Message-ID: <1568776174-84980-1-git-send-email-chenzefeng2@huawei.com>
Date:   Wed, 18 Sep 2019 11:09:34 +0800
From:   chenzefeng <chenzefeng2@...wei.com>
To:     <linux@...linux.org.uk>, <matthias.schiffer@...tq-group.com>,
        <tglx@...utronix.de>, <info@...ux.net>,
        <gregkh@...uxfoundation.org>
CC:     <chenzefeng2@...wei.com>, <linux-arm-kernel@...ts.infradead.org>,
        <linux-kernel@...r.kernel.org>, <nixiaoming@...wei.com>,
        <liucheng32@...wei.com>, <cj.chengjian@...wei.com>
Subject: [PATCH] arm:unwind: fix incorrect backtrace with unwind_table

For arm, if CONFIG_ARM_UNWIND is enabled, when a module is loaded with insmod,
its init section is added to the unwind_table; the code path is as follows:
	load_module
	--->post_relocation
	------->module_finalize
	----------->maps[ARM_SEC_INIT].txt_sec = s
	----------->unwind_table_add

Later, if load_module succeeds, the init section's memory will be
vfreed; the code path is as follows:
	load_module
	--->do_init_module
	------->freeinit->module_init = mod->init_layout.base
	------->schedule_work(&init_free_wq)
	----------->do_free_init
	--------------->vfree(freeinit->module_init)

But after the init section has been vfreed, its unwind_table
is not removed.

The issue is as follows:
When module A is loaded with insmod, the system allocates "Addr1" for its init
text section and adds it to the unwind_table list; after the insmod
succeeds, "Addr1" is vfreed.
Unfortunately, when module B is later loaded with insmod, the system allocates "Addr1"
for its text section and adds it to the unwind_table list, too.
And if we dump the stack in module B, we may get an incorrect backtrace.

Signed-off-by: chenzefeng <chenzefeng2@...wei.com>
---
 arch/arm/kernel/module.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c
index deef17f..438ed67 100644
--- a/arch/arm/kernel/module.c
+++ b/arch/arm/kernel/module.c
@@ -410,7 +410,20 @@ int module_finalize(const Elf32_Ehdr *hdr, const Elf_Shdr *sechdrs,
 	int i;
 
 	for (i = 0; i < ARM_SEC_MAX; i++)
-		if (mod->arch.unwind[i])
+		if (mod->arch.unwind[i]) {
 			unwind_table_del(mod->arch.unwind[i]);
+			mod->arch.unwind[i] = NULL;
+		}
+#endif
+}
+
+void
+module_arch_freeing_init(struct module *mod)
+{
+#ifdef CONFIG_ARM_UNWIND
+	if (mod->arch.unwind[ARM_SEC_INIT]) {
+		unwind_table_del(mod->arch.unwind[ARM_SEC_INIT]);
+		mod->arch.unwind[ARM_SEC_INIT] = NULL;
+	}
 #endif
 }
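Review bot: The `mod->arch.unwind[i] = NULL;` store added inside the loop, together with the matching NULL store in the new module_arch_freeing_init(), is what stops the two functions from calling unwind_table_del() twice on the same ARM_SEC_INIT table when both run for one module, since each guards the call with an `if (mod->arch.unwind[...])` test; that dependency is not obvious from either function on its own, so a short comment above module_arch_freeing_init() saying that it drops the init section's unwind table before that memory is released (and can be handed to a later module, as the commit message describes) would help the next reader. One style point: the new definition splits the return type onto its own line (`void` / `module_arch_freeing_init(struct module *mod)`), whereas the hunk header shows this file keeping `int module_finalize(const Elf32_Ehdr *hdr, ...` on one line, so the new function should follow that layout.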
-- 
1.8.5.6
