Closed Bernhard40 closed 6 years ago
FWIW, you probably only want to enable CONFIG_FORTIFY_SOURCE=y without that for production use right now rather than for finding bugs.
Yes, I know that. My goal was exactly to find some bugs and I was successful. :smile: I don't know however what to do next with that. Is that useful for you?
Can you try with CONFIG_DEBUG_INFO=y so there are line numbers?
I tried with CONFIG_DEBUG_INFO=y and CONFIG_CFG80211_DEBUGFS=y but the results were similar:
kernel: detected buffer overflow in strlen
kernel: ------------[ cut here ]------------
kernel: kernel BUG at lib/string.c:1052!
kernel: invalid opcode: 0000 [#1] SMP PTI
kernel: Modules linked in: ccm arc4 iwlmvm mac80211 snd_soc_skl snd_soc_core iwlwifi intel_rapl x86_pkg_temp_thermal intel_powerclamp kvm_intel snd_soc_skl_ipc kvm snd_soc_sst_ipc hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_rotation snd_soc_sst_dsp hid_sensor_als cdc_mbim qcserial hid_sensor_gyro_3d hid_sensor_trigger cdc_wdm snd_hda_ext_core usb_wwan hid_sensor_iio_common cdc_ncm industrialio_triggered_buffer joydev kfifo_buf usbserial snd_hda_codec_hdmi industrialio cfg80211 usbnet snd_soc_acpi wacom snd_hda_codec_conexant snd_hda_codec_generic xt_mark mii xt_owner mousedev snd_hda_intel ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common hid_sensor_hub xt_LOG snd_hda_codec xt_tcpudp mei_wdt intel_ishtp_hid xt_conntrack snd_hwdep snd_hda_core iptable_mangle snd_pcm iptable_nat nf_conntrack_ipv4
kernel: nf_defrag_ipv4 wmi_bmof intel_wmi_thunderbolt nf_nat_ipv4 nf_nat irqbypass nf_conntrack psmouse intel_cstate intel_uncore snd_timer libcrc32c crc32c_generic iptable_filter mei_me nls_iso8859_1 mei nls_cp437 intel_rapl_perf vfat tpm_crb fat tpm_tis intel_ish_ipc rtsx_pci_ms tpm_tis_core thinkpad_acpi memstick nvram snd input_leds tpm ucsi_acpi intel_ishtp shpchp typec_ucsi i2c_i801 intel_pch_thermal typec soundcore led_class wmi rfkill rtc_cmos i2c_hid evdev battery ac mac_hid loop coretemp msr tun ip_tables x_tables ext4 crc16 mbcache jbd2 fscrypto algif_skcipher af_alg hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid dm_crypt dm_mod rtsx_pci_sdmmc crct10dif_pclmul crc32_pclmul mmc_core crc32c_intel ghash_clmulni_intel pcbc serio_raw atkbd libps2 aesni_intel aes_x86_64 crypto_simd
kernel: cryptd rtsx_pci glue_helper xhci_pci i8042 serio xhci_hcd usbcore usb_common i915 intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart
kernel: CPU: 3 PID: 568 Comm: kworker/3:2 Not tainted 4.15.2 #1
kernel: Workqueue: events reg_todo [cfg80211]
kernel: RIP: 0010:fortify_panic+0x13/0x23
kernel: RSP: 0018:ffffb4e9c06d3d68 EFLAGS: 00010282
kernel: RAX: 0000000000000022 RBX: ffffffffc0ae31d8 RCX: 0000000000000000
kernel: RDX: 0000000000000000 RSI: ffff9aac615956d8 RDI: ffff9aac615956d8
kernel: RBP: ffff9aac46c9302c R08: 000000000000035d R09: 0000000000000004
kernel: R10: 0000000000006030 R11: 0000000000000030 R12: ffffb4e9c06d3dc0
kernel: R13: ffffb4e9c06d3ddc R14: 0000000000000000 R15: 0000000000000025
kernel: FS: 0000000000000000(0000) GS:ffff9aac61580000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000679374104000 CR3: 0000000062008003 CR4: 00000000003606e0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kernel: Call Trace:
kernel: nl80211_common_reg_change_event+0x23e/0x250 [cfg80211]
kernel: reg_process_self_managed_hints+0x14b/0x1b0 [cfg80211]
kernel: ? reg_todo+0x260/0x2a0 [cfg80211]
kernel: reg_todo+0x260/0x2a0 [cfg80211]
kernel: process_one_work+0x193/0x3b0
kernel: worker_thread+0x31/0x3a0
kernel: ? process_one_work+0x3b0/0x3b0
kernel: kthread+0x113/0x130
kernel: ? kthread_create_on_node+0x90/0x90
kernel: ret_from_fork+0x35/0x40
kernel: Code: 48 89 c2 e8 e3 71 00 00 c6 04 2b 00 4c 89 e8 5b 5d 41 5c 41 5d c3 0f 0b 53 48 89 fb 48 89 de 48 c7 c7 e8 88 e7 87 e8 d2 7e a0 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 48 89 fd 53
kernel: RIP: fortify_panic+0x13/0x23 RSP: ffffb4e9c06d3d68
kernel: ---[ end trace d7823b7c4dda1c42 ]---
As for additional info, I have CONFIG_IPV6=n.
If that leads us to nowhere feel free to ignore this. Sorry for bothering.
You might be able to get useful debug info with addr2line / gdb. I won't have time to work on this in the near future unfortunately.
It could be this bit:
if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
               NL80211_REGDOM_TYPE_COUNTRY) ||
    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
                   request->alpha2))
        goto nla_put_failure;
Yeah, I was thinking that this can be related to regdb, which I don't have installed. I have the following info in logs:
platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
cfg80211: failed to load regulatory.db
Installing crda makes this error worse as it crashes boot:
kernel: platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
kernel: detected buffer overflow in strlen
kernel: ------------[ cut here ]------------
kernel: kernel BUG at lib/string.c:1052!
kernel: invalid opcode: 0000 [#1] SMP PTI
kernel: Modules linked in: snd_hda_ext_core qcserial(+) cdc_wdm usb_wwan snd_hda_codec_hdmi cfg80211 snd_hda_codec_conexant snd_hda_codec_generic cdc_ncm snd_soc_acpi joydev xt_mark mousedev xt_owner snd_hda_intel intel_rapl hid_sensor_rotation usbserial hid_sensor_magn_3d ipt_REJECT x86_pkg_temp_thermal hid_sensor_gyro_3d nf_reject_ipv4 usbnet nf_log_ipv4 hid_sensor_als hid_sensor_accel_3d nf_log_common intel_powerclamp hid_sensor_trigger wacom mii xt_LOG hid_sensor_iio_common industrialio_triggered_buffer xt_tcpudp snd_hda_codec kfifo_buf kvm_intel industrialio xt_conntrack hid_sensor_hub iptable_mangle kvm intel_ishtp_hid iptable_nat snd_hwdep snd_hda_core nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack snd_pcm psmouse mei_wdt libcrc32c crc32c_generic wmi_bmof iptable_filter
kernel: intel_wmi_thunderbolt nls_iso8859_1 nls_cp437 vfat intel_ish_ipc fat snd_timer irqbypass intel_cstate thinkpad_acpi intel_uncore mei_me nvram snd rtsx_pci_ms mei intel_ishtp memstick shpchp intel_rapl_perf input_leds i2c_i801 intel_pch_thermal wmi soundcore tpm_crb led_class rfkill tpm_tis battery tpm_tis_core ac tpm rtc_cmos i2c_hid loop evdev coretemp mac_hid msr tun fuse ip_tables x_tables ext4 crc16 mbcache jbd2 fscrypto algif_skcipher af_alg hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid dm_crypt dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel rtsx_pci_sdmmc pcbc mmc_core serio_raw atkbd libps2 aesni_intel aes_x86_64 crypto_simd cryptd rtsx_pci glue_helper xhci_pci i8042 serio xhci_hcd usbcore usb_common i915 intel_gtt i2c_algo_bit drm_kms_helper
kernel: syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart
kernel: CPU: 2 PID: 989 Comm: crda Not tainted 4.15.2 #1
kernel: RIP: 0010:fortify_panic+0x13/0x23
kernel: RSP: 0000:ffffa5be0072b9b8 EFLAGS: 00010286
kernel: RAX: 0000000000000022 RBX: ffffffffc0bdc1d8 RCX: 0000000000000000
kernel: RDX: 0000000000000000 RSI: ffff8ec7215156d8 RDI: ffff8ec7215156d8
kernel: RBP: ffff8ec716750014 R08: 0000000000000333 R09: 0000000000000000
kernel: R10: 0000000000001008 R11: ffff8ec717861faf R12: ffff8ec714d9d750
kernel: R13: ffff8ec714d9d76c R14: 0000000000000000 R15: ffff8ec71634297c
kernel: FS: 00006cd727cb5740(0000) GS:ffff8ec721500000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 00000affca69d008 CR3: 00000002144b8001 CR4: 00000000003606e0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kernel: Call Trace:
kernel: nl80211_common_reg_change_event+0x23e/0x250 [cfg80211]
kernel: set_regdom+0x25e/0x5c0 [cfg80211]
kernel: nl80211_set_reg+0x282/0x2b0 [cfg80211]
kernel: genl_family_rcv_msg+0x33c/0x400
kernel: genl_rcv_msg+0x47/0x90
kernel: ? genl_family_rcv_msg+0x400/0x400
kernel: netlink_rcv_skb+0x77/0x140
kernel: genl_rcv+0x24/0x40
kernel: netlink_unicast+0x1b1/0x230
kernel: netlink_sendmsg+0x377/0x3c0
kernel: sock_sendmsg+0x39/0x50
kernel: ___sys_sendmsg+0x2c2/0x320
kernel: ? __sys_sendmsg+0x6c/0xb0
kernel: __sys_sendmsg+0x6c/0xb0
kernel: do_syscall_64+0x75/0x180
kernel: entry_SYSCALL_64_after_hwframe+0x21/0x86
kernel: RIP: 0033:0x6cd7271f2097
kernel: RSP: 002b:00007fc08053f158 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
kernel: RAX: ffffffffffffffda RBX: 00000000086c45f0 RCX: 00006cd7271f2097
kernel: RDX: 0000000000000000 RSI: 00007fc08053f190 RDI: 0000000000000000
kernel: RBP: 00000000086c9240 R08: 0000000000000000 R09: 00006cd7274ad200
kernel: R10: 0000000000000059 R11: 0000000000000246 R12: 00000000086c4500
kernel: R13: 00007fc08053f190 R14: 00000000086c4460 R15: 00000000086c98c0
kernel: Code: 48 89 c2 e8 e3 71 00 00 c6 04 2b 00 4c 89 e8 5b 5d 41 5c 41 5d c3 0f 0b 53 48 89 fb 48 89 de 48 c7 c7 e8 88 e7 8a e8 d2 7e a0 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 48 89 fd 53
kernel: RIP: fortify_panic+0x13/0x23 RSP: ffffa5be0072b9b8
kernel: ---[ end trace a71e1b62a5a662d3 ]---
I tried it on 4.16rc1 with CONFIG_CFG80211_CRDA_SUPPORT=n but it still breaks:
kernel: platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
kernel: detected buffer overflow in strlen
kernel: ------------[ cut here ]------------
kernel: kernel BUG at lib/string.c:1052!
kernel: invalid opcode: 0000 [#1] SMP PTI
kernel: Modules linked in: arc4 xt_mark xt_owner qcserial cdc_mbim ipt_REJECT cdc_wdm nf_reject_ipv4 cdc_ncm usb_wwan usbnet nf_log_ipv4 wacom usbserial nf_log_common mii xt_LOG iwlmvm xt_tcpudp xt_conntrack mac80211 iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c crc32c_generic iptable_filter iwlwifi nls_iso8859_1 nls_cp437 snd_soc_skl vfat fat snd_soc_acpi cfg80211 hid_sensor_als hid_sensor_accel_3d snd_soc_core hid_sensor_gyro_3d hid_sensor_rotation hid_sensor_magn_3d hid_sensor_trigger snd_hda_codec_hdmi hid_sensor_iio_common industrialio_triggered_buffer kfifo_buf industrialio snd_hda_codec_conexant snd_hda_codec_generic snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core mei_wdt hid_sensor_hub intel_ishtp_hid joydev mousedev
kernel: wmi_bmof intel_wmi_thunderbolt intel_rapl x86_pkg_temp_thermal intel_powerclamp kvm_intel kvm irqbypass intel_cstate intel_uncore snd_hda_intel snd_hda_codec snd_hwdep psmouse snd_hda_core input_leds mei_me intel_rapl_perf snd_pcm mei intel_pch_thermal snd_timer thinkpad_acpi i2c_i801 shpchp intel_ish_ipc intel_ishtp wmi ac battery nvram snd tpm_crb soundcore led_class rfkill rtc_cmos i2c_hid tpm_tis tpm_tis_core tpm evdev mac_hid loop coretemp msr tun fuse ip_tables x_tables ext4 crc16 mbcache jbd2 fscrypto algif_skcipher af_alg hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid dm_crypt dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel serio_raw pcbc atkbd libps2 aesni_intel aes_x86_64 crypto_simd cryptd glue_helper xhci_pci i8042 serio xhci_hcd usbcore usb_common
kernel: i915 intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart
kernel: CPU: 0 PID: 563 Comm: kworker/0:3 Not tainted 4.16.0 #2
kernel: Workqueue: events reg_todo [cfg80211]
kernel: RIP: 0010:fortify_panic+0x13/0x1a
kernel: RSP: 0018:ffffb4750042fd68 EFLAGS: 00010282
kernel: RAX: 0000000000000022 RBX: ffffffffc0c85f98 RCX: 0000000000000000
kernel: RDX: 0000000000000000 RSI: ffff8b2f214156d8 RDI: ffff8b2f214156d8
kernel: RBP: ffff8b2ef0468014 R08: 0000000000000350 R09: 0000000000000004
kernel: R10: 0000000000005028 R11: 0000000000000030 R12: ffffb4750042fdc0
kernel: R13: ffffb4750042fddc R14: 0000000000000000 R15: 0000000000000025
kernel: FS: 0000000000000000(0000) GS:ffff8b2f21400000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 000006fca1936828 CR3: 00000000b8008003 CR4: 00000000003606f0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kernel: Call Trace:
kernel: nl80211_common_reg_change_event+0x23e/0x250 [cfg80211]
kernel: reg_process_self_managed_hints+0x14b/0x1b0 [cfg80211]
kernel: ? reg_todo+0x260/0x2b0 [cfg80211]
kernel: reg_todo+0x260/0x2b0 [cfg80211]
kernel: process_one_work+0x193/0x3a0
kernel: worker_thread+0x2e/0x390
kernel: ? process_one_work+0x3a0/0x3a0
kernel: kthread+0x113/0x130
kernel: ? kthread_create_on_node+0x90/0x90
kernel: ret_from_fork+0x35/0x40
kernel: Code: 49 39 ec 76 e1 31 c0 5b 5d 41 5c 41 5d c3 48 89 d8 5b 5d 41 5c 41 5d c3 53 48 89 fb 48 89 de 48 c7 c7 90 1f e5 95 e8 d9 8a 9f ff <0f> 0b 90 90 90 90 90 55 48 89 fd 53 48 89 f3 48 89 ea 31 c9 48
kernel: RIP: fortify_panic+0x13/0x1a RSP: ffffb4750042fd68
kernel: ---[ end trace e6cd075f36da39d1 ]---
I don't see an option to disable regulatory database firmware loading to test if this bug disappears.
struct regulatory_request { ... char alpha2[2]; ...
static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { ... [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 }, ...
AIUI, only NLA_NUL_STRING has a trailing NULL byte. Working with NLA_STRING needs nla_strlcpy() to "extract" them.
However: /**
It looks like nla_put_string() must have NULL-terminated strings...
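The C program below is an added illustration for this thread; it is not code from the kernel, from cfg80211, or from any participant. It emulates the two pieces discussed above: the nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, request->alpha2) call, which ends in strlen(), and the 2-byte alpha2 member that carries no NUL terminator. struct fake_regulatory_request, fortified_strlen(), bounded_len() and the alpha2_strlen_* helpers are assumed names of my own; the p_size parameter stands in for what __builtin_object_size() would report, and the "strict" variant bounds the check by the member alone rather than by the rest of the enclosing struct, which is the distinction the thread attributes to CONFIG_FORTIFY_SOURCE_STRICT_STRING. Where the kernel would call fortify_panic(), the emulation returns a sentinel so the outcome can be inspected from user space. The "US" and "00" inputs are constructed sample country codes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct regulatory_request: only the layout that
 * matters is kept, a 2-byte ISO 3166-1 alpha-2 code with no terminator. */
struct fake_regulatory_request {
	int initiator;
	char alpha2[2];		/* e.g. "US" or the world domain "00", no NUL */
	int flags;
};

/* Sentinel returned where the kernel would call fortify_panic("strlen"). */
#define FORTIFY_OVERFLOW ((size_t)-1)

/* strnlen() equivalent written out so the block builds under strict C. */
static size_t bounded_len(const char *p, size_t max)
{
	size_t n = 0;

	while (n < max && p[n] != '\0')
		n++;
	return n;
}

/*
 * Emulates the FORTIFY_SOURCE strlen() wrapper. p_size plays the role of
 * __builtin_object_size(p, mode): the scan is bounded by it, and if no NUL is
 * found inside the object the kernel logs "detected buffer overflow in strlen".
 */
static size_t fortified_strlen(const char *p, size_t p_size)
{
	size_t ret;

	if (p_size == (size_t)-1)	/* size unknown to the compiler: unchecked */
		return strlen(p);
	ret = bounded_len(p, p_size);
	if (p_size <= ret)
		return FORTIFY_OVERFLOW;
	return ret;
}

/* Build a request the way reg.c stores it: exactly two bytes, no terminator.
 * Padding and the following field are zeroed so the bytes after alpha2 are
 * deterministic. */
static struct fake_regulatory_request make_request(const char *cc)
{
	struct fake_regulatory_request r;

	memset(&r, 0, sizeof(r));
	memcpy(r.alpha2, cc, sizeof(r.alpha2));
	return r;
}

/* Non-strict view: the bound is the rest of the enclosing struct, so the
 * zero bytes after alpha2 act as a terminator and nothing is reported. */
static size_t alpha2_strlen_lax(const char *cc)
{
	struct fake_regulatory_request r = make_request(cc);
	size_t remaining = sizeof(r) - offsetof(struct fake_regulatory_request, alpha2);

	return fortified_strlen(r.alpha2, remaining);
}

/* Strict view: the bound is the member itself, 2 bytes. A full two-letter
 * code has no NUL inside those 2 bytes, so the check fires every time. */
static size_t alpha2_strlen_strict(const char *cc)
{
	struct fake_regulatory_request r = make_request(cc);

	return fortified_strlen(r.alpha2, sizeof(r.alpha2));
}

/* Safe shape: copy the code with its known length into a NUL-terminated
 * buffer before any string function sees it. Passing an explicit length to
 * the attribute writer instead of relying on strlen() has the same effect. */
static size_t alpha2_strlen_terminated(const char *cc)
{
	struct fake_regulatory_request r = make_request(cc);
	char buf[sizeof(r.alpha2) + 1];

	memcpy(buf, r.alpha2, sizeof(r.alpha2));
	buf[sizeof(r.alpha2)] = '\0';
	return fortified_strlen(buf, sizeof(buf));
}

int main(void)
{
	const char *codes[] = { "US", "00" };
	size_t i;

	for (i = 0; i < sizeof(codes) / sizeof(codes[0]); i++) {
		printf("%s: lax=%zu strict=%s terminated=%zu\n", codes[i],
		       alpha2_strlen_lax(codes[i]),
		       alpha2_strlen_strict(codes[i]) == FORTIFY_OVERFLOW ? "overflow" : "ok",
		       alpha2_strlen_terminated(codes[i]));
	}
	return 0;
}
```

The lax and strict helpers take the same bytes; only the bound differs, which is why the same nla_put_string() call is silent on a default FORTIFY build and panics under the strict string option. The terminated variant shows the property a fix needs: either the string function never sees the 2-byte member, or the member is copied into a buffer that has room for the NUL.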
I installed new version of wireless-regdb and now firmware is correctly loaded by kernel and this bug doesn't trigger then. It triggers when firmware isn't available as described above.
This issue doesn't occur anymore on 4.16-rc3. Probably fixed with https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=657308f73e674e86b60509a430a46e569bf02846
It happens early after boot with CONFIG_FORTIFY_SOURCE_STRICT_STRING=y. Kernel 4.15.2