OVERFLOW_KUNIT_TEST fails with BUG: KASAN: stack-out-of-bounds in string_nocheck+0x168/0x1c8 (kernel 6.11-rc2, PowerMac G4 DP)
Michael Ellerman
mpe at ellerman.id.au
Fri Aug 16 22:00:09 AEST 2024
Ivan Orlov <ivan.orlov0322 at gmail.com> writes:
> On 8/15/24 00:26, Ivan Orlov wrote:
>>
>> As you can see, the device name is defined as a local variable, which
>> means that it doesn't exist out of the 'overflow_allocation_test'
>> function scope. This patch:
>>
>> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
>> index f314a0c15a6d..fa7ca8c94eee 100644
>> --- a/lib/overflow_kunit.c
>> +++ b/lib/overflow_kunit.c
>> @@ -668,7 +668,7 @@ DEFINE_TEST_ALLOC(devm_kzalloc, devm_kfree, 1, 1, 0);
>>
>> static void overflow_allocation_test(struct kunit *test)
>> {
>> - const char device_name[] = "overflow-test";
>> + static const char device_name[] = "overflow-test";
>> struct device *dev;
>> int count = 0;
>>
>>
>> Seems to fix the problem and it is not reproducable anymore.
>>
>> I will send the proper patch tomorrow.
>>
>> Good night!
>>
>
> Forgot to mention that the problem is intermittently reproducible on
> QEMU x86_64, and this is the only architecture I tested the solution on.
>
> However, it looks like the initial report points us to
> 'module_remove_driver' function, which presumably calls the following
> kasprintf as a part of 'make_driver_name' function which also operates
> on driver name. If driver name points to invalid memory range (because
> it is out of scope), it is going to cause a KASAN bug kernel panic.
Nice catch.
I notice there's at least one other case that looks similar in
lib/fortify_kunit.c
cheers
More information about the Linuxppc-dev
mailing list