2024-04-15 18:28:49

by Kees Cook

[permalink] [raw]
Subject: [PATCH] ubsan: Add awareness of signed integer overflow traps

On arm64, UBSAN traps can be decoded from the trap instruction. Add the
add, sub, and mul overflow trap codes now that CONFIG_UBSAN_SIGNED_WRAP
exists. Seen under clang 19:

Internal error: UBSAN: unrecognized failure code: 00000000f2005515 [#1] PREEMPT SMP

Reported-by: Nathan Chancellor <[email protected]>
Closes: https://lore.kernel.org/lkml/20240411-fix-ubsan-in-hardening-config-v1-0-e0177c80ffaa@kernel.org
Fixes: 557f8c582a9b ("ubsan: Reintroduce signed overflow sanitizer")
Signed-off-by: Kees Cook <[email protected]>
---
Cc: Marco Elver <[email protected]>
Cc: Justin Stitt <[email protected]>
Cc: Andrey Konovalov <[email protected]>
Cc: Andrey Ryabinin <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: [email protected]
Cc: [email protected]
---
lib/ubsan.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/lib/ubsan.c b/lib/ubsan.c
index 5fc107f61934..ad32beb8c058 100644
--- a/lib/ubsan.c
+++ b/lib/ubsan.c
@@ -44,9 +44,10 @@ const char *report_ubsan_failure(struct pt_regs *regs, u32 check_type)
case ubsan_shift_out_of_bounds:
return "UBSAN: shift out of bounds";
#endif
-#ifdef CONFIG_UBSAN_DIV_ZERO
+#if defined(CONFIG_UBSAN_DIV_ZERO) || defined(CONFIG_UBSAN_SIGNED_INTEGER_WRAP)
/*
- * SanitizerKind::IntegerDivideByZero emits
+ * SanitizerKind::IntegerDivideByZero and
+ * SanitizerKind::SignedIntegerOverflow emit
* SanitizerHandler::DivremOverflow.
*/
case ubsan_divrem_overflow:
@@ -77,6 +78,19 @@ const char *report_ubsan_failure(struct pt_regs *regs, u32 check_type)
return "UBSAN: alignment assumption";
case ubsan_type_mismatch:
return "UBSAN: type mismatch";
+#endif
+#ifdef CONFIG_UBSAN_SIGNED_INTEGER_WRAP
+ /*
+ * SanitizerKind::SignedIntegerOverflow emits
+ * SanitizerHandler::AddOverflow, SanitizerHandler::SubOverflow,
+ * or SanitizerHandler::MulOverflow.
+ */
+ case ubsan_add_overflow:
+ return "UBSAN: integer addition overflow";
+ case ubsan_sub_overflow:
+ return "UBSAN: integer subtraction overflow";
+ case ubsan_mul_overflow:
+ return "UBSAN: integer multiplication overflow";
#endif
default:
return "UBSAN: unrecognized failure code";
--
2.34.1



2024-04-15 18:35:05

by Nathan Chancellor

[permalink] [raw]
Subject: Re: [PATCH] ubsan: Add awareness of signed integer overflow traps

On Mon, Apr 15, 2024 at 11:28:35AM -0700, Kees Cook wrote:
> On arm64, UBSAN traps can be decoded from the trap instruction. Add the
> add, sub, and mul overflow trap codes now that CONFIG_UBSAN_SIGNED_WRAP
> exists. Seen under clang 19:
>
> Internal error: UBSAN: unrecognized failure code: 00000000f2005515 [#1] PREEMPT SMP
>
> Reported-by: Nathan Chancellor <[email protected]>
> Closes: https://lore.kernel.org/lkml/20240411-fix-ubsan-in-hardening-config-v1-0-e0177c80ffaa@kernel.org
> Fixes: 557f8c582a9b ("ubsan: Reintroduce signed overflow sanitizer")
> Signed-off-by: Kees Cook <[email protected]>

As I mentioned, CONFIG_UBSAN_SIGNED_INTEGER_WRAP needs to be
CONFIG_UBSAN_SIGNED_WRAP. I applied this change with that fix up and the
warning now becomes:

Internal error: UBSAN: integer subtraction overflow: 00000000f2005515 [#1] PREEMPT SMP

So:

Tested-by: Nathan Chancellor <[email protected]>

> ---
> Cc: Marco Elver <[email protected]>
> Cc: Justin Stitt <[email protected]>
> Cc: Andrey Konovalov <[email protected]>
> Cc: Andrey Ryabinin <[email protected]>
> Cc: Andrew Morton <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> ---
> lib/ubsan.c | 18 ++++++++++++++++--
> 1 file changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/lib/ubsan.c b/lib/ubsan.c
> index 5fc107f61934..ad32beb8c058 100644
> --- a/lib/ubsan.c
> +++ b/lib/ubsan.c
> @@ -44,9 +44,10 @@ const char *report_ubsan_failure(struct pt_regs *regs, u32 check_type)
> case ubsan_shift_out_of_bounds:
> return "UBSAN: shift out of bounds";
> #endif
> -#ifdef CONFIG_UBSAN_DIV_ZERO
> +#if defined(CONFIG_UBSAN_DIV_ZERO) || defined(CONFIG_UBSAN_SIGNED_INTEGER_WRAP)
> /*
> - * SanitizerKind::IntegerDivideByZero emits
> + * SanitizerKind::IntegerDivideByZero and
> + * SanitizerKind::SignedIntegerOverflow emit
> * SanitizerHandler::DivremOverflow.
> */
> case ubsan_divrem_overflow:
> @@ -77,6 +78,19 @@ const char *report_ubsan_failure(struct pt_regs *regs, u32 check_type)
> return "UBSAN: alignment assumption";
> case ubsan_type_mismatch:
> return "UBSAN: type mismatch";
> +#endif
> +#ifdef CONFIG_UBSAN_SIGNED_INTEGER_WRAP
> + /*
> + * SanitizerKind::SignedIntegerOverflow emits
> + * SanitizerHandler::AddOverflow, SanitizerHandler::SubOverflow,
> + * or SanitizerHandler::MulOverflow.
> + */
> + case ubsan_add_overflow:
> + return "UBSAN: integer addition overflow";
> + case ubsan_sub_overflow:
> + return "UBSAN: integer subtraction overflow";
> + case ubsan_mul_overflow:
> + return "UBSAN: integer multiplication overflow";
> #endif
> default:
> return "UBSAN: unrecognized failure code";
> --
> 2.34.1
>

2024-04-16 00:46:40

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH] ubsan: Add awareness of signed integer overflow traps

On Mon, Apr 15, 2024 at 11:34:54AM -0700, Nathan Chancellor wrote:
> On Mon, Apr 15, 2024 at 11:28:35AM -0700, Kees Cook wrote:
> > On arm64, UBSAN traps can be decoded from the trap instruction. Add the
> > add, sub, and mul overflow trap codes now that CONFIG_UBSAN_SIGNED_WRAP
> > exists. Seen under clang 19:
> >
> > Internal error: UBSAN: unrecognized failure code: 00000000f2005515 [#1] PREEMPT SMP
> >
> > Reported-by: Nathan Chancellor <[email protected]>
> > Closes: https://lore.kernel.org/lkml/20240411-fix-ubsan-in-hardening-config-v1-0-e0177c80ffaa@kernel.org
> > Fixes: 557f8c582a9b ("ubsan: Reintroduce signed overflow sanitizer")
> > Signed-off-by: Kees Cook <[email protected]>
>
> As I mentioned, CONFIG_UBSAN_SIGNED_INTEGER_WRAP needs to be
> CONFIG_UBSAN_SIGNED_WRAP. I applied this change with that fix up and the

Whoops; thanks!

> warning now becomes:
>
> Internal error: UBSAN: integer subtraction overflow: 00000000f2005515 [#1] PREEMPT SMP

Perfecto. :)

> So:
>
> Tested-by: Nathan Chancellor <[email protected]>

Thanks!

--
Kees Cook