netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_percpu.c:LINE, null pointer p


syzbot

Sep 18, 2019, 9:42:08 AM
to syzkaller-...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 28fdd03c s/ixgbe_set_multi/ixgbe_set_rxfilter/. No functio..
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=145d0bc3600000
kernel config: https://syzkaller.appspot.com/x/.config?x=824b23e1f4b6c76b
dashboard link: https://syzkaller.appspot.com/bug?extid=48cfcefd986572d7e677

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+48cfce...@syzkaller.appspotmail.com

[ 1.0000000] panic: UBSan: Undefined Behavior in
/syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_percpu.c:113:3, null
pointer passed as argument 2, which is declared to never be null

[ 1.0000000] cpu0: Begin traceback...
[ 1.0000000] vpanic() at netbsd:vpanic+0x258 sys/kern/subr_prf.c:336
[ 1.0000000] isAlreadyReported() at netbsd:isAlreadyReported
[ 1.0000000] HandleNonnullArg() at netbsd:HandleNonnullArg+0x13a
sys/../common/lib/libc/misc/ubsan.c:647
[ 1.0000000] percpu_cpu_swap() at netbsd:percpu_cpu_swap+0x263
sys/kern/subr_percpu.c:113
[ 1.0000000] percpu_backend_alloc() at netbsd:percpu_backend_alloc+0xb7
percpu_cpu_enlarge sys/kern/subr_percpu.c:152 [inline]
[ 1.0000000] percpu_backend_alloc() at netbsd:percpu_backend_alloc+0xb7
sys/kern/subr_percpu.c:182
[ 1.0000000] vmem_xalloc() at netbsd:vmem_xalloc+0xb0f vmem_import
sys/kern/subr_vmem.c:772 [inline]
[ 1.0000000] vmem_xalloc() at netbsd:vmem_xalloc+0xb0f
sys/kern/subr_vmem.c:1198
[ 1.0000000] vmem_alloc() at netbsd:vmem_alloc+0x240
sys/kern/subr_vmem.c:1065
[ 1.0000000] percpu_alloc() at netbsd:percpu_alloc+0x30
sys/kern/subr_percpu.c:262
[ 1.0000000] pserialize_init() at netbsd:pserialize_init+0x93
sys/kern/subr_pserialize.c:99
[ 1.0000000] main() at netbsd:main+0x135 sys/kern/init_main.c:331
[ 1.0000000] cpu0: End traceback...
[ 1.0000000] fatal breakpoint trap in supervisor mode
[ 1.0000000] trap type 1 code 0 rip 0xffffffff8021ddad cs 0x8 rflags
0x202 cr2 0 ilevel 0x8 rsp 0xffffffff85e162e0
[ 1.0000000] curlwp 0xffffffff84c01a20 pid 0.1 lowest kstack
0xffffffff85e122c0
Stopped in pid 0.1 (system) at netbsd:breakpoint+0x5: leave
db{0}>


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Dmitry Vyukov

Sep 18, 2019, 9:46:35 AM
to syzbot, Kamil Rytarowski, Siddharth Muralee, Maxime Villard, syzkaller-netbsd-bugs
On Wed, Sep 18, 2019 at 3:42 PM syzbot
<syzbot+48cfce...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 28fdd03c s/ixgbe_set_multi/ixgbe_set_rxfilter/. No functio..
> git tree: netbsd
> console output: https://syzkaller.appspot.com/x/log.txt?x=145d0bc3600000
> kernel config: https://syzkaller.appspot.com/x/.config?x=824b23e1f4b6c76b
> dashboard link: https://syzkaller.appspot.com/bug?extid=48cfcefd986572d7e677
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+48cfce...@syzkaller.appspotmail.com
>
> [ 1.0000000] panic: UBSan: Undefined Behavior in
> /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_percpu.c:113:3, null
> pointer passed as argument 2, which is declared to never be null

So KUBSAN is working as intended... for some definition of "intended" :)

Kamil Rytarowski

Sep 18, 2019, 9:51:42 AM
to Dmitry Vyukov, syzbot, Siddharth Muralee, Maxime Villard, syzkaller-netbsd-bugs
On 18.09.2019 15:46, 'Dmitry Vyukov' via syzkaller-netbsd-bugs wrote:
> On Wed, Sep 18, 2019 at 3:42 PM syzbot
> <syzbot+48cfce...@syzkaller.appspotmail.com> wrote:
>>
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 28fdd03c s/ixgbe_set_multi/ixgbe_set_rxfilter/. No functio..
>> git tree: netbsd
>> console output: https://syzkaller.appspot.com/x/log.txt?x=145d0bc3600000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=824b23e1f4b6c76b
>> dashboard link: https://syzkaller.appspot.com/bug?extid=48cfcefd986572d7e677
>>
>> Unfortunately, I don't have any reproducer for this crash yet.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+48cfce...@syzkaller.appspotmail.com
>>
>> [ 1.0000000] panic: UBSan: Undefined Behavior in
>> /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_percpu.c:113:3, null
>> pointer passed as argument 2, which is declared to never be null
>
> So KUBSAN is working as intended... for some definition of "intended" :)
>

Thanks, I will fix it soon!

I was evaluating how to address this report and I don't have a better
idea than disabling UBSan for percpu_cpu_swap(). Have you got another
suggestion?

Dmitry Vyukov

Sep 18, 2019, 10:11:56 AM
to Kamil Rytarowski, syzbot, Siddharth Muralee, Maxime Villard, syzkaller-netbsd-bugs
On Wed, Sep 18, 2019 at 3:51 PM Kamil Rytarowski <n...@gmx.com> wrote:
>
> On 18.09.2019 15:46, 'Dmitry Vyukov' via syzkaller-netbsd-bugs wrote:
> > On Wed, Sep 18, 2019 at 3:42 PM syzbot
> > <syzbot+48cfce...@syzkaller.appspotmail.com> wrote:
> >>
> >> Hello,
> >>
> >> syzbot found the following crash on:
> >>
> >> HEAD commit: 28fdd03c s/ixgbe_set_multi/ixgbe_set_rxfilter/. No functio..
> >> git tree: netbsd
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=145d0bc3600000
> >> kernel config: https://syzkaller.appspot.com/x/.config?x=824b23e1f4b6c76b
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=48cfcefd986572d7e677
> >>
> >> Unfortunately, I don't have any reproducer for this crash yet.
> >>
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+48cfce...@syzkaller.appspotmail.com
> >>
> >> [ 1.0000000] panic: UBSan: Undefined Behavior in
> >> /syzkaller/managers/netbsd-kubsan/kernel/sys/kern/subr_percpu.c:113:3, null
> >> pointer passed as argument 2, which is declared to never be null
> >
> > So KUBSAN is working as intended... for some definition of "intended" :)
> >
>
> Thanks, I will fix it soon!
>
> I was evaluating how to address this report and I don't have a better
> idea than disabling UBSan for percpu_cpu_swap(). Have you got another
> suggestion?

Is pcc->pcc_size == 0 in this case?

One alternative would be:

if (pcc->pcc_size)
        memcpy(....);

Dmitry Vyukov

Sep 18, 2019, 10:14:51 AM
to Kamil Rytarowski, syzbot, Siddharth Muralee, Maxime Villard, syzkaller-netbsd-bugs
One interesting implication of assuming that memcpy with 0 size and
NULL pointer is fine is that compiler may assume that pointer is not
NULL. So if it later sees:

if (pcc->pcc_data)
        do something with pcc->pcc_data;

it can drop the if check.

Kamil Rytarowski

Sep 18, 2019, 10:24:11 AM
to Dmitry Vyukov, syzbot, Siddharth Muralee, Maxime Villard, syzkaller-netbsd-bugs
The problem is that pcc->pcc_data is 0x0. At this address there is the
interrupt descriptor table. Size is != 0.

Dmitry Vyukov

Sep 18, 2019, 10:30:00 AM
to Kamil Rytarowski, syzbot, Siddharth Muralee, Maxime Villard, syzkaller-netbsd-bugs
Oh, I see. The old friend, real mode interrupt table!
Yes, I guess disable instrumentation with a comment. Maybe somebody
will figure out a better solution later. But it's probably more
important to get us going here with KUBSAN in general now.

Dmitry Vyukov

Sep 18, 2019, 10:36:19 AM
to Kamil Rytarowski, syzbot, Siddharth Muralee, Maxime Villard, syzkaller-netbsd-bugs
But the compiler problem still applies, though.

Try:

#include <string.h>

void foobar(void *p, void *y, int size)
{
        memcpy(p, y, size);
        if (y)
                *(int *)y = 1;
}

gcc /tmp/test.c -c -O2

0000000000000000 <foobar>:
0: 53 push %rbx
1: 48 63 d2 movslq %edx,%rdx
4: 48 89 f3 mov %rsi,%rbx
7: e8 00 00 00 00 callq c <foobar+0xc>
c: c7 03 01 00 00 00 movl $0x1,(%rbx)
12: 5b pop %rbx
13: c3 retq


I guess it's not a problem with the current code, but may strike in the future...
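Added example, not NetBSD code and not from anyone in the thread: the per-CPU enlarge pattern in the shape UBSan objected to at subr_percpu.c:113, beside the guarded variant Dmitry suggests above, with the copy done through a byte loop that carries no nonnull attribute so the compiler cannot use the call to assume pcc_data is non-NULL later (the miscompile Dmitry's foobar() disassembly shows). The field names pcc_size and pcc_data come from the thread; the struct layout, the enlarge_*/demo_* functions and the buffers are assumptions. Note that in the kernel case Kamil describes, where address 0 is a valid mapping, a NULL guard would refuse a legitimate copy, which is why the thread ends with __noubsan instead; this block shows the alternative where NULL really does mean "no data".

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the per-CPU descriptor; field names follow the thread,
 * the layout is an assumption made for this example. */
struct percpu_cpu {
    size_t pcc_size;    /* bytes currently in use */
    void *pcc_data;     /* backing storage, NULL before the first enlarge */
};

/*
 * Plain byte copy with no nonnull attribute. memcpy()'s pointer
 * parameters are declared nonnull in libc headers, which is both what
 * UBSan's nonnull-attribute check keys on and what lets an optimising
 * compiler delete a later "if (p)" test on the same pointer. This loop
 * only dereferences its pointers when n > 0, so nothing can be inferred.
 */
static void
bytecopy(void *dst, const void *src, size_t n)
{
    unsigned char *d = dst;
    const unsigned char *s = src;

    while (n-- > 0)
        *d++ = *s++;
}

/*
 * The shape UBSan objected to: grow a per-CPU area by copying the old
 * contents into a bigger one and swapping the descriptors. When
 * pcc->pcc_data is NULL this hands NULL to memcpy() regardless of size.
 * Kept as the "before" form; only called with valid pointers below.
 */
static void
enlarge_unguarded(struct percpu_cpu *pcc, struct percpu_cpu *newpcc)
{
    struct percpu_cpu tmp;

    memcpy(newpcc->pcc_data, pcc->pcc_data, pcc->pcc_size);
    tmp = *pcc;
    *pcc = *newpcc;
    *newpcc = tmp;
}

/*
 * Guarded form along the lines of Dmitry's "if (pcc->pcc_size)": never
 * call memcpy() with a NULL pointer, reject a NULL source that claims a
 * non-zero size, and route the copy through bytecopy(). Returns 0 on
 * success, -1 if either descriptor is unusable.
 */
static int
enlarge_guarded(struct percpu_cpu *pcc, struct percpu_cpu *newpcc)
{
    struct percpu_cpu tmp;

    if (newpcc->pcc_data == NULL || newpcc->pcc_size < pcc->pcc_size)
        return -1;
    if (pcc->pcc_size != 0) {
        if (pcc->pcc_data == NULL)
            return -1;  /* NULL with bytes to copy is a real bug */
        bytecopy(newpcc->pcc_data, pcc->pcc_data, pcc->pcc_size);
    }
    tmp = *pcc;
    *pcc = *newpcc;
    *newpcc = tmp;
    return 0;
}

/* Hypothetical harness: grow a 4-byte area to 8 bytes with the
 * unguarded form; returns 1 + 4 = 5 if the contents were carried over. */
static int
demo_unguarded(void)
{
    unsigned char old[4] = { 1, 2, 3, 4 };
    unsigned char big[8] = { 0 };
    struct percpu_cpu pcc = { sizeof(old), old };
    struct percpu_cpu newpcc = { sizeof(big), big };

    enlarge_unguarded(&pcc, &newpcc);
    return big[0] + big[3];
}

/* Same growth with the guarded form, also checking the descriptor swap. */
static int
demo_enlarge(void)
{
    unsigned char old[4] = { 1, 2, 3, 4 };
    unsigned char big[8] = { 0 };
    struct percpu_cpu pcc = { sizeof(old), old };
    struct percpu_cpu newpcc = { sizeof(big), big };

    if (enlarge_guarded(&pcc, &newpcc) != 0)
        return -1;
    if (pcc.pcc_data != big || pcc.pcc_size != sizeof(big))
        return -2;  /* pcc must now describe the 8-byte area */
    if (newpcc.pcc_data != old || newpcc.pcc_size != sizeof(old))
        return -3;  /* newpcc must hold the old 4-byte area */
    return big[0] + big[3];
}

/* Zero-size descriptor with NULL data: succeeds without any copy call. */
static int
demo_enlarge_empty(void)
{
    unsigned char big[8] = { 0 };
    struct percpu_cpu pcc = { 0, NULL };
    struct percpu_cpu newpcc = { sizeof(big), big };

    return enlarge_guarded(&pcc, &newpcc);
}

/* NULL data but a non-zero size: the guard has to reject it. */
static int
demo_enlarge_null_with_size(void)
{
    unsigned char big[8] = { 0 };
    struct percpu_cpu pcc = { 4, NULL };
    struct percpu_cpu newpcc = { sizeof(big), big };

    return enlarge_guarded(&pcc, &newpcc);
}
```

Building this with -fsanitize=undefined and calling enlarge_unguarded() on a descriptor whose pcc_data is NULL reproduces the "null pointer passed as argument 2, which is declared to never be null" report; the guarded form never reaches memcpy() with a NULL pointer, so the sanitizer has nothing to say and the compiler has no nonnull fact to exploit.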

Kamil Rytarowski

Sep 18, 2019, 11:37:46 AM
to Dmitry Vyukov, syzbot, Siddharth Muralee, Maxime Villard, syzkaller-netbsd-bugs
I have landed the patch. I don't have a reproducer in my setup for it,
but it should be addressed.

A few __ubsan_handle_nonnull_arg() calls were generated in
percpu_cpu_swap(), and now they are gone.

I presume that there might be other similar reports before getting the
executor to work. This now depends heavily on setup/hardware.

Dmitry Vyukov

Sep 18, 2019, 2:22:44 PM
to Kamil Rytarowski, syzbot, Siddharth Muralee, Maxime Villard, syzkaller-netbsd-bugs
This one seems to be fixed:

#syz fix: Decorate percpu_cpu_swap() with __noubsan

There is another one now. syzbot will report it soon.

Kamil Rytarowski

Sep 18, 2019, 3:11:59 PM
to Dmitry Vyukov, syzbot, Siddharth Muralee, Maxime Villard, syzkaller-netbsd-bugs
On 18.09.2019 20:22, 'Dmitry Vyukov' via syzkaller-netbsd-bugs wrote:

> This one seems to be fixed:
>
> #syz fix: Decorate percpu_cpu_swap() with __noubsan
>
> There is another one now. syzbot will report it soon.

It looks like a static assert was changed into a runtime assert.

[ 1.0000000] panic: UBSan: Undefined Behavior in
/syzkaller/managers/netbsd-kubsan/kernel/sys/crypto/nist_hash_drbg/nist_hash_drbg.c:1090:4,
variable length array bound value -1 <= 0

It is probably a recent regression, as this code was changed 2-3 weeks
ago. I have informed the committer about it.
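Added example, not NetBSD code and not the line from nist_hash_drbg.c (which is not on this page): the mechanism Kamil describes, where an array-bound "compile-time" assertion quietly becomes a variable length array once its condition is no longer a constant expression, so a false condition produces the bound -1 that KUBSAN reports as "variable length array bound value -1 <= 0". The ARRAY_ASSERT macro, the SEEDLEN_BYTES/BLOCK_BYTES constants and the check_* functions are assumptions for this example.

```c
#include <stddef.h>

/*
 * Array-bound assertion of the kind older C code uses in place of
 * _Static_assert. If COND is an integer constant expression, a false
 * COND gives a negative array size and the translation unit fails to
 * compile. If COND is NOT constant, the same text declares a VLA whose
 * bound is computed on every call; a false COND then yields bound -1,
 * which is undefined behaviour that UBSan's vla-bound check panics on.
 */
#define ARRAY_ASSERT(cond) \
    do { char assert_dummy[(cond) ? 1 : -1]; (void)assert_dummy; } while (0)

/* Constants standing in for DRBG parameters; values are assumptions. */
#define SEEDLEN_BYTES   55
#define BLOCK_BYTES     32

/*
 * Both checks here are on constants, so neither reaches the binary:
 * ARRAY_ASSERT is a plain char[1] and _Static_assert is the C11 form
 * that states the intent explicitly.
 */
static int
check_constant_layout(void)
{
    ARRAY_ASSERT(SEEDLEN_BYTES > BLOCK_BYTES);
    _Static_assert(SEEDLEN_BYTES > BLOCK_BYTES, "seed must exceed one block");
    return 1;
}

/*
 * The regression shape: the same macro applied to a function argument.
 * `len` is not a constant, so this is a VLA evaluated at run time; the
 * compiler no longer rejects anything, and a failing call is undefined
 * behaviour instead of a build error. Not called with a failing value
 * below, since that would be the UB itself.
 */
static int
check_runtime_vla(size_t len)
{
    ARRAY_ASSERT(len > BLOCK_BYTES);
    return 1;
}

/*
 * Corrected form: keep _Static_assert for what is known at compile time
 * and an ordinary branch, returning an error, for what is only known at
 * run time. Returns 0 if len is acceptable, -1 otherwise.
 */
static int
check_runtime_fixed(size_t len)
{
    _Static_assert(SEEDLEN_BYTES > BLOCK_BYTES, "seed must exceed one block");
    if (len <= BLOCK_BYTES)
        return -1;
    return 0;
}
```

A quick way to catch this class of regression without a sanitizer run is to compile with -Wvla: every ARRAY_ASSERT whose condition stopped being constant shows up as a VLA warning at the exact line, which is what the KUBSAN report points at after the fact.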
