lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20190722083216.16192-2-devel@etsukata.com>
Date:   Mon, 22 Jul 2019 17:32:16 +0900
From:   Eiichi Tsukata <devel@...ukata.com>
To:     mhiramat@...nel.org
Cc:     juri.lelli@...il.com, linux-kernel@...r.kernel.org,
        mingo@...nel.org, peterz@...radead.org, rostedt@...dmis.org,
        tglx@...utronix.de, torvalds@...ux-foundation.org,
        williams@...hat.com, Eiichi Tsukata <devel@...ukata.com>
Subject: [PATCH 1/1] x86/stacktrace: Fix userstacktrace access_ok() WARNING in irq events

When arch_stack_walk_user() is called from irq context, access_ok() can
trigger the following WARNING if compiled with CONFIG_DEBUG_ATOMIC_SLEEP=y.

Reproducer:

  // CONFIG_DEBUG_ATOMIC_SLEEP=y
  # cd /sys/kernel/debug/tracing
  # echo 1 > options/userstacktrace
  # echo 1 > events/irq/irq_handler_entry/enable

WARNING:

  WARNING: CPU: 0 PID: 2649 at arch/x86/kernel/stacktrace.c:103 arch_stack_walk_user+0x6e/0xf6
  Modules linked in:
  CPU: 0 PID: 2649 Comm: bash Not tainted 5.3.0-rc1+ #99
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
  RIP: 0010:arch_stack_walk_user+0x6e/0xf6
  Code: 00 48 89 45 c8 48 89 da 49 89 c7 49 89 c5 65 8b 05 5f 3f 3c 72 a9 00 01 1f 00 74 10 48 8b 45 c8 8b 80 58 16 00 00 85 c0 75 02 <0f> 0b 49 8b 85 18 17 00 00 48 83 e8 10 48 39 c2 77 32 41 83 85 58
  RSP: 0018:ffff888068a09bc0 EFLAGS: 00010046
  RAX: 0000000000000000 RBX: 00005567f28dc6a0 RCX: ffffffff8ddf6b71
  RDX: 00005567f28dc6a0 RSI: 00007f3fcf7d20f8 RDI: ffff888068475048
  RBP: ffff888068a09bf8 R08: ffffffff8ddf6b4b R09: ffffed100ced26f1
  R10: ffffed100ced26f0 R11: ffff888067693787 R12: ffff88807c1bff58
  R13: ffff888067693780 R14: ffff888068a09c28 R15: ffff888067693780
  FS:  00007f3fcf6e3740(0000) GS:ffff888068a00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000055cd64646630 CR3: 000000005e230004 CR4: 0000000000160ef0
  Call Trace:
   <IRQ>
   ? stack_trace_save+0xc0/0xc0
   stack_trace_save_user+0x10a/0x16d
   ? stack_trace_save_tsk_reliable+0x1c0/0x1c0
   ? __kasan_check_read+0x11/0x20
   trace_buffer_unlock_commit_regs+0x185/0x240
   trace_event_buffer_commit+0xec/0x330
   trace_event_raw_event_irq_handler_entry+0x159/0x1e0
   ? perf_trace_softirq+0x250/0x250
   ? check_chain_key+0x1da/0x2d0
   ? perf_trace_softirq+0x250/0x250
   __handle_irq_event_percpu+0x22d/0x440
   handle_irq_event_percpu+0x70/0x100
   ? __handle_irq_event_percpu+0x440/0x440
   ? __kasan_check_read+0x11/0x20
   ? preempt_count_sub+0x1a/0x120
   handle_irq_event+0x5a/0x8b
   handle_edge_irq+0x12f/0x3f0
   handle_irq+0x34/0x40
   do_IRQ+0xa6/0x1f0
   common_interrupt+0xf/0xf
   </IRQ>

Fix it by calling __range_not_ok() directly instead of access_ok() as
copy_from_user_nmi() does. This is fine here because the actual copy is
inside a pagefault disabled region.

Reported-by: Juri Lelli <juri.lelli@...il.com>
Signed-off-by: Eiichi Tsukata <devel@...ukata.com>
---
 arch/x86/kernel/stacktrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c
index 4f36d3241faf..2d6898c2cb64 100644
--- a/arch/x86/kernel/stacktrace.c
+++ b/arch/x86/kernel/stacktrace.c
@@ -100,7 +100,7 @@ copy_stack_frame(const void __user *fp, struct stack_frame_user *frame)
 {
 	int ret;
 
-	if (!access_ok(fp, sizeof(*frame)))
+	if (__range_not_ok(fp, sizeof(*frame), TASK_SIZE))
 		return 0;
 
 	ret = 1;
-- 
2.21.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ