Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S941558AbcKQRpT (ORCPT <rfc822;w@1wt.eu>);
        Thu, 17 Nov 2016 12:45:19 -0500
Received: from mail-qk0-f169.google.com ([209.85.220.169]:33470 "EHLO
        mail-qk0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753778AbcKQRpR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 17 Nov 2016 12:45:17 -0500
MIME-Version: 1.0
In-Reply-To: <20161117143620.qi6ebud3xqwj6pvb@treble>
References: <20161116143746.zoxdxrfqvmx35wln@treble> <20161116144943.GB3117@twins.programming.kicks-ass.net>
 <20161116145849.GR3157@twins.programming.kicks-ass.net> <20161117044828.vedc3whqkuki624r@treble>
 <20161117090446.GC3142@twins.programming.kicks-ass.net> <20161117091341.GS3157@twins.programming.kicks-ass.net>
 <20161117093028.GT3157@twins.programming.kicks-ass.net> <CACT4Y+bg_rDLqx5o17MJSi-5dpgbNanEQNhGPcJGOkhu-xyGww@mail.gmail.com>
 <20161117140150.o6vy7bsrbjkg2nzd@treble> <alpine.DEB.2.20.1611170924260.10901@macbook-air>
 <20161117143620.qi6ebud3xqwj6pvb@treble>
From: Dmitry Vyukov <dvyukov@google.com>
Date: Thu, 17 Nov 2016 15:58:38 +0100
Message-ID: <CACT4Y+ZRCnnB0G=eF-oCqZQ1EiCgFTCdYXdbM07ZztHcqFnoLA@mail.gmail.com>
Subject: Re: perf: fuzzer KASAN unwind_get_return_address
To: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>,
        Peter Zijlstra <peterz@infradead.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Ingo Molnar <mingo@redhat.com>,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        "davej@codemonkey.org.uk" <davej@codemonkey.org.uk>,
        Stephane Eranian <eranian@gmail.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1742
Lines: 35

On Thu, Nov 17, 2016 at 3:36 PM, Josh Poimboeuf <jpoimboe@redhat.com> wrote:
> On Thu, Nov 17, 2016 at 09:25:58AM -0500, Vince Weaver wrote:
>> On Thu, 17 Nov 2016, Josh Poimboeuf wrote:
>>
>> > On Thu, Nov 17, 2016 at 10:48:27AM +0100, Dmitry Vyukov wrote:
>> > > Just in case, there is currently a known KASAN false positive related
>> > > to longjmp's on GPFs. When a syscall hits GPF stack is unwound to
>> > > kernel entry point, this leaves a bunch of stray poisoned redzones on
>> > > the thread stack. They later cause false stack-out-of-bounds reports.
>> > >
>> > > But this does not seem to be the case here. Kernel is not tainted. And
>> > > shadow at the bottom of the reports looks sane.
>> > >
>> > > But if that's the case somehow, we will need to add
>> > > kasan_unpoison_remaining_stack() call before a longjmp like we did for
>> > > jprobe_return():
>> > > https://groups.google.com/d/msg/kasan-dev/Hzox58yZ4MU/TOdFoWMuBQAJ
>> >
>> > I'm pretty sure this isn't a KASAN false positive.  The unwinder does
>> > actually seem to be accessing a bad area of the stack, in the middle of
>> > a function's stack frame.
>>
>> I'm having trouble reproducing it on a few other machines I have fuzzing.
>> So there might be some kernel option contributing, I need to compare
>> .configs.
>>
>> Also the machine that easily triggers the problem I'm compiling with
>> gcc-5.4 where the machines I can't are using gcc-4.9.
>
> I believe KASAN only works with gcc 5 and later, so that would explain
> why you aren't seeing it with gcc 4.9.

Right. 4.9 has limited support for KASAN. It supports general
instrumentation, but only with CONFIG_KASAN_OUTLINE, and it does not
support stack poisoning. Which is required to detect stack OOBs.