Re: [PATCH 2/2] skbuff: Extract list pointers to silence compiler warnings

On 3/30/22 14:46, Kees Cook wrote:
> On Wed, Mar 30, 2022 at 07:59:57AM -0700, Tadeusz Struk wrote:
>> On 3/30/22 07:46, Greg KH wrote:
>>> On Tue, Mar 29, 2022 at 03:02:56PM -0700, Tadeusz Struk wrote:
>>>> Please apply this to stable 5.10.y, and 5.15.y
>>>> ---8<---
>>>>
>>>> From: Kees Cook <keescook@xxxxxxxxxxxx>
>>>>
>>>> Upstream commit: 1a2fb220edca ("skbuff: Extract list pointers to silence compiler warnings")
>>>>
>>>> Under both -Warray-bounds and the object_size sanitizer, the compiler is
>>>> upset about accessing prev/next of sk_buff when the object it thinks it
>>>> is coming from is sk_buff_head. The warning is a false positive due to
>>>> the compiler taking a conservative approach, opting to warn at casting
>>>> time rather than access time.
>>>>
>>>> However, in support of enabling -Warray-bounds globally (which has
>>>> found many real bugs), arrange things for sk_buff so that the compiler
>>>> can unambiguously see that there is no intention to access anything
>>>> except prev/next.  Introduce and cast to a separate struct sk_buff_list,
>>>> which contains _only_ the first two fields, silencing the warnings:
>>>
>>> We don't have -Warray-bounds enabled on any stable kernel tree, so why
>>> is this needed?
>>>
>>> Where is this showing up as a problem?
>>
>> The issue shows up and hinders testing stable kernels in test automations
>> like syzkaller:
>>
>> https://syzkaller.appspot.com/text?tag=Error&x=12b3aac3700000
>>
>> Applying it to stable would enable more test coverage.
>
> Hi! I think a better solution may be to backport this change instead:
>
> 69d0db01e210 ("ubsan: remove CONFIG_UBSAN_OBJECT_SIZE")
>
> i.e. remove CONFIG_UBSAN_OBJECT_SIZE entirely, which is the cause of
> these syzkaller splats.

That works for me. I will test it and send a request or a backport soon.

--
Thanks,
Tadeusz
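
The cast pattern described in the quoted commit message, as an added example that is not part of this thread or of the kernel source. It is a userspace model: the names pkt, pkt_head and pkt_list are assumptions, and the link struct is embedded as the first member so the casts are well defined outside the kernel.

```c
#include <stddef.h>

/* Userspace model; every name here is an assumption made for this example. */
struct pkt;
/* Only the two link pointers: the type every neighbour access casts to. */
struct pkt_list { struct pkt *next, *prev; };
/* Queue head: the links, then its own bookkeeping. */
struct pkt_head { struct pkt_list list; unsigned int qlen; };
/* Element: the same links first, then data the head does not have. */
struct pkt { struct pkt_list list; int id; char data[64]; };

/* The casts below are only valid while the links sit at offset 0 in both. */
_Static_assert(offsetof(struct pkt, list) == 0, "links must be first");
_Static_assert(offsetof(struct pkt_head, list) == 0, "links must be first");

void queue_init(struct pkt_head *q)
{
    /* Circular list: an empty head points at itself, typed as an element. */
    q->list.next = q->list.prev = (struct pkt *)q;
    q->qlen = 0;
}

/* Link newp between prev and next. Either neighbour may really be the
 * smaller head, so write through struct pkt_list: the access then covers
 * only fields that exist in both objects. */
void queue_insert(struct pkt *newp, struct pkt *prev,
                  struct pkt *next, struct pkt_head *q)
{
    newp->list.next = next;
    newp->list.prev = prev;
    ((struct pkt_list *)next)->prev = newp;
    ((struct pkt_list *)prev)->next = newp;
    q->qlen++;
}

void queue_tail(struct pkt_head *q, struct pkt *p)
{
    queue_insert(p, q->list.prev, (struct pkt *)q, q);
}

/* Return the id of the n-th element (0-based), or -1 on reaching the head. */
int queue_id_at(struct pkt_head *q, unsigned int n)
{
    struct pkt *p = q->list.next;
    while (p != (struct pkt *)q && n--)
        p = ((struct pkt_list *)p)->next;
    return p == (struct pkt *)q ? -1 : p->id;
}
```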


