OVERFLOW_KUNIT_TEST fails with BUG: KASAN: stack-out-of-bounds in string_nocheck+0x168/0x1c8 (kernel 6.11-rc2, PowerMac G4 DP)

[Ivan Orlov]

On 8/15/24 00:26, Ivan Orlov wrote:
> 
> As you can see, the device name is defined as a local variable, which 
> means that it doesn't exist out of the 'overflow_allocation_test' 
> function scope. This patch:
> 
> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> index f314a0c15a6d..fa7ca8c94eee 100644
> --- a/lib/overflow_kunit.c
> +++ b/lib/overflow_kunit.c
> @@ -668,7 +668,7 @@ DEFINE_TEST_ALLOC(devm_kzalloc,  devm_kfree, 1, 1, 0);
> 
>   static void overflow_allocation_test(struct kunit *test)
>   {
> -    const char device_name[] = "overflow-test";
> +    static const char device_name[] = "overflow-test";
>       struct device *dev;
>       int count = 0;
> 
> 
> Seems to fix the problem and it is not reproducable anymore.
> 
> I will send the proper patch tomorrow.
> 
> Good night!
> 

Forgot to mention that the problem is intermittently reproducible on 
QEMU x86_64, and this is the only architecture I tested the solution on.

However, it looks like the initial report points us to 
'module_remove_driver' function, which presumably calls the following 
kasprintf as a part of 'make_driver_name' function which also operates 
on driver name. If driver name points to invalid memory range (because 
it is out of scope), it is going to cause a KASAN bug kernel panic.

-- 
Kind regards,
Ivan Orlov