lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 12 Nov 2019 21:29:38 +0800
From:   Mark-PK Tsai <mark-pk.tsai@...iatek.com>
To:     <linux@...linux.org.uk>
CC:     <matthias.bgg@...il.com>, <kstewart@...uxfoundation.org>,
        <allison@...utok.net>, <lvqiang.huang@...soc.com>,
        <gregkh@...uxfoundation.org>, <info@...ux.net>,
        <tglx@...utronix.de>, <linux-arm-kernel@...ts.infradead.org>,
        <linux-kernel@...r.kernel.org>,
        <linux-mediatek@...ts.infradead.org>, <yj.chiang@...iatek.com>,
        <mark-pk.tsai@...iatek.com>, <alix.wu@...iatek.com>,
        <mike-sl.lin@...iatek.com>, <eddy.lin@...iatek.com>,
        <phil.chang@...iatek.com>
Subject: [PATCH] ARM: fix race in for_each_frame

The sv_pc, which is saved in the stack, may be an invalid address
if the target thread is running on another processor in the meantime.
It will cause kernel crash at `ldr r2, [sv_pc, #-4]`.

Check if sv_pc is valid before use it like unwind_frame in
arch/arm/kernel/unwind.c.

Signed-off-by: Mike-SL Lin <mike-sl.lin@...iatek.com>
Signed-off-by: Mark-PK Tsai <mark-pk.tsai@...iatek.com>
---
 arch/arm/lib/backtrace.S | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm/lib/backtrace.S b/arch/arm/lib/backtrace.S
index 582925238d65..84f06381bbfb 100644
--- a/arch/arm/lib/backtrace.S
+++ b/arch/arm/lib/backtrace.S
@@ -64,6 +64,11 @@ for_each_frame:	tst	frame, mask		@ Check for address exceptions
 		sub	sv_pc, sv_pc, offset	@ Correct PC for prefetching
 		bic	sv_pc, sv_pc, mask	@ mask PC/LR for the mode
 
+		mov	r0, sv_pc
+		bl	kernel_text_address	@ check if sv_pc is valid
+		cmp	r0, #0			@ if sv_pc is not kernel text
+		beq	1006f			@ address, abort backtrace
+
 1003:		ldr	r2, [sv_pc, #-4]	@ if stmfd sp!, {args} exists,
 		ldr	r3, .Ldsi+4		@ adjust saved 'pc' back one
 		teq	r3, r2, lsr #11		@ instruction
-- 
2.18.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ