GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
signed-overflow-UB warnings. The type mismatch between 'i' and
'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
which also happens to violate uaccess rules:
lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
Fix it by making the variable types match.
This is similar to a previous commit:
29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
Reported-by: Randy Dunlap <[email protected]>
Signed-off-by: Josh Poimboeuf <[email protected]>
---
lib/iov_iter.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 1635111c5bd2..2e6a42f5d1df 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -1656,7 +1656,8 @@ static int copy_compat_iovec_from_user(struct iovec *iov,
{
const struct compat_iovec __user *uiov =
(const struct compat_iovec __user *)uvec;
- int ret = -EFAULT, i;
+ int ret = -EFAULT;
+ unsigned long i;
if (!user_access_begin(uvec, nr_segs * sizeof(*uvec)))
return -EFAULT;
--
2.29.2
On 12/22/20 9:04 PM, Josh Poimboeuf wrote:
> GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
> signed-overflow-UB warnings. The type mismatch between 'i' and
> 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
> which also happens to violate uaccess rules:
>
> lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
>
> Fix it by making the variable types match.
>
> This is similar to a previous commit:
>
> 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
>
> Reported-by: Randy Dunlap <[email protected]>
> Signed-off-by: Josh Poimboeuf <[email protected]>
All good. Thanks.
Acked-by: Randy Dunlap <[email protected]> # build-tested
> ---
> lib/iov_iter.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index 1635111c5bd2..2e6a42f5d1df 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -1656,7 +1656,8 @@ static int copy_compat_iovec_from_user(struct iovec *iov,
> {
> const struct compat_iovec __user *uiov =
> (const struct compat_iovec __user *)uvec;
> - int ret = -EFAULT, i;
> + int ret = -EFAULT;
> + unsigned long i;
>
> if (!user_access_begin(uvec, nr_segs * sizeof(*uvec)))
> return -EFAULT;
>
--
~Randy
On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
> GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
> signed-overflow-UB warnings. The type mismatch between 'i' and
> 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
> which also happens to violate uaccess rules:
>
> lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
>
> Fix it by making the variable types match.
>
> This is similar to a previous commit:
>
> 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
Maybe it's time we make UBSAN builds depend on GCC-8+ ?
On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
> On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
> > GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
> > signed-overflow-UB warnings. The type mismatch between 'i' and
> > 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
> > which also happens to violate uaccess rules:
> >
> > lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
> >
> > Fix it by making the variable types match.
> >
> > This is similar to a previous commit:
> >
> > 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
>
> Maybe it's time we make UBSAN builds depend on GCC-8+ ?
I would be totally fine with that. The only thing I can think of that
might care is syzbot. Dmitry, does syzbot use anything older than gcc 8?
--
Kees Cook
On 1/6/21 3:37 PM, Kees Cook wrote:
> On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
>> On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
>>> GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
>>> signed-overflow-UB warnings. The type mismatch between 'i' and
>>> 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
>>> which also happens to violate uaccess rules:
>>>
>>> lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
>>>
>>> Fix it by making the variable types match.
>>>
>>> This is similar to a previous commit:
>>>
>>> 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
>>
>> Maybe it's time we make UBSAN builds depend on GCC-8+ ?
>
> I would be totally fine with that. The only thing I can think of that
> might care is syzbot. Dmitry, does syzbot use anything older than gcc 8?
I use UBSAN successfully with GCC 7.5.0.
However, I can revert whatever future patch someone adds for this...
--
~Randy
From: Randy Dunlap
> Sent: 23 December 2020 07:19
>
> On 12/22/20 9:04 PM, Josh Poimboeuf wrote:
> > GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
> > signed-overflow-UB warnings. The type mismatch between 'i' and
> > 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
> > which also happens to violate uaccess rules:
> >
> > lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow()
> with UACCESS enabled
> >
> > Fix it by making the variable types match.
> >
> > This is similar to a previous commit:
> >
> > 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
> >
> > Reported-by: Randy Dunlap <[email protected]>
> > Signed-off-by: Josh Poimboeuf <[email protected]>
>
> All good. Thanks.
>
> Acked-by: Randy Dunlap <[email protected]> # build-tested
FWIW I've tested the equivalent change locally.
It generates rather better code on amd64.
(You don't want to index arrays with 'int' unless you really have to.)
So probably:
Acked-by: David Laight <[email protected]>
David
>
>
> > ---
> > lib/iov_iter.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> > index 1635111c5bd2..2e6a42f5d1df 100644
> > --- a/lib/iov_iter.c
> > +++ b/lib/iov_iter.c
> > @@ -1656,7 +1656,8 @@ static int copy_compat_iovec_from_user(struct iovec *iov,
> > {
> > const struct compat_iovec __user *uiov =
> > (const struct compat_iovec __user *)uvec;
> > - int ret = -EFAULT, i;
> > + int ret = -EFAULT;
> > + unsigned long i;
> >
> > if (!user_access_begin(uvec, nr_segs * sizeof(*uvec)))
> > return -EFAULT;
> >
>
>
> --
> ~Randy
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
On Thu, Jan 7, 2021 at 12:37 AM Kees Cook <[email protected]> wrote:
>
> On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
> > On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
> > > GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
> > > signed-overflow-UB warnings. The type mismatch between 'i' and
> > > 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
> > > which also happens to violate uaccess rules:
> > >
> > > lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
> > >
> > > Fix it by making the variable types match.
> > >
> > > This is similar to a previous commit:
> > >
> > > 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
> >
> > Maybe it's time we make UBSAN builds depend on GCC-8+ ?
>
> I would be totally fine with that. The only thing I can think of that
> might care is syzbot. Dmitry, does syzbot use anything older than gcc 8?
syzbot should use gcc 10 everywhere by now (and if not, we will update).
And in general I think it's a reasonable requirement today.
On Wed, Jan 06, 2021 at 04:06:57PM -0800, Randy Dunlap wrote:
> On 1/6/21 3:37 PM, Kees Cook wrote:
> > On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
> >> On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
> >>> GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
> >>> signed-overflow-UB warnings. The type mismatch between 'i' and
> >>> 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
> >>> which also happens to violate uaccess rules:
> >>>
> >>> lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
> >>>
> >>> Fix it by making the variable types match.
> >>>
> >>> This is similar to a previous commit:
> >>>
> >>> 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
> >>
> >> Maybe it's time we make UBSAN builds depend on GCC-8+ ?
> >
> > I would be totally fine with that. The only thing I can think of that
> > might care is syzbot. Dmitry, does syzbot use anything older than gcc 8?
>
> I use UBSAN successfully with GCC 7.5.0.
> However, I can revert whatever future patch someone adds for this...
Peter, which GCC version specifically are you seeing this on? (i.e. can
I just make in 7.5+ instead of 8+ to make Randy's life easier?)
--
Kees Cook
On Thu, Jan 07, 2021 at 01:07:21PM -0800, Kees Cook wrote:
> On Wed, Jan 06, 2021 at 04:06:57PM -0800, Randy Dunlap wrote:
> > On 1/6/21 3:37 PM, Kees Cook wrote:
> > > On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
> > >> On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
> > >>> GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
> > >>> signed-overflow-UB warnings. The type mismatch between 'i' and
> > >>> 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
> > >>> which also happens to violate uaccess rules:
> > >>>
> > >>> lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
> > >>>
> > >>> Fix it by making the variable types match.
> > >>>
> > >>> This is similar to a previous commit:
> > >>>
> > >>> 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
> > >>
> > >> Maybe it's time we make UBSAN builds depend on GCC-8+ ?
> > >
> > > I would be totally fine with that. The only thing I can think of that
> > > might care is syzbot. Dmitry, does syzbot use anything older than gcc 8?
> >
> > I use UBSAN successfully with GCC 7.5.0.
> > However, I can revert whatever future patch someone adds for this...
>
> Peter, which GCC version specifically are you seeing this on? (i.e. can
> I just make in 7.5+ instead of 8+ to make Randy's life easier?)
I don't think that would help, we saw this bug on GCC 7.5.
--
Josh
On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
> On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
> > GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
> > signed-overflow-UB warnings. The type mismatch between 'i' and
> > 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
> > which also happens to violate uaccess rules:
> >
> > lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
> >
> > Fix it by making the variable types match.
> >
> > This is similar to a previous commit:
> >
> > 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
>
> Maybe it's time we make UBSAN builds depend on GCC-8+ ?
---
Subject: ubsan: Require GCC-8+ or Clang to use UBSAN
Just like how we require GCC-8.2 for KASAN due to compiler bugs, require
a sane version of GCC for UBSAN.
Specifically, before GCC-8 UBSAN doesn't respect -fwrapv and thinks
signed arithmetic is buggered.
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
---
lib/Kconfig.ubsan | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan
index 8b635fd75fe4..acc3df62460e 100644
--- a/lib/Kconfig.ubsan
+++ b/lib/Kconfig.ubsan
@@ -2,8 +2,13 @@
config ARCH_HAS_UBSAN_SANITIZE_ALL
bool
+# UBSAN prior to GCC-8 gets -fwrapv wrong, we rely on that
+config UBSAN_SANE
+ def_bool !CC_IS_GCC || GCC_VERSION >= 80000
+
menuconfig UBSAN
bool "Undefined behaviour sanity checker"
+ depends on UBSAN_SANE
help
This option enables the Undefined Behaviour sanity checker.
Compile-time instrumentation is used to detect various undefined
On 1/14/21 1:59 PM, Peter Zijlstra wrote:
> On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
>> On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
>>> GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
>>> signed-overflow-UB warnings. The type mismatch between 'i' and
>>> 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
>>> which also happens to violate uaccess rules:
>>>
>>> lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
>>>
>>> Fix it by making the variable types match.
>>>
>>> This is similar to a previous commit:
>>>
>>> 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
>>
>> Maybe it's time we make UBSAN builds depend on GCC-8+ ?
>
> ---
> Subject: ubsan: Require GCC-8+ or Clang to use UBSAN
>
> Just like how we require GCC-8.2 for KASAN due to compiler bugs, require
> a sane version of GCC for UBSAN.
>
> Specifically, before GCC-8 UBSAN doesn't respect -fwrapv and thinks
> signed arithmetic is buggered.
>
Actually removing CONFIG_UBSAN_SIGNED_OVERFLOW would give us the same effect without restricting GCC versions.
On Thu, Jan 14, 2021 at 02:09:28PM +0300, Andrey Ryabinin wrote:
>
>
> On 1/14/21 1:59 PM, Peter Zijlstra wrote:
> > On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
> >> On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
> >>> GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
> >>> signed-overflow-UB warnings. The type mismatch between 'i' and
> >>> 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
> >>> which also happens to violate uaccess rules:
> >>>
> >>> lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
> >>>
> >>> Fix it by making the variable types match.
> >>>
> >>> This is similar to a previous commit:
> >>>
> >>> 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
> >>
> >> Maybe it's time we make UBSAN builds depend on GCC-8+ ?
> >
> > ---
> > Subject: ubsan: Require GCC-8+ or Clang to use UBSAN
> >
> > Just like how we require GCC-8.2 for KASAN due to compiler bugs, require
> > a sane version of GCC for UBSAN.
> >
> > Specifically, before GCC-8 UBSAN doesn't respect -fwrapv and thinks
> > signed arithmetic is buggered.
> >
>
> Actually removing CONFIG_UBSAN_SIGNED_OVERFLOW would give us the same
> effect without restricting GCC versions.
Is that preferable? Always happy to remove code, just need some
justification behind it.
--
Josh
On Mon, Jan 18, 2021 at 11:53:37AM -0600, Josh Poimboeuf wrote:
> On Thu, Jan 14, 2021 at 02:09:28PM +0300, Andrey Ryabinin wrote:
> >
> >
> > On 1/14/21 1:59 PM, Peter Zijlstra wrote:
> > > On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
> > >> On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
> > >>> GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
> > >>> signed-overflow-UB warnings. The type mismatch between 'i' and
> > >>> 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
> > >>> which also happens to violate uaccess rules:
> > >>>
> > >>> lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
> > >>>
> > >>> Fix it by making the variable types match.
> > >>>
> > >>> This is similar to a previous commit:
> > >>>
> > >>> 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
> > >>
> > >> Maybe it's time we make UBSAN builds depend on GCC-8+ ?
> > >
> > > ---
> > > Subject: ubsan: Require GCC-8+ or Clang to use UBSAN
> > >
> > > Just like how we require GCC-8.2 for KASAN due to compiler bugs, require
> > > a sane version of GCC for UBSAN.
> > >
> > > Specifically, before GCC-8 UBSAN doesn't respect -fwrapv and thinks
> > > signed arithmetic is buggered.
> > >
> >
> > Actually removing CONFIG_UBSAN_SIGNED_OVERFLOW would give us the same
> > effect without restricting GCC versions.
>
> Is that preferable? Always happy to remove code, just need some
> justification behind it.
Andrey,
Is Peter's patch acceptable or do you want to do something else?
--
Josh
On 2/9/21 9:24 PM, Josh Poimboeuf wrote:
> On Mon, Jan 18, 2021 at 11:53:37AM -0600, Josh Poimboeuf wrote:
>> On Thu, Jan 14, 2021 at 02:09:28PM +0300, Andrey Ryabinin wrote:
>>>
>>>
>>> On 1/14/21 1:59 PM, Peter Zijlstra wrote:
>>>> On Mon, Jan 04, 2021 at 04:13:17PM +0100, Peter Zijlstra wrote:
>>>>> On Tue, Dec 22, 2020 at 11:04:54PM -0600, Josh Poimboeuf wrote:
>>>>>> GCC 7 has a known bug where UBSAN ignores '-fwrapv' and generates false
>>>>>> signed-overflow-UB warnings. The type mismatch between 'i' and
>>>>>> 'nr_segs' in copy_compat_iovec_from_user() is causing such a warning,
>>>>>> which also happens to violate uaccess rules:
>>>>>>
>>>>>> lib/iov_iter.o: warning: objtool: iovec_from_user()+0x22d: call to __ubsan_handle_add_overflow() with UACCESS enabled
>>>>>>
>>>>>> Fix it by making the variable types match.
>>>>>>
>>>>>> This is similar to a previous commit:
>>>>>>
>>>>>> 29da93fea3ea ("mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions")
>>>>>
>>>>> Maybe it's time we make UBSAN builds depend on GCC-8+ ?
>>>>
>>>> ---
>>>> Subject: ubsan: Require GCC-8+ or Clang to use UBSAN
>>>>
>>>> Just like how we require GCC-8.2 for KASAN due to compiler bugs, require
>>>> a sane version of GCC for UBSAN.
>>>>
>>>> Specifically, before GCC-8 UBSAN doesn't respect -fwrapv and thinks
>>>> signed arithmetic is buggered.
>>>>
>>>
>>> Actually removing CONFIG_UBSAN_SIGNED_OVERFLOW would give us the same
>>> effect without restricting GCC versions.
>>
>> Is that preferable? Always happy to remove code, just need some
>> justification behind it.
>
> Andrey,
>
> Is Peter's patch acceptable or do you want to do something else?
>
I do prefer to just remove the code, I'll send the patch shortly.
On Wed, Feb 10, 2021 at 02:17:57AM +0300, Andrey Rybainin wrote:
> >>>> Subject: ubsan: Require GCC-8+ or Clang to use UBSAN
> >>>>
> >>>> Just like how we require GCC-8.2 for KASAN due to compiler bugs, require
> >>>> a sane version of GCC for UBSAN.
> >>>>
> >>>> Specifically, before GCC-8 UBSAN doesn't respect -fwrapv and thinks
> >>>> signed arithmetic is buggered.
> >>>
> >>> Actually removing CONFIG_UBSAN_SIGNED_OVERFLOW would give us the same
> >>> effect without restricting GCC versions.
> >>
> >> Is that preferable? Always happy to remove code, just need some
> >> justification behind it.
> >
> > Is Peter's patch acceptable or do you want to do something else?
>
> I do prefer to just remove the code, I'll send the patch shortly.
I have a specific goal of getting both signed and unsigned overflow
detection working sanely, so removing this entirely from the kernel
really makes working on that difficult. :)
I view the primary problem as compiler-specific. I'd much rather we
correctly mask against versions (or better yet, behaviors).
--
Kees Cook