. I suppose there are 3 options: 1. George implements trap handling somehow. Is this feasible? If not, why not? Maybe that should also have been explained in the commit message. 2. Only enable -fsanitize=local-bounds if UBSAN_TRAP was selected, at least for as long as Clang traps for local-bounds. I think this makes sense either way, because if we do not expect UBSAN to trap, it really should not trap! 3. Change the compiler. As always, this will take a while to implement and then to reach whoever should have that updated compiler. Preferences? Thanks, -- Marco
On Thu, Sep 17, 2020 at 08:37:07AM +0200, Marco Elver wrote: > On Wed, 16 Sep 2020 at 15:40, Marco Elver <elver@google.com> wrote: > > On Wed, Sep 16, 2020 at 12:14PM +0000, George Popescu wrote: > > > On Wed, Sep 16, 2020 at 10:32:40AM +0200, Marco Elver wrote: > > > > On Wed, 16 Sep 2020 at 09:40, George Popescu <georgepope@google.com> wrote: > > > > > On Tue, Sep 15, 2020 at 07:32:28PM +0200, Marco Elver wrote: > > > > > > On Tue, 15 Sep 2020 at 14:01, George Popescu <georgepope@google.com> wrote: > > > > > > > On Tue, Sep 15, 2020 at 01:18:11PM +0200, Marco Elver wrote: > > > > > > > > On Tue, 15 Sep 2020 at 12:25, George Popescu <georgepope@google.com> wrote: > > > > > > > > > On Mon, Sep 14, 2020 at 03:13:14PM -0700, Kees Cook wrote: > > > > > > > > > > On Mon, Sep 14, 2020 at 05:27:42PM +0000, George-Aurelian Popescu wrote: > > > > > > > > > > > From: George Popescu <georgepope@google.com> > > > > > > > > > > > > > > > > > > > > > > When the kernel is compiled with Clang, UBSAN_BOUNDS inserts a brk after > > > > > > > > > > > the handler call, preventing it from printing any information processed > > > > > > > > > > > inside the buffer. > > > > > > > > > > > For Clang -fsanitize=bounds expands to -fsanitize=array-bounds and > > > > > > > > > > > -fsanitize=local-bounds, and the latter adds a brk after the handler > > > > > > > > > > > call > > > > > > > > > > > > > > > > > > > This would mean losing the local-bounds coverage. I tried to test it without > > > > > > > > > local-bounds and with a locally defined array on the stack and it works fine > > > > > > > > > (the handler is called and the error reported). For me it feels like > > > > > > > > > --array-bounds and --local-bounds are triggered for the same type of > > > > > > > > > undefined_behaviours but they are handling them different. > > > > > > > > > > > > > > > > Does -fno-sanitize-trap=bounds help? > > [...] > > > > Your full config would be good, because it includes compiler version etc. > > > My full config is: > > > > Thanks. Yes, I can reproduce, and the longer I keep digging I start > > wondering why we have local-bounds at all. > > > > It appears that local-bounds finds a tiny subset of the issues that > > KASAN finds: > > > > http://lists.llvm.org/pipermail/cfe-commits/Week-of-Mon-20131021/091536.html > > http://llvm.org/viewvc/llvm-project?view=revision&revision=193205 > > > > fsanitize=undefined also does not include local-bounds: > > > > https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#available-checks > > > > And the reason is that we do want to enable KASAN and UBSAN together; > > but local-bounds is useless overhead if we already have KASAN. > > > > I'm inclined to say that what you propose is reasonable (but the commit > > message needs to be more detailed explaining the relationship with > > KASAN) -- but I have no idea if this is going to break somebody's > > usecase (e.g. find some OOB bugs, but without KASAN -- but then why not > > use KASAN?!) > > So, it seems that local-bounds can still catch some rare OOB accesses, > where KASAN fails to catch it because the access might skip over the > redzone. > > The other more interesting bit of history is that > -fsanitize=local-bounds used to be -fbounds-checking, and meant for > production use as a hardening feature: > http://lists.llvm.org/pipermail/llvm-dev/2012-May/049972.html > > And local-bounds just does not behave like any other sanitizer as a > result, it just traps. The fact that it's enabled via > -fsanitize=local-bounds (or just bounds) but hasn't much changed in > behaviour is a little unfortunate. > I suppose there are 3 options: > > 1. George implements trap handling somehow. Is this feasible? If not, > why not? Maybe that should also have been explained in the commit > message. > > 2. Only enable -fsanitize=local-bounds if UBSAN_TRAP was selected, at > least for as long as Clang traps for local-bounds. I think this makes > sense either way, because if we do not expect UBSAN to trap, it really > should not trap! > > 3. Change the compiler. As always, this will take a while to implement > and then to reach whoever should have that updated compiler. > > Preferences? Considering of what you said above, I find option 2 the most elegant. The first one doesn't sound doable for the moment, also the third. I will edit this patch considering your comments and resend it to the list. Thank you for your support. Thanks, George
On Tue, Sep 15, 2020 at 10:24:58AM +0000, George Popescu wrote: > This would mean losing the local-bounds coverage. I tried to test it without > local-bounds and with a locally defined array on the stack and it works fine > (the handler is called and the error reported). For me it feels like > --array-bounds and --local-bounds are triggered for the same type of > undefined_behaviours but they are handling them different. Er, if --array-bounds still works on local arrays, what does local-bounds actually do? >_> :P If we don't have a reduction in coverage, yeah, I'm fine to turn that off.
On Thu, Sep 17, 2020 at 11:35:40AM +0000, George Popescu wrote: > On Thu, Sep 17, 2020 at 08:37:07AM +0200, Marco Elver wrote: > > So, it seems that local-bounds can still catch some rare OOB accesses, > > where KASAN fails to catch it because the access might skip over the > > redzone. > > > > The other more interesting bit of history is that > > -fsanitize=local-bounds used to be -fbounds-checking, and meant for > > production use as a hardening feature: > > http://lists.llvm.org/pipermail/llvm-dev/2012-May/049972.html > > > > And local-bounds just does not behave like any other sanitizer as a > > result, it just traps. The fact that it's enabled via > > -fsanitize=local-bounds (or just bounds) but hasn't much changed in > > behaviour is a little unfortunate. > > > I suppose there are 3 options: > > > > 1. George implements trap handling somehow. Is this feasible? If not, > > why not? Maybe that should also have been explained in the commit > > message. > > > > 2. Only enable -fsanitize=local-bounds if UBSAN_TRAP was selected, at > > least for as long as Clang traps for local-bounds. I think this makes > > sense either way, because if we do not expect UBSAN to trap, it really > > should not trap! > > > > 3. Change the compiler. As always, this will take a while to implement > > and then to reach whoever should have that updated compiler. > > > > Preferences? > Considering of what you said above, I find option 2 the most elegant. > The first one doesn't sound doable for the moment, also the third. > I will edit this patch considering your comments and resend it to the > list. I have a slightly different suggestion that is very nearly #2 above: split local-bounds into a separate CONFIG that requires UBSAN_TRAP, and then carefully document both: - what does it catch that "bounds" doesn't - why it only operates in trap mode The rationale I have is that I don't like the coverage of some mitigation or detection to "silently" vary between builds. e.g. someone would build with/without UBSAN_TRAP and end up with unexpectedly different coverage. I'd rather there be a separate CONFIG that appears.
diff --git a/scripts/Makefile.ubsan b/scripts/Makefile.ubsan index 27348029b2b8..3d15ac346c97 100644 --- a/scripts/Makefile.ubsan +++ b/scripts/Makefile.ubsan @@ -4,7 +4,14 @@ ifdef CONFIG_UBSAN_ALIGNMENT endif ifdef CONFIG_UBSAN_BOUNDS - CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) + # For Clang -fsanitize=bounds translates to -fsanitize=array-bounds and + # -fsanitize=local-bounds; the latter adds a brk right after the + # handler is called. + ifdef CONFIG_CC_IS_CLANG + CFLAGS_UBSAN += $(call cc-option, -fsanitize=array-bounds) + else + CFLAGS_UBSAN += $(call cc-option, -fsanitize=bounds) + endif endif ifdef CONFIG_UBSAN_MISC