lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YWgyy+KvNLQ7eMIV@shell.armlinux.org.uk>
Date:   Thu, 14 Oct 2021 14:38:19 +0100
From:   "Russell King (Oracle)" <linux@...linux.org.uk>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     keescook@...omium.org, jannh@...gle.com,
        linux-kernel@...r.kernel.org, vcaputo@...garu.com,
        mingo@...hat.com, juri.lelli@...hat.com,
        vincent.guittot@...aro.org, dietmar.eggemann@....com,
        rostedt@...dmis.org, bsegall@...gle.com, mgorman@...e.de,
        bristot@...hat.com, akpm@...ux-foundation.org,
        christian.brauner@...ntu.com, amistry@...gle.com,
        Kenta.Tada@...y.com, legion@...nel.org,
        michael.weiss@...ec.fraunhofer.de, mhocko@...e.com, deller@....de,
        zhengqi.arch@...edance.com, me@...in.cc, tycho@...ho.pizza,
        tglx@...utronix.de, bp@...en8.de, hpa@...or.com,
        mark.rutland@....com, axboe@...nel.dk, metze@...ba.org,
        laijs@...ux.alibaba.com, luto@...nel.org,
        dave.hansen@...ux.intel.com, ebiederm@...ssion.com,
        ohoono.kwon@...sung.com, kaleshsingh@...gle.com,
        yifeifz2@...inois.edu, jpoimboe@...hat.com,
        linux-hardening@...r.kernel.org, linux-arch@...r.kernel.org,
        vgupta@...nel.org, will@...nel.org, guoren@...nel.org,
        bcain@...eaurora.org, monstr@...str.eu, tsbogend@...ha.franken.de,
        nickhu@...estech.com, jonas@...thpole.se, mpe@...erman.id.au,
        paul.walmsley@...ive.com, hca@...ux.ibm.com,
        ysato@...rs.sourceforge.jp, davem@...emloft.net, chris@...kel.net
Subject: Re: [PATCH 0/7] wchan: Fix wchan support

On Thu, Oct 14, 2021 at 01:02:34PM +0100, Russell King (Oracle) wrote:
> On Fri, Oct 08, 2021 at 01:15:27PM +0200, Peter Zijlstra wrote:
> > Hi,
> > 
> > This fixes up wchan which is various degrees of broken across the
> > architectures.
> > 
> > Patch 4 fixes wchan for x86, which has been returning 0 for the past many
> > releases.
> > 
> > Patch 5 fixes the fundamental race against scheduling.
> > 
> > Patch 6 deletes a lot and makes STACKTRACE unconditional
> > 
> > patch 7 fixes up a few STACKTRACE arch oddities
> > 
> > 0day says all builds are good, so it must be perfect :-) I'm planning on
> > queueing up at least the first 5 patches, but I'm hoping the last two patches
> > can be too.
> > 
> > Also available here:
> > 
> >   git://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git sched/wchan
> 
> These patches introduce a regression on ARM. Whereas before, I have
> /proc/*/wchan populated with non-zero values, with these patches they
> _all_ contain "0":
> 
> root@...arfog21:~# cat /proc/*/wchan
> 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000root@...arfog21:~#
> 
> I'll try to investigate what is going on later today.

What is going on here is that the ARM stacktrace code refuses to trace
non-current tasks in a SMP environment due to the racy nature of doing
so if the non-current tasks are running.

When walking the stack with frame pointers, we:

- validate that the frame pointer is between the stack pointer and the
  top of stack defined by that stack pointer.
- we then load the next stack pointer and next frame pointer from the
  stack.

The reason this is unsafe when the task is not blocked is the stack can
change at any moment, which can cause the value read as a stack pointer
to be wildly different. If the read frame pointer value is roughly in
agreement, we can end up reading any part of memory, which would be an
information leak.

The table based unwinding is much more complex being essentially a set
of instructions to the unwinder code about which values to read from
the stack into a set of pseudo-registers, corrections to the stack
pointer, or transfers from the pseudo-registers. I haven't analysed
this code enough to really know the implications of what could be
possible if the values on the stack change while this code is running
on another CPU (it's not my code!) There is an attempt to bounds-limit
the virtual stack pointer after each unwind instruction is processed
to catch the unwinder doing anything silly, so it may be safe in so far
as it will fail should it encounter anything "stupid".

However, get_wchan() is a different case; we know for certain that the
task is blocked, so it won't be running on another CPU, and with your
patch 4, we have this guarantee. However, that is not true of all
callers to the stacktracing code, so I don't see how we can sanely
switch to using the stacktracing code for this.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ