Re: UBSAN: Undefined behaviour in ./arch/x86/include/asm/futex.h:53:13

From: Randy Dunlap
Date: Fri Sep 15 2017 - 22:41:47 EST


On 09/06/17 10:23, Toralf Förster wrote:
> I caught the following UBSAN spew on a stable Gentoo Linux server with a hardened toolchain (.config attached):
>
> FWIW - the lines before the UBSAN might be completely unrelated - I'm unsure.
> They come from the build bot [1] I run on that machine for Gentoo.
>
> Sep 6 02:18:43 mr-fox kernel: [182842.823403] readonly.exe[3354]: segfault at 400518 ip 000000000040048f sp 00007ffc527356f0 error 7 in readonly.exe[400000+1000]
> Sep 6 02:19:07 mr-fox kernel: [182867.599599] readonly.exe[20803]: segfault at 400518 ip 000000000040048f sp 00007ffd2f10ab60 error 7 in readonly.exe[400000+1000]
> Sep 6 02:29:21 mr-fox kernel: [183481.309291] readonly.exe[5057]: segfault at 400518 ip 000000000040048f sp 00007ffccf238df0 error 7 in readonly.exe[400000+1000]
> Sep 6 05:00:43 mr-fox kernel: [192563.296629] ThreadTest[31675]: segfault at 0 ip 0000000000407967 sp 00007fbdb22d5ea0 error 4 in ThreadTest[400000+d000]
> Sep 6 05:00:44 mr-fox kernel: [192564.438163] ThreadTest[32629]: segfault at 0 ip 0000000000407967 sp 00007f3426479ea0 error 4 in ThreadTest[400000+d000]
> Sep 6 05:00:45 mr-fox kernel: [192565.289479] ThreadTest[790]: segfault at 0 ip 0000000000407967 sp 00007fafb495cea0 error 4 in ThreadTest[400000+d000]
> Sep 6 05:00:46 mr-fox kernel: [192566.645458] ThreadTest[1725]: segfault at 0 ip 0000000000407967 sp 00007f6007ffeea0 error 4 in ThreadTest[400000+d000]
> Sep 6 05:00:47 mr-fox kernel: [192567.340325] ThreadTest[2056]: segfault at 0 ip 00007f9d4eea33cc sp 00007f9d4ca4ad00 error 4 in libxerces-c-3.1.so[7f9d4ed4f000+33a000]
> Sep 6 05:00:49 mr-fox kernel: [192568.879404] ThreadTest[3237]: segfault at 0 ip 0000000000407967 sp 00007f35d9378ea0 error 4 in ThreadTest[400000+d000]
> Sep 6 05:00:49 mr-fox kernel: [192568.921071] ThreadTest[3295]: segfault at 0 ip 00007fd21fe2a3cc sp 00007fd21b9cdd00 error 4 in libxerces-c-3.1.so[7fd21fcd6000+33a000]
> Sep 6 06:00:27 mr-fox kernel: [196147.270993] TCP: request_sock_TCPv6: Possible SYN flooding on port 45651. Sending cookies. Check SNMP counters.
> Sep 6 06:53:13 mr-fox kernel: [199312.923377] tiff_read_bw[3757]: segfault at 1c50 ip 0000000000400f5d sp 00007fffa9abc950 error 4 in tiff_read_bw[400000+3000]
> Sep 6 08:02:32 mr-fox kernel: [203471.959326] lt-IlmCtlTest[21137]: segfault at 8 ip 00007f9490d0fcd0 sp 00007fff4adf6fc0 error 4 in libIlmCtlSimd.so.2.0.0[7f9490cd3000+168000]
> Sep 6 08:36:01 mr-fox kernel: [205480.927067] kworker/dying (9366) used greatest stack depth: 9384 bytes left
> Sep 6 11:24:41 mr-fox kernel: [215601.542468] ling_example[13697]: segfault at 0 ip 00007f8616e077b6 sp 00007ffdf64bda00 error 4 in libestbase.so.2.1.1[7f8616d09000+253000]
> Sep 6 11:24:41 mr-fox kernel: [215601.561549] ling_regression[13709]: segfault at 0 ip 00007faff2d267b6 sp 00007fff35129530 error 4 in libestbase.so.2.1.1[7faff2c28000+253000]
> Sep 6 11:24:44 mr-fox kernel: [215604.598147] ch_wave[15951]: segfault at 0 ip 00007f59faae77b6 sp 00007ffd8e4be770 error 4 in libestbase.so.2.1.1[7f59fa9e9000+253000]
> Sep 6 11:24:44 mr-fox kernel: [215604.621802] ch_wave[15960]: segfault at 0 ip 00007fa70eb957b6 sp 00007ffd533c8fc0 error 4 in libestbase.so.2.1.1[7fa70ea97000+253000]
> Sep 6 11:24:45 mr-fox kernel: [215604.922110] viterbi[16171]: segfault at 0 ip 00007f4503df27b6 sp 00007fffcde7d030 error 4 in libestbase.so.2.1.1[7f4503cf4000+253000]
> Sep 6 13:22:47 mr-fox kernel: [222687.240207] capability: warning: `caps' uses deprecated v2 capabilities in a way that may be insecure
> Sep 6 13:22:47 mr-fox kernel: [222687.240213] capability: warning: `caps' uses 32-bit capabilities (legacy support in use)
> Sep 6 13:22:48 mr-fox kernel: [222687.825742] execve[16964]: segfault at fffffffffffffff0 ip 00007f706beec1bb sp 00007ffc8ec20068 error 5 in libc-2.25.so[7f706bdb6000+1a8000]
> Sep 6 13:23:20 mr-fox kernel: [222720.041895] execve[26054]: segfault at fffffffffffffff0 ip 00007fcdf24011bb sp 00007ffc9a2624f8 error 5 in libc-2.25.so[7fcdf22cb000+1a8000]
> Sep 6 13:23:20 mr-fox kernel: [222720.100918] mmap: remap_file_page (26074) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
> Sep 6 13:23:22 mr-fox kernel: [222722.772032] execve[27083]: segfault at fffffffffffffff0 ip 00007f2742f041bb sp 00007fff5d8d3408 error 5 in libc-2.25.so[7f2742dce000+1a8000]
> Sep 6 13:23:30 mr-fox kernel: [222730.428190] execve[29792]: segfault at fffffffffffffff0 ip 00007fc3f8f361bb sp 00007fffc9c90238 error 5 in libc-2.25.so[7fc3f8e00000+1a8000]
> Sep 6 13:23:32 mr-fox kernel: [222732.084648] execve[30195]: segfault at fffffffffffffff0 ip 00007f763af981bb sp 00007ffe5672bb08 error 5 in libc-2.25.so[7f763ae62000+1a8000]
> Sep 6 13:23:34 mr-fox kernel: [222734.012531] execve[30632]: segfault at fffffffffffffff0 ip 00007f30fdfad1bb sp 00007ffc8b9f48e8 error 5 in libc-2.25.so[7f30fde77000+1a8000]
> Sep 6 13:23:35 mr-fox kernel: [222735.744645] execve[31002]: segfault at fffffffffffffff0 ip 00007fa955bd41bb sp 00007ffef0550678 error 5 in libc-2.25.so[7fa955a9e000+1a8000]
> Sep 6 13:23:37 mr-fox kernel: [222737.528766] execve[31766]: segfault at fffffffffffffff0 ip 00007f07ebc101bb sp 00007fff1f228298 error 5 in libc-2.25.so[7f07ebada000+1a8000]
> Sep 6 13:23:39 mr-fox kernel: [222739.225957] execve[32260]: segfault at fffffffffffffff0 ip 00007f3c176471bb sp 00007fff9f04cbe8 error 5 in libc-2.25.so[7f3c17511000+1a8000]
> Sep 6 13:23:41 mr-fox kernel: [222741.486196] execve-v[546]: segfault at fffffffffffffff0 ip 00007f2fe319d1bb sp 00007fff872d9568 error 5 in libc-2.25.so[7f2fe3067000+1a8000]
> Sep 6 13:23:41 mr-fox kernel: [222741.527207] execve[561]: segfault at fffffffffffffff0 ip 00007f6ece2de1bb sp 00007ffcdb970358 error 5 in libc-2.25.so[7f6ece1a8000+1a8000]
> Sep 6 13:23:41 mr-fox kernel: [222741.645409] ================================================================================
> Sep 6 13:23:41 mr-fox kernel: [222741.645412] UBSAN: Undefined behaviour in ./arch/x86/include/asm/futex.h:53:13
> Sep 6 13:23:41 mr-fox kernel: [222741.645413] shift exponent -849 is negative
> Sep 6 13:23:41 mr-fox kernel: [222741.645415] CPU: 3 PID: 595 Comm: futex Not tainted 4.13.0 #1

I don't know enough about futexes for this, but R09 = 00000000a0caffee.
The 'caf' part of that is 849.
When the UBSAN: Undefined behaviour happens in arch/x86/include/asm/futex.h:53:13,
in function futex_atomic_op_inuser(), it looks like 'int encoded_op' is in R09.
Bit 31 is set (FUTEX_OP_OPARG_SHIFT).
op = 2
cmp = 0
oparg = 0xfffffcaf
cmparg = 0xffffffee

Q1. How does FUTEX_OP_OPARG_SHIFT get set? Does this come from userspace as part of
the syscall? If so, does this just mean that the syscall needs more parameter
checking (internal protection)?

Q2. Should the futex_atomic_op_inuser() parameter 'encoded_op' be unsigned int
as well as the local variables (op, cmp, oparg, cmparg)?

Thanks.

> Sep 6 13:23:41 mr-fox kernel: [222741.645416] Hardware name: /DX79TO, BIOS SIX7910J.86A.0650.2014.0307.0138 03/07/2014
> Sep 6 13:23:41 mr-fox kernel: [222741.645417] Call Trace:
> Sep 6 13:23:41 mr-fox kernel: [222741.645423] dump_stack+0x60/0x9a
> Sep 6 13:23:41 mr-fox kernel: [222741.645427] ? val_is_negative+0x2b/0x50
> Sep 6 13:23:41 mr-fox kernel: [222741.645428] ubsan_epilogue+0xd/0x40
> Sep 6 13:23:41 mr-fox kernel: [222741.645430] __ubsan_handle_shift_out_of_bounds+0x10d/0x170
> Sep 6 13:23:41 mr-fox kernel: [222741.645433] ? get_futex_key+0x38a/0x6e0
> Sep 6 13:23:41 mr-fox kernel: [222741.645434] do_futex+0xd72/0x1380
> Sep 6 13:23:41 mr-fox kernel: [222741.645435] ? do_futex+0xd72/0x1380
> Sep 6 13:23:41 mr-fox kernel: [222741.645436] SyS_futex+0x7a/0x180
> Sep 6 13:23:41 mr-fox kernel: [222741.645438] ? SyS_write+0x4f/0xc0
> Sep 6 13:23:41 mr-fox kernel: [222741.645441] entry_SYSCALL_64_fastpath+0x13/0x94
> Sep 6 13:23:41 mr-fox kernel: [222741.645442] RIP: 0033:0x7f321f40e839
> Sep 6 13:23:41 mr-fox kernel: [222741.645443] RSP: 002b:00007fff2306c068 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> Sep 6 13:23:41 mr-fox kernel: [222741.645445] RAX: ffffffffffffffda RBX: 00007f321f6c6ae0 RCX: 00007f321f40e839
> Sep 6 13:23:41 mr-fox kernel: [222741.645446] RDX: badda7a0facefeed RSI: 0000000000000005 RDI: 00007f321fa95ffc
> Sep 6 13:23:41 mr-fox kernel: [222741.645446] RBP: 0000000000001011 R08: 00007f321fa8fffc R09: 00000000a0caffee
> Sep 6 13:23:41 mr-fox kernel: [222741.645447] R10: 000000000000000b R11: 0000000000000246 R12: 0000000000000000
> Sep 6 13:23:41 mr-fox kernel: [222741.645448] R13: 00007f321f6c6b38 R14: 0000000000000000 R15: 0000000000001030
> Sep 6 13:23:41 mr-fox kernel: [222741.645449] ================================================================================



--
~Randy
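Randy's decode of R09 above, worked through in code (an added example, not code from the thread or from the kernel): it splits the 32-bit futex `encoded_op` word into op, cmp, oparg and cmparg the way the x86 `futex_atomic_op_inuser()` does, sign-extending the two 12-bit arguments, and shows that 0xa0caffee yields oparg = -849 with the OPARG_SHIFT bit set, i.e. a `1 << -849`. `FUTEX_OP_OPARG_SHIFT` is the real constant from <linux/futex.h>; `struct futex_op`, `sext()` and `shift_arg_is_valid()` are this example's own names, and the latter is the kind of parameter check Q1 asks about (reject a shift count outside 0..31 before shifting).

```c
/* Standalone userspace C; nothing here is kernel code. */
#include <stdint.h>
#include <stdio.h>

#define FUTEX_OP_OPARG_SHIFT 8   /* bit 31 of encoded_op once shifted << 28 */

struct futex_op {
    int op, cmp, oparg, cmparg;
    int oparg_is_shift;          /* nonzero when oparg means "1 << oparg" */
};

/* Sign-extend the low 'bits' bits of v. The kernel gets the same effect with
 * (encoded_op << n) >> m on a signed int; done on unsigned here so the
 * example itself contains no shift of a negative value. */
static int sext(uint32_t v, int bits)
{
    uint32_t sign = 1u << (bits - 1);
    v &= (sign << 1) - 1;
    return (v & sign) ? (int)v - (int)(sign << 1) : (int)v;
}

/* Field layout of encoded_op: op 31..28 (bit 31 = OPARG_SHIFT flag),
 * cmp 27..24, oparg 23..12, cmparg 11..0. */
static struct futex_op decode_futex_op(uint32_t encoded_op)
{
    struct futex_op d;
    d.op = (encoded_op >> 28) & 7;
    d.cmp = (encoded_op >> 24) & 15;
    d.oparg = sext(encoded_op >> 12, 12);
    d.cmparg = sext(encoded_op, 12);
    d.oparg_is_shift = (encoded_op & ((uint32_t)FUTEX_OP_OPARG_SHIFT << 28)) != 0;
    return d;
}

/* Hypothetical validation: 1 << oparg is only defined for 0..31, so a
 * shift-encoded word with any other oparg must be rejected, never shifted. */
static int shift_arg_is_valid(struct futex_op d)
{
    return !d.oparg_is_shift || (d.oparg >= 0 && d.oparg <= 31);
}

int main(void)
{
    struct futex_op d = decode_futex_op(0xa0caffeeu);   /* R09 from the report */
    printf("op=%d cmp=%d oparg=%d (0x%x) cmparg=%d (0x%x) shift=%d valid=%d\n",
           d.op, d.cmp, d.oparg, (unsigned)d.oparg, d.cmparg, (unsigned)d.cmparg,
           d.oparg_is_shift, shift_arg_is_valid(d));
    return 0;
}
```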