lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAK8P3a0ojj7mYg0-gBG8a=CWubBE-0XtDSw-B4nqmqHcmE34pw@mail.gmail.com>
Date:   Mon, 30 Dec 2019 16:58:31 +0100
From:   Arnd Bergmann <arnd@...db.de>
To:     "Jason A. Donenfeld" <Jason@...c4.com>
Cc:     Paul Burton <paulburton@...nel.org>,
        "open list:BROADCOM NVRAM DRIVER" <linux-mips@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Vincenzo Frascino <vincenzo.frascino@....com>,
        Christian Brauner <christian.brauner@...onical.com>
Subject: Re: vdso-related userspace crashes on 5.5 mips64

On Tue, Dec 24, 2019 at 2:37 PM Jason A. Donenfeld <Jason@...c4.com> wrote:
>
> More details forthcoming, but I just bisected this to:
>
> commit 942437c97fd9ff23a17c13118f50bd0490f6868c (refs/bisect/bad)
> Author: Arnd Bergmann <arnd@...db.de>
> Date:   Mon Jul 15 11:46:10 2019 +0200
>
>    y2038: allow disabling time32 system calls
>
>    At the moment, the compilation of the old time32 system calls depends
>    purely on the architecture. As systems with new libc based on 64-bit
>    time_t are getting deployed, even architectures that previously supported
>    these (notably x86-32 and arm32 but also many others) no longer depend on
>    them, and removing them from a kernel image results in a smaller kernel
>    binary, the same way we can leave out many other optional system calls.

My best guess right now is that there is a bug in the error handling
inside the mips vdso: clock_gettime32_fallback() is defined like

static __always_inline long clock_gettime32_fallback(
                                        clockid_t _clkid,
                                        struct old_timespec32 *_ts)
{
        register struct old_timespec32 *ts asm("a1") = _ts;
        register clockid_t clkid asm("a0") = _clkid;
        register long ret asm("v0");
        register long nr asm("v0") = __NR_clock_gettime;
        register long error asm("a3");

        asm volatile(
        "       syscall\n"
        : "=r" (ret), "=r" (error)
        : "r" (clkid), "r" (ts), "r" (nr)
        : "$1", "$3", "$8", "$9", "$10", "$11", "$12", "$13",
          "$14", "$15", "$24", "$25", "hi", "lo", "memory");

        return error ? -ret : ret;
}

and it's possible that this does not work correctly when the system
call fails. With my patch, the __NR_clock_gettime syscall always
fails, and this may end up corrupting the registers or the stack
in some way.

One thing you could try is to use a working kernel version (before
my patch, with my patch reverted, or with your workaround applied)
and pass an invalid _clkid argument to make the system call
fail in a different way. Does this cause the same crash?

I see that the previous vdso implementation (added in
180902e08f05, fixed in b399ee28c29c07, removed in
90800281e761) had an issue with the clobber list originally,
but the current version looks identical to the version after
the fix.

        Arnd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ