lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 13 Apr 2017 21:11:53 -0500
From:   Josh Poimboeuf <jpoimboe@...hat.com>
To:     Steven Rostedt <rostedt@...dmis.org>
Cc:     Ingo Molnar <mingo@...nel.org>, linux-kernel@...r.kernel.org,
        x86@...nel.org, Len Brown <lenb@...nel.org>,
        linux-acpi@...r.kernel.org, Borislav Petkov <bp@...en8.de>,
        "Rafael J . Wysocki" <rjw@...ysocki.net>, stable@...nel.org
Subject: Re: [PATCH v3] ftrace/x86/32: fix triple fault with graph tracing
 and suspend-to-ram

On Thu, Apr 13, 2017 at 07:02:36PM -0400, Steven Rostedt wrote:
> On Thu, 13 Apr 2017 17:53:55 -0500
> Josh Poimboeuf <jpoimboe@...hat.com> wrote:
> 
> > On x86-32, with CONFIG_FIRMWARE and multiple CPUs, if you enable
> > function graph tracing and then suspend to RAM, it will triple fault and
> > reboot when it resumes.
> > 
> > The first fault happens when booting a secondary CPU:
> > 
> > startup_32_smp()
> >   load_ucode_ap()
> >     prepare_ftrace_return()
> >       ftrace_graph_is_dead()
> >         (accesses 'kill_ftrace_graph')
> > 
> > The early head_32.S code calls into load_ucode_ap(), which has an an
> > ftrace hook, so it calls prepare_ftrace_return(), which calls
> > ftrace_graph_is_dead(), which tries to access the global
> > 'kill_ftrace_graph' variable with a virtual address, causing a fault
> > because the CPU is still in real mode.
> > 
> > The fix is to add a check in prepare_ftrace_return() to make sure it's
> > running in protected mode before continuing.  The check makes sure the
> > stack pointer is a virtual kernel address.  It's a bit of a hack, but
> > it's not very intrusive and it works well enough.
> > 
> > For reference, here are a few other (more difficult) ways this could
> > have potentially been fixed:
> > 
> > - Move startup_32_smp()'s call to load_ucode_ap() down to *after* paging
> >   is enabled.  (No idea what that would break.)
> > 
> > - Track down load_ucode_ap()'s entire callee tree and mark all the
> >   functions 'notrace'.  (Probably not realistic.)
> > 
> > - Pause graph tracing in ftrace_suspend_notifier_call() or bringup_cpu()
> >   or __cpu_up(), and ensure that the pause facility can be queried from
> >   real mode.
> > 
> > Reported-by: Paul Menzel <pmenzel@...gen.mpg.de>
> > Tested-by: Paul Menzel <pmenzel@...gen.mpg.de>
> > Cc: stable@...nel.org
> > Signed-off-by: Josh Poimboeuf <jpoimboe@...hat.com>
> 
> This is pretty much the same thing we were talking about before, right?

Yeah, the same patch from before, now with more tags!

> If so, then:
> 
> Reviewed-by: Steven Rostedt (VMware) <rostedt@...dmis.org>

Thanks!

-- 
Josh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ