lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Feb 2020 08:55:16 -0800 From: sathyanarayanan.kuppuswamy@...ux.intel.com To: tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, hpa@...or.com, x86@...nel.org Cc: linux-kernel@...r.kernel.org, Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@...ux.intel.com> Subject: [PATCH v1 1/1] x86/apic/vector: Fix NULL pointer exception in irq_complete_move() From: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@...ux.intel.com> If an IRQ is scheduled using generic_handle_irq() function in a non IRQ path, the irq_regs per CPU variable will not be set. Hence calling irq_complete_move() function in this scenario leads to NULL pointer de-reference exception. One example for this issue is, triggering fake AER errors using PCIe aer_inject framework. So add addition check for irq_regs NULL pointer in irq_complete_move() function. [ 58.368226] aer 0000:00:1c.0:pcie002: aer_inject: Injecting errors 00000040/00000000 into device 0000:01:00.0 [ 58.368234] BUG: unable to handle kernel NULL pointer dereference at 0000000000000078 [ 58.368235] #PF error: [normal kernel read fault] [ 58.368236] PGD 455bb6067 P4D 455bb6067 PUD 45cc18067 PMD 0 [ 58.368239] Oops: 0000 [#1] SMP NOPTI [ 58.368241] CPU: 7 PID: 22295 Comm: aer-inject Not tainted 5.0.0 #1 [ 58.368242] Hardware name: Intel Corporation CooperCity/CooperCity, BIOS WLYDCRB1.SYS.0014.D94.2001301835 01/30/2020 [ 58.368249] RIP: 0010:apic_ack_edge+0x1e/0x40 [ 58.368251] Code: 1b 01 e8 65 f8 11 00 eb e3 0f 1f 00 0f 1f 44 00 00 48 85 ff 53 48 89 fb 74 21 e8 3d ec ff ff 48 89 c7 65 48 8b 15 6a 40 fc 43 <48> 8b 72 78 f7 d6 e8 f7 ea ff ff 48 89 df 5b eb a1 31 ff eb e3 0f [ 58.368252] RSP: 0018:ffffb8d74705bd88 EFLAGS: 00010046 [ 58.368253] RAX: ffff996b6cda7540 RBX: ffff996b6cda7500 RCX: 0000000000000000 [ 58.368254] RDX: 0000000000000000 RSI: 0000000000000018 RDI: ffff996b6cda7540 [ 58.368255] RBP: ffff996b6a7c5118 R08: ffff996b6f000920 R09: ffff996b6f000a08 [ 58.368256] R10: 0000000000000000 R11: ffffffffbda660e0 R12: 0000000000000020 [ 58.368257] R13: ffff996b65e45200 R14: 0000000000000000 R15: ffff996b69e29000 [ 58.368258] FS: 00007f994cf74740(0000) GS:ffff996b6f9c0000(0000) knlGS:0000000000000000 [ 58.368259] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 58.368259] CR2: 0000000000000078 CR3: 0000000455576004 CR4: 00000000007606e0 [ 58.368260] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 58.368261] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 58.368261] PKRU: 55555554 [ 58.368262] Call Trace: [ 58.368269] handle_edge_irq+0x7d/0x1e0 [ 58.368272] generic_handle_irq+0x27/0x30 [ 58.368278] aer_inject_write+0x53a/0x720 [ 58.368283] __vfs_write+0x36/0x1b0 [ 58.368289] ? common_file_perm+0x47/0x130 [ 58.368293] ? security_file_permission+0x2e/0xf0 [ 58.368295] vfs_write+0xa5/0x180 [ 58.368296] ksys_write+0x52/0xc0 [ 58.368300] do_syscall_64+0x48/0x120 [ 58.368307] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 58.368309] RIP: 0033:0x7f994cb65680 [ 58.368310] Code: 89 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 83 3d 69 cd 20 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 4e fd ff ff 48 89 04 24 [ 58.368311] RSP: 002b:00007ffffcd356d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 58.368312] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f994cb65680 [ 58.368313] RDX: 0000000000000020 RSI: 00000000006063e0 RDI: 0000000000000004 [ 58.368314] RBP: 00007ffffcd35700 R08: 00007ffffcd355b0 R09: 00007f994cf74740 [ 58.368314] R10: 00007ffffcd34ae0 R11: 0000000000000246 R12: 0000000000400ef0 [ 58.368315] R13: 00007ffffcd36080 R14: 0000000000000000 R15: 0000000000000000 [ 58.368316] Modules linked in: fuse xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 xt_tcpudp tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter intel_rapl skx_edac nfit iTCO_wdt iTCO_vendor_support x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass intel_spi_pci intel_spi spi_nor i2c_i801 mtd mei_me mei ioatdma dca wmi acpi_power_meter joydev ip_tables x_tables crc32c_intel ast ttm [ 58.368335] CR2: 0000000000000078 [ 58.368336] ---[ end trace f0e610fab8685be7 ]--- [ 58.390416] RIP: 0010:apic_ack_edge+0x1e/0x40 [ 58.390421] Code: 1b 01 e8 65 f8 11 00 eb e3 0f 1f 00 0f 1f 44 00 00 48 85 ff 53 48 89 fb 74 21 e8 3d ec ff ff 48 89 c7 65 48 8b 15 6a 40 fc 43 <48> 8b 72 78 f7 d6 e8 f7 ea ff ff 48 89 df 5b eb a1 31 ff eb e3 0f [ 58.390423] RSP: 0018:ffffb8d74705bd88 EFLAGS: 00010046 [ 58.390424] RAX: ffff996b6cda7540 RBX: ffff996b6cda7500 RCX: 0000000000000000 [ 58.390425] RDX: 0000000000000000 RSI: 0000000000000018 RDI: ffff996b6cda7540 [ 58.390426] RBP: ffff996b6a7c5118 R08: ffff996b6f000920 R09: ffff996b6f000a08 [ 58.390427] R10: 0000000000000000 R11: ffffffffbda660e0 R12: 0000000000000020 [ 58.390428] R13: ffff996b65e45200 R14: 0000000000000000 R15: ffff996b69e29000 [ 58.390429] FS: 00007f994cf74740(0000) GS:ffff996b6f9c0000(0000) knlGS:0000000000000000 [ 58.390430] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 58.390431] CR2: 0000000000000078 CR3: 0000000455576004 CR4: 00000000007606e0 [ 58.390431] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 58.390432] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 58.390433] PKRU: 55555554 Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@...ux.intel.com> --- arch/x86/kernel/apic/vector.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c index 2c5676b0a6e7..5cf11dcf28d9 100644 --- a/arch/x86/kernel/apic/vector.c +++ b/arch/x86/kernel/apic/vector.c @@ -926,6 +926,10 @@ static void __irq_complete_move(struct irq_cfg *cfg, unsigned vector) void irq_complete_move(struct irq_cfg *cfg) { + /* if irq_regs per CPU variable is not set, just return */ + if (!get_irq_regs()) + return; + __irq_complete_move(cfg, ~get_irq_regs()->orig_ax); } -- 2.21.0
Powered by blists - more mailing lists