public inbox for systemtap@sourceware.org
* [Bug runtime/31699] New: UBSAN errors for systemtap map functions with Fedora Rawhide and Fedora 39 6.8.8 kernels
From: wcohen at redhat dot com @ 2024-05-03 23:39 UTC (permalink / raw)
  To: systemtap

https://sourceware.org/bugzilla/show_bug.cgi?id=31699

            Bug ID: 31699
           Summary: UBSAN errors for systemtap map functions with Fedora
                    Rawhide and Fedora 39 6.8.8 kernels
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: runtime
          Assignee: systemtap at sourceware dot org
          Reporter: wcohen at redhat dot com
  Target Milestone: ---

The new Fedora 6.8.8 kernels enable UBSAN* options:

$ grep UBSAN /boot/config-6.8.8-200.fc39.x86_64 
CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
CONFIG_UBSAN=y
# CONFIG_UBSAN_TRAP is not set
CONFIG_CC_HAS_UBSAN_BOUNDS_STRICT=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_BOUNDS_STRICT=y
CONFIG_UBSAN_SHIFT=y
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_TEST_UBSAN is not set

When running the systemtap tests that use map functions in the runtime with
kernel-6.8.8-200.fc39.x86_64, like the following:

   sudo make installcheck RUNTESTFLAGS="systemtap.maps/*.exp"

you will see UBSAN messages in the dmesg output like the following:

[  682.493441] ------------[ cut here ]------------
[  682.493444] UBSAN: array-index-out-of-bounds in
/home/wcohen/systemtap_write/install/share/systemtap/runtime/linux/map_runtime.h:111:3
[  682.493445] index 0 is out of range for type 'hlist_head [*]'
[  682.493447] CPU: 1 PID: 20290 Comm: stapio Tainted: G           OE     
6.8.8-200.fc39.x86_64 #1
[  682.493449] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.3-1.fc39 04/01/2014
[  682.493449] Call Trace:
[  682.493451]  <TASK>
[  682.493453]  dump_stack_lvl+0x64/0x80
[  682.493459]  __ubsan_handle_out_of_bounds+0x95/0xd0
[  682.493463]  _stp_map_new_ii.constprop.0+0x171/0x280
[stap_879665d1a5a686ace4d39253fe17891_20290]
[  682.493472]  _stp_ctl_write_cmd+0xc20/0xf90
[stap_879665d1a5a686ace4d39253fe17891_20290]
[  682.493478]  proc_reg_write+0x5a/0xa0
[  682.493480]  vfs_write+0xed/0x470
[  682.493482]  ? __handle_mm_fault+0xba3/0xe50
[  682.493484]  ? mutex_lock+0x12/0x30
[  682.493486]  ksys_write+0x6f/0xf0
[  682.493488]  do_syscall_64+0x83/0x170
[  682.493490]  ? count_memcg_events.constprop.0+0x1a/0x30
[  682.493491]  ? handle_mm_fault+0xa2/0x360
[  682.493493]  ? do_user_addr_fault+0x304/0x690
[  682.493495]  ? clear_bhb_loop+0x55/0xb0
[  682.493497]  ? clear_bhb_loop+0x55/0xb0
[  682.493498]  ? clear_bhb_loop+0x55/0xb0
[  682.493500]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[  682.493501] RIP: 0033:0x7f0a3c7a8f1d
[  682.493509] Code: e5 48 83 ec 20 48 89 55 e8 48 89 75 f0 89 7d f8 e8 08 1b
f8 ff 48 8b 55 e8 48 8b 75 f0 41 89 c0 8b 7d f8 b8 01 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 33 44 89 c7 48 89 45 f8 e8 5f 1b f8 ff 48 8b
[  682.493511] RSP: 002b:00007ffe6999e8b0 EFLAGS: 00000293 ORIG_RAX:
0000000000000001
[  682.493512] RAX: ffffffffffffffda RBX: 0000000000000008 RCX:
00007f0a3c7a8f1d
[  682.493514] RDX: 000000000000000c RSI: 00007ffe6999e8e0 RDI:
0000000000000004
[  682.493515] RBP: 00007ffe6999e8d0 R08: 0000000000000000 R09:
00007ffe6999daa7
[  682.493516] R10: 0000000000000008 R11: 0000000000000293 R12:
00007ffe6999ed60
[  682.493516] R13: 0000000000000000 R14: 0000000000000001 R15:
00007ffe6999ede4
[  682.493518]  </TASK>
[  682.493518] ---[ end trace ]---
[  682.493547] stap_879665d1a5a686ace4d39253fe17891_20290 (foreach_limit.stp):
systemtap: 5.1/0.191, base: ffffffffc0b3c000, memory:
32data/52text/21ctx/32870net/225alloc kb, probes: 2
[  682.493551] ------------[ cut here ]------------
[  682.493551] UBSAN: array-index-out-of-bounds in
/home/wcohen/systemtap_write/install/share/systemtap/runtime/map-gen.c:818:21
[  682.493552] index 217 is out of range for type 'hlist_head [*]'
[  682.493553] CPU: 1 PID: 20290 Comm: stapio Tainted: G           OE     
6.8.8-200.fc39.x86_64 #1
[  682.493554] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.3-1.fc39 04/01/2014
[  682.493555] Call Trace:
[  682.493556]  <TASK>
[  682.493556]  dump_stack_lvl+0x64/0x80
[  682.493558]  __ubsan_handle_out_of_bounds+0x95/0xd0
[  682.493561]  _stp_map_set_ii+0x1b9/0x1c0
[stap_879665d1a5a686ace4d39253fe17891_20290]
[  682.493567]  probe_6382+0x8e/0x25f0
[stap_879665d1a5a686ace4d39253fe17891_20290]
[  682.493573]  ? _printk+0x64/0x80
[  682.493575]  enter_be_probe.constprop.0+0x107/0x210
[stap_879665d1a5a686ace4d39253fe17891_20290]
[  682.493580]  _stp_ctl_write_cmd+0xd3c/0xf90
[stap_879665d1a5a686ace4d39253fe17891_20290]
[  682.493586]  proc_reg_write+0x5a/0xa0
[  682.493588]  vfs_write+0xed/0x470
[  682.493589]  ? __handle_mm_fault+0xba3/0xe50
[  682.493591]  ? mutex_lock+0x12/0x30
[  682.493592]  ksys_write+0x6f/0xf0
[  682.493594]  do_syscall_64+0x83/0x170
[  682.493595]  ? count_memcg_events.constprop.0+0x1a/0x30
[  682.493597]  ? handle_mm_fault+0xa2/0x360
[  682.493598]  ? do_user_addr_fault+0x304/0x690
[  682.493600]  ? clear_bhb_loop+0x55/0xb0
[  682.493601]  ? clear_bhb_loop+0x55/0xb0
[  682.493603]  ? clear_bhb_loop+0x55/0xb0
[  682.493604]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[  682.493605] RIP: 0033:0x7f0a3c7a8f1d
[  682.493607] Code: e5 48 83 ec 20 48 89 55 e8 48 89 75 f0 89 7d f8 e8 08 1b
f8 ff 48 8b 55 e8 48 8b 75 f0 41 89 c0 8b 7d f8 b8 01 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 33 44 89 c7 48 89 45 f8 e8 5f 1b f8 ff 48 8b
[  682.493608] RSP: 002b:00007ffe6999e8b0 EFLAGS: 00000293 ORIG_RAX:
0000000000000001
[  682.493610] RAX: ffffffffffffffda RBX: 0000000000000008 RCX:
00007f0a3c7a8f1d
[  682.493610] RDX: 000000000000000c RSI: 00007ffe6999e8e0 RDI:
0000000000000004
[  682.493611] RBP: 00007ffe6999e8d0 R08: 0000000000000000 R09:
00007ffe6999daa7
[  682.493612] R10: 0000000000000008 R11: 0000000000000293 R12:
00007ffe6999ed60
[  682.493613] R13: 0000000000000000 R14: 0000000000000001 R15:
00007ffe6999ede4
[  682.493614]  </TASK>
[  682.493614] ---[ end trace ]---

-- 
You are receiving this mail because:
You are the assignee for the bug.


* [Bug runtime/31699] UBSAN errors for systemtap map functions with Fedora Rawhide and Fedora 39 6.8.8 kernels
From: wcohen at redhat dot com @ 2024-05-03 23:59 UTC (permalink / raw)
  To: systemtap

https://sourceware.org/bugzilla/show_bug.cgi?id=31699

--- Comment #1 from William Cohen <wcohen at redhat dot com> ---
Variable-sized structs are handled in the kernel by using a
__counted_by() attribute to indicate which member describes the variable-sized
array at the end of the struct:

https://elixir.bootlin.com/linux/v6.9-rc6/source/include/linux/compiler_attributes.h#L105

#if __has_attribute(__counted_by__)
# define __counted_by(member)           __attribute__((__counted_by__(member)))
#else
# define __counted_by(member)
#endif

An example use:
https://elixir.bootlin.com/linux/v6.9-rc6/source/arch/x86/events/rapl.c#L118

struct rapl_pmus {
        struct pmu              pmu;
        unsigned int            maxdie;
        struct rapl_pmu         *pmus[] __counted_by(maxdie);
};

For systemtap it looks like we will need to do the same for MAP (struct map_root).


* [Bug runtime/31699] UBSAN errors for systemtap map functions with Fedora Rawhide and Fedora 39 6.8.8 kernels
From: wcohen at redhat dot com @ 2024-05-04  2:47 UTC (permalink / raw)
  To: systemtap

https://sourceware.org/bugzilla/show_bug.cgi?id=31699

--- Comment #2 from William Cohen <wcohen at redhat dot com> ---
Created attachment 15490
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15490&action=edit
Proposed patch to address UBSAN messages

This patch addresses the issue for the kernel.  It dummies out the
__counted_by__ attribute if it isn't defined, for the code built for the dyninst backend.


* [Bug runtime/31699] UBSAN errors for systemtap map functions with Fedora Rawhide and Fedora 39 6.8.8 kernels
From: wcohen at redhat dot com @ 2024-05-06 14:11 UTC (permalink / raw)
  To: systemtap

https://sourceware.org/bugzilla/show_bug.cgi?id=31699

William Cohen <wcohen at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|systemtap at sourceware dot org    |wcohen at redhat dot com
             Status|NEW                         |ASSIGNED

--- Comment #3 from William Cohen <wcohen at redhat dot com> ---
Created attachment 15495
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15495&action=edit
Another UBSAN fix in runtime/linux/addr-map.c

Reviewed the systemtap runtime and found another struct that UBSAN checks might
flag in runtime/linux/addr-map.c:

struct addr_map
{
  size_t size;
  struct addr_map_entry entries[0];
};

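The following is an added, self-contained example (not code from the systemtap runtime or from the attachments in this thread) that shows the pattern described in Comment #1 applied to a struct shaped like the addr_map struct quoted in Comment #3: the GNU zero-length array `entries[0]` becomes a C99 flexible array member annotated with `__counted_by`, the kernel fallback macro keeps it building on compilers without the attribute, and the allocation and accessors never index past the counted member. All names (`demo_addr_map`, `demo_entry`, `demo_map_*`) and the sample addresses are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Fallback modelled on the kernel's compiler_attributes.h macro quoted in
 * Comment #1: compilers that know __counted_by__ (assumed: GCC 15+, clang 18+)
 * get the annotation, older ones see an empty macro. */
#ifndef __has_attribute
# define __has_attribute(x) 0
#endif
#if __has_attribute(__counted_by__)
# define __counted_by(member) __attribute__((__counted_by__(member)))
#else
# define __counted_by(member)
#endif

/* Constructed stand-in for struct addr_map_entry. */
struct demo_entry {
    uintptr_t addr;
    size_t len;
};

/* Constructed stand-in for struct addr_map.  'entries[0]' is replaced by a
 * flexible array member whose length the compiler can tie to 'size'; under
 * -fstrict-flex-arrays=3 (what CONFIG_UBSAN_BOUNDS_STRICT builds with) a
 * zero-length array is a fixed array of length 0, so any index is reported. */
struct demo_addr_map {
    size_t size;                                   /* number of valid entries */
    struct demo_entry entries[] __counted_by(size);
};

/* Allocate a map with room for n entries.  The trailing array is not part of
 * sizeof(struct demo_addr_map), so its bytes are added explicitly, with an
 * overflow check on the multiplication. */
struct demo_addr_map *demo_map_new(size_t n)
{
    if (n > SIZE_MAX / sizeof(struct demo_entry))
        return NULL;
    size_t bytes = sizeof(struct demo_addr_map) + n * sizeof(struct demo_entry);
    struct demo_addr_map *m = calloc(1, bytes);
    if (!m)
        return NULL;
    m->size = n;   /* the count is set before any entries[] access */
    return m;
}

/* Store an entry at slot i; returns 0 on success, -1 if i is beyond the count. */
int demo_map_set(struct demo_addr_map *m, size_t i, uintptr_t addr, size_t len)
{
    if (i >= m->size)
        return -1;
    m->entries[i].addr = addr;
    m->entries[i].len = len;
    return 0;
}

/* Linear lookup: index of the entry whose [addr, addr+len) range contains
 * addr, or -1 when no entry matches. */
long demo_map_find(const struct demo_addr_map *m, uintptr_t addr)
{
    for (size_t i = 0; i < m->size; i++) {
        if (addr >= m->entries[i].addr &&
            addr < m->entries[i].addr + m->entries[i].len)
            return (long)i;
    }
    return -1;
}

/* Self-check over constructed data; returns the number of checks that passed
 * (4 when everything behaves as intended). */
int demo_selfcheck(void)
{
    int ok = 0;
    struct demo_addr_map *m = demo_map_new(3);
    if (!m)
        return 0;
    ok += demo_map_set(m, 0, 0x1000, 0x100) == 0;
    ok += demo_map_set(m, 2, 0x5000, 0x10) == 0;
    ok += demo_map_set(m, 3, 0x9000, 0x10) == -1;       /* rejected, not UB */
    ok += demo_map_find(m, 0x1080) == 0 &&
          demo_map_find(m, 0x5008) == 2 &&
          demo_map_find(m, 0x9000) == -1;                /* slot 1 is empty */
    free(m);
    return ok;
}
```

Building this file with `-fsanitize=bounds -fstrict-flex-arrays=3` (GCC 13+ or clang 16+) mirrors the kernel configuration from the bug report; with `entries[]` the sanitizer stays silent, whereas changing the member back to `entries[0]` makes every access an out-of-bounds report of the kind shown in the dmesg traces above.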
