lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210928103543.GF1924@C02TD0UTHF1T.local>
Date:   Tue, 28 Sep 2021 11:35:43 +0100
From:   Mark Rutland <mark.rutland@....com>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     syzbot <syzbot+488ddf8087564d6de6e2@...kaller.appspotmail.com>,
        Linux ARM <linux-arm-kernel@...ts.infradead.org>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk,
        will@...nel.org
Subject: Re: [syzbot] upstream test error: KASAN: invalid-access Read in
 __entry_tramp_text_end

On Tue, Sep 28, 2021 at 12:19:23PM +0200, Dmitry Vyukov wrote:
>  On Mon, 27 Sept 2021 at 19:18, Mark Rutland <mark.rutland@....com> wrote:
> > What's happened here is that __d_lookup() (via a few layers of inlining) called
> > load_unaligned_zeropad(). The `LDR` at the start of the asm faulted (I suspect
> > due to a tag check fault), and so the exception handler replaced the PC with
> > the (anonymous) fixup function. This is akin to a tail or sibling call, and so
> > the fixup function entirely replaces __d_lookup() in the trace.
> >
> > The fixup function itself has an `LDR` which faulted (because it's
> > designed to fixup page alignment problems, not tag check faults), and
> > that is what's reported here.
> >
> > As the fixup function is anonymous, and the nearest prior symbol in .text is
> > __entry_tramp_text_end, it gets symbolized as an offset from that.
> >
> > We can make the unwinds a bit nicer by adding some markers (e.g. patch
> > below), but actually fixing this case will require some more thought.
> >
> > Thanks,
> > Mark.
> >
> > ---->8----
> > diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
> > index 709d2c433c5e..127096a0faea 100644
> > --- a/arch/arm64/kernel/vmlinux.lds.S
> > +++ b/arch/arm64/kernel/vmlinux.lds.S
> > @@ -111,6 +111,11 @@ jiffies = jiffies_64;
> >  #define TRAMP_TEXT
> >  #endif
> >
> > +#define FIXUP_TEXT                                     \
> > +       __fixup_text_start = .;                         \
> > +       *(.fixup);                                      \
> > +       __fixup_text_end = .;
> > +
> >  /*
> >   * The size of the PE/COFF section that covers the kernel image, which
> >   * runs from _stext to _edata, must be a round multiple of the PE/COFF
> > @@ -161,7 +166,7 @@ SECTIONS
> >                         IDMAP_TEXT
> >                         HIBERNATE_TEXT
> >                         TRAMP_TEXT
> > -                       *(.fixup)
> > +                       FIXUP_TEXT
> >                         *(.gnu.warning)
> >                 . = ALIGN(16);
> >                 *(.got)                 /* Global offset table          */
> 
> 
> Oh, good it's very local to the .fixup thing rather than a common
> issue that affects all unwinds.

Yes, though the other issue I mentioned *does* exist, and can occur
separately, even if we're getting lucky and not hitting it often enough
to notice.

> In the other x86 thread Josh Poimboeuf suggested to use asm goto to a
> cold part of the function instead of .fixup:
> https://lore.kernel.org/lkml/20210927234543.6waods7rraxseind@treble/
> This sounds like a more reliable solution that will cause less
> maintenance burden. Would it work for arm64 as well?

Maybe we can use that when CC_HAS_ASM_GOTO_OUTPUT is avaiable, but in
general we can't rely on asm goto supporting output arguments (and IIRC
GCC doesn't support that at all), so we'd still have to support the
current fixup scheme.

Thanks,
Mark.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ