| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Jul 2019 17:32:16 +0900
From: Eiichi Tsukata <devel@...ukata.com>
To: mhiramat@...nel.org
Cc: juri.lelli@...il.com, linux-kernel@...r.kernel.org,
mingo@...nel.org, peterz@...radead.org, rostedt@...dmis.org,
tglx@...utronix.de, torvalds@...ux-foundation.org,
williams@...hat.com, Eiichi Tsukata <devel@...ukata.com>
Subject: [PATCH 1/1] x86/stacktrace: Fix userstacktrace access_ok() WARNING in irq events
When arch_stack_walk_user() is called from irq context, access_ok() can
trigger the following WARNING if compiled with CONFIG_DEBUG_ATOMIC_SLEEP=y.
Reproducer:
// CONFIG_DEBUG_ATOMIC_SLEEP=y
# cd /sys/kernel/debug/tracing
# echo 1 > options/userstacktrace
# echo 1 > events/irq/irq_handler_entry/enable
WARNING:
WARNING: CPU: 0 PID: 2649 at arch/x86/kernel/stacktrace.c:103 arch_stack_walk_user+0x6e/0xf6
Modules linked in:
CPU: 0 PID: 2649 Comm: bash Not tainted 5.3.0-rc1+ #99
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
RIP: 0010:arch_stack_walk_user+0x6e/0xf6
Code: 00 48 89 45 c8 48 89 da 49 89 c7 49 89 c5 65 8b 05 5f 3f 3c 72 a9 00 01 1f 00 74 10 48 8b 45 c8 8b 80 58 16 00 00 85 c0 75 02 <0f> 0b 49 8b 85 18 17 00 00 48 83 e8 10 48 39 c2 77 32 41 83 85 58
RSP: 0018:ffff888068a09bc0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 00005567f28dc6a0 RCX: ffffffff8ddf6b71
RDX: 00005567f28dc6a0 RSI: 00007f3fcf7d20f8 RDI: ffff888068475048
RBP: ffff888068a09bf8 R08: ffffffff8ddf6b4b R09: ffffed100ced26f1
R10: ffffed100ced26f0 R11: ffff888067693787 R12: ffff88807c1bff58
R13: ffff888067693780 R14: ffff888068a09c28 R15: ffff888067693780
FS: 00007f3fcf6e3740(0000) GS:ffff888068a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055cd64646630 CR3: 000000005e230004 CR4: 0000000000160ef0
Call Trace:
<IRQ>
? stack_trace_save+0xc0/0xc0
stack_trace_save_user+0x10a/0x16d
? stack_trace_save_tsk_reliable+0x1c0/0x1c0
? __kasan_check_read+0x11/0x20
trace_buffer_unlock_commit_regs+0x185/0x240
trace_event_buffer_commit+0xec/0x330
trace_event_raw_event_irq_handler_entry+0x159/0x1e0
? perf_trace_softirq+0x250/0x250
? check_chain_key+0x1da/0x2d0
? perf_trace_softirq+0x250/0x250
__handle_irq_event_percpu+0x22d/0x440
handle_irq_event_percpu+0x70/0x100
? __handle_irq_event_percpu+0x440/0x440
? __kasan_check_read+0x11/0x20
? preempt_count_sub+0x1a/0x120
handle_irq_event+0x5a/0x8b
handle_edge_irq+0x12f/0x3f0
handle_irq+0x34/0x40
do_IRQ+0xa6/0x1f0
common_interrupt+0xf/0xf
</IRQ>
Fix it by calling __range_not_ok() directly instead of access_ok() as
copy_from_user_nmi() does. This is fine here because the actual copy is
inside a pagefault disabled region.
Reported-by: Juri Lelli <juri.lelli@...il.com>
Signed-off-by: Eiichi Tsukata <devel@...ukata.com>
---
arch/x86/kernel/stacktrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c
index 4f36d3241faf..2d6898c2cb64 100644
--- a/arch/x86/kernel/stacktrace.c
+++ b/arch/x86/kernel/stacktrace.c
@@ -100,7 +100,7 @@ copy_stack_frame(const void __user *fp, struct stack_frame_user *frame)
{
int ret;
- if (!access_ok(fp, sizeof(*frame)))
+ if (__range_not_ok(fp, sizeof(*frame), TASK_SIZE))
return 0;
ret = 1;
--
2.21.0
Powered by blists - more mailing lists