On Fri, Nov 22, 2019 at 10:07:29AM +0100, Dmitry Vyukov wrote: > On Thu, Nov 21, 2019 at 7:15 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > > v2: > > - clarify Kconfig help text (aryabinin) > > - add reviewed-by > > - aim series at akpm, which seems to be where ubsan goes through? > > v1: https://lore.kernel.org/lkml/20191120010636.27368-1-keescook@xxxxxxxxxxxx > > > > This splits out the bounds checker so it can be individually used. This > > is expected to be enabled in Android and hopefully for syzbot. Includes > > LKDTM tests for behavioral corner-cases (beyond just the bounds checker). > > > > -Kees > > +syzkaller mailing list > > This is great! BTW, can I consider this your Acked-by for these patches? :) > I wanted to enable UBSAN on syzbot for a long time. And it's > _probably_ not lots of work. But it was stuck on somebody actually > dedicating some time specifically for it. Do you have a general mechanism to test that syzkaller will actually pick up the kernel log splat of a new check? I noticed a few things about the ubsan handlers: they don't use any of the common "warn" infrastructure (neither does kasan from what I can see), and was missing a check for panic_on_warn (kasan has this, but does it incorrectly). I think kasan and ubsan should be reworked to use the common warn infrastructure, and at the very least, ubsan needs this: diff --git a/lib/ubsan.c b/lib/ubsan.c index e7d31735950d..a2535a62c9af 100644 --- a/lib/ubsan.c +++ b/lib/ubsan.c @@ -160,6 +160,17 @@ static void ubsan_epilogue(unsigned long *flags) "========================================\n"); spin_unlock_irqrestore(&report_lock, *flags); current->in_ubsan--; + + if (panic_on_warn) { + /* + * This thread may hit another WARN() in the panic path. + * Resetting this prevents additional WARN() from panicking the + * system on this thread. Other threads are blocked by the + * panic_mutex in panic(). + */ + panic_on_warn = 0; + panic("panic_on_warn set ...\n"); + } } static void handle_overflow(struct overflow_data *data, void *lhs, > Kees, or anybody else interested, could you provide relevant configs > that (1) useful for kernel, As mentioned in the other email (but just to keep the note together with the other thoughts here) after this series, you'd want: CONFIG_UBSAN=y CONFIG_UBSAN_BOUNDS=y # CONFIG_UBSAN_MISC is not set > (2) we want 100% cleanliness, What do you mean here by "cleanliness"? It seems different from (3) about the test tripping a lot? > (3) don't > fire all the time even without fuzzing? I ran with the bounds checker enabled (and the above patch) under syzkaller for the weekend and saw 0 bounds checker reports. > Anything else required to > enable UBSAN? I don't see anything. syzbot uses gcc 8.something, which > I assume should be enough (but we can upgrade if necessary). As mentioned, gcc 8+ should be fine. -- Kees Cook
