lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 5 Oct 2017 08:57:34 -0500
From:   Josh Poimboeuf <jpoimboe@...hat.com>
To:     Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Cc:     fengguang.wu@...el.com, byungchul.park@....com, mingo@...nel.org,
        peterz@...radead.org, linux-kernel@...r.kernel.org, lkp@...org,
        torvalds@...ux-foundation.org, bp@...en8.de, x86@...nel.org,
        hpa@...or.com, tglx@...utronix.de
Subject: Re: [lockdep] b09be676e0 BUG: unable to handle kernel NULL pointer
 dereference at 000001f2

On Thu, Oct 05, 2017 at 08:02:33PM +0900, Tetsuo Handa wrote:
> Josh Poimboeuf wrote:
> > On Wed, Oct 04, 2017 at 06:44:50AM +0900, Tetsuo Handa wrote:
> > > Josh Poimboeuf wrote:
> > > > On Tue, Oct 03, 2017 at 11:28:15AM -0500, Josh Poimboeuf wrote:
> > > > > There are two bugs:
> > > > > 
> > > > > 1) Somebody -- presumably lockdep -- is corrupting the stack.  Need the
> > > > >    lockdep people to look at that.
> > > > > 
> > > > > 2) The 32-bit FP unwinder isn't handling the corrupt stack very well,
> > > > >    It's blindly dereferencing untrusted data:
> > > > > 
> > > > > 	/* Is the next frame pointer an encoded pointer to pt_regs? */
> > > > > 	regs = decode_frame_pointer(next_bp);
> > > > > 	if (regs) {
> > > > > 		frame = (unsigned long *)regs;
> > > > > 		len = regs_size(regs);
> > > > > 		state->got_irq = true;
> > > > > 
> > > > >   On 32-bit, regs_size() dereferences the regs pointer before we know it
> > > > >   points to a valid stack.  I'll fix that, along with the other unwinder
> > > > >   improvements I discussed with Linus.
> > > > 
> > > > Tetsuo and/or Fengguang,
> > > > 
> > > > Would you mind testing with this patch?  It should at least prevent the
> > > > unwinder panic and should hopefully print a useful unwinder dump
> > > > instead.
> > > > 
> > > Here are two outputs.
> > 
> > Tetsuo, would you mind trying the following patch?
> > 
> Here are two outputs. Same kernel with different host hardware.

Thanks, these dumps are more "normal":

- The first shows a missing frame pointer setup in
  atomic64_add_unless_cx8().

- The second shows some frame pointer related issue in the kthread
  creation path.

I don't plan on fixing those, because we don't yet have objtool support
for 32-bit and we don't have anything which needs reliable stack traces
there.  I'll probably just disable those unwinder dumps on 32-bit.

-- 
Josh

Powered by blists - more mailing lists