| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20171127144712.cc2ihvkj3ck5xvq6@pd.tnic>
Date: Mon, 27 Nov 2017 15:47:12 +0100
From: Borislav Petkov <bp@...en8.de>
To: Ingo Molnar <mingo@...nel.org>
Cc: linux-kernel@...r.kernel.org,
Dave Hansen <dave.hansen@...ux.intel.com>,
Andy Lutomirski <luto@...capital.net>,
Thomas Gleixner <tglx@...utronix.de>,
"H . Peter Anvin" <hpa@...or.com>,
Peter Zijlstra <peterz@...radead.org>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH 01/21] x86/unwinder/orc: Don't bail on stack overflow
On Mon, Nov 27, 2017 at 11:45:09AM +0100, Ingo Molnar wrote:
> From: Andy Lutomirski <luto@...nel.org>
>
> If we overflow the stack into a guard page and then try to unwind it
> with ORC, it should work well: by construction, there can't be any
> meaningful data in the guard page because no writes to the guard page
> will have succeeded.
>
> This patch fixes a bug that unwinding from working correctly: if the
^
prevents
> starting register state has RSP pointing into a stack guard page, the
> ORC unwinder bails out immediately. This patch fixes that: the ORC
I believe here we can kill the second "This patch" :)
> unwinder will start the unwind.
>
> I tested this by intentionally overflowing the task stack. The
> result is an accurate call trace instead of a trace consisting
> purely of '?' entries.
>
> There are a few other bugs that are triggered if the unwinder
> encounters a stack overflow after the first step, and Josh has WIP
> patches to fix those as well.
I guess we don't need that paragraph.
> Signed-off-by: Andy Lutomirski <luto@...nel.org>
> Cc: Borislav Petkov <bpetkov@...e.de>
> Cc: Brian Gerst <brgerst@...il.com>
> Cc: Dave Hansen <dave.hansen@...el.com>
> Cc: Josh Poimboeuf <jpoimboe@...hat.com>
> Cc: Linus Torvalds <torvalds@...ux-foundation.org>
> Cc: Peter Zijlstra <peterz@...radead.org>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Link: http://lkml.kernel.org/r/927042950d7f1a7007dd0f58538966a593508f8b.1511715954.git.luto@kernel.org
> Signed-off-by: Ingo Molnar <mingo@...nel.org>
> ---
> arch/x86/kernel/unwind_orc.c | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
> index a3f973b2c97a..7f6e3935666b 100644
> --- a/arch/x86/kernel/unwind_orc.c
> +++ b/arch/x86/kernel/unwind_orc.c
> @@ -553,8 +553,18 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
> }
>
> if (get_stack_info((unsigned long *)state->sp, state->task,
> - &state->stack_info, &state->stack_mask))
> - return;
> + &state->stack_info, &state->stack_mask)) {
> + /*
> + * We weren't on a valid stack. It's possible that
> + * we overflowed a valid stack into a guard page.
> + * See if the next page up is valid so that we can
> + * generate some kind of backtrace if this happens.
> + */
Right, should we issue a marker or somesuch here to denote that we somehow
walked into the guard page?
It might be helpful when debugging issues, to see the big picture...
> + void *next_page = (void *)PAGE_ALIGN((unsigned long)regs->sp);
> + if (get_stack_info(next_page, state->task, &state->stack_info,
> + &state->stack_mask))
> + return;
> + }
>
> /*
> * The caller can provide the address of the first frame directly
> --
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
Powered by blists - more mailing lists