lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 22 Jan 2016 17:27:38 -0800
From:	Andi Kleen <ak@...ux.intel.com>
To:	kernel test robot <fengguang.wu@...el.com>
Cc:	LKP <lkp@...org>, linux-kernel@...r.kernel.org,
	"Peter Zijlstra (Intel)" <peterz@...radead.org>,
	Ingo Molnar <mingo@...nel.org>, wfg@...ux.intel.com
Subject: Re: [perf/x86] 75925e1ad7:  BUG: unable to handle kernel paging
 request at 000045b8

On Fri, Jan 22, 2016 at 12:33:24PM +0800, kernel test robot wrote:
> Greetings,
> 
> 0day kernel testing robot got the below dmesg and the first bad commit is
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Thanks. I managed to break 32bit kernels. The appended patch should
fix it.

----

x86, perf: Fix perf user stack trace walking
    
Fix 75925e1ad7 (perf/x86: Optimize stack walk user accesses)
   
Replace the hard coded 64bit frame pointer sizes, with sizeof depending
on the size of unsigned long on the host.
    
This avoids a stack smash on 32bit kernels, which was dutifully reported
by the 0day kbuild robot.
    
Signed-off-by: Andi Kleen <ak@...ux.intel.com>

diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
index 1b443db..ea4eb5c 100644
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -2328,13 +2328,16 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs)
 		frame.next_frame	     = NULL;
 		frame.return_address = 0;
 
-		if (!access_ok(VERIFY_READ, fp, 16))
+		if (!access_ok(VERIFY_READ, fp, sizeof(frame)))
 			break;
 
-		bytes = __copy_from_user_nmi(&frame.next_frame, fp, 8);
+		bytes = __copy_from_user_nmi(&frame.next_frame, fp,
+						sizeof(frame.next_frame));
 		if (bytes != 0)
 			break;
-		bytes = __copy_from_user_nmi(&frame.return_address, fp+8, 8);
+		bytes = __copy_from_user_nmi(&frame.return_address,
+					fp + sizeof(frame.next_frame),
+					sizeof(frame.return_address));
 		if (bytes != 0)
 			break;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ