| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Sep 2021 11:35:43 +0100
From: Mark Rutland <mark.rutland@....com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: syzbot <syzbot+488ddf8087564d6de6e2@...kaller.appspotmail.com>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk,
will@...nel.org
Subject: Re: [syzbot] upstream test error: KASAN: invalid-access Read in
__entry_tramp_text_end
On Tue, Sep 28, 2021 at 12:19:23PM +0200, Dmitry Vyukov wrote:
> On Mon, 27 Sept 2021 at 19:18, Mark Rutland <mark.rutland@....com> wrote:
> > What's happened here is that __d_lookup() (via a few layers of inlining) called
> > load_unaligned_zeropad(). The `LDR` at the start of the asm faulted (I suspect
> > due to a tag check fault), and so the exception handler replaced the PC with
> > the (anonymous) fixup function. This is akin to a tail or sibling call, and so
> > the fixup function entirely replaces __d_lookup() in the trace.
> >
> > The fixup function itself has an `LDR` which faulted (because it's
> > designed to fixup page alignment problems, not tag check faults), and
> > that is what's reported here.
> >
> > As the fixup function is anonymous, and the nearest prior symbol in .text is
> > __entry_tramp_text_end, it gets symbolized as an offset from that.
> >
> > We can make the unwinds a bit nicer by adding some markers (e.g. patch
> > below), but actually fixing this case will require some more thought.
> >
> > Thanks,
> > Mark.
> >
> > ---->8----
> > diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
> > index 709d2c433c5e..127096a0faea 100644
> > --- a/arch/arm64/kernel/vmlinux.lds.S
> > +++ b/arch/arm64/kernel/vmlinux.lds.S
> > @@ -111,6 +111,11 @@ jiffies = jiffies_64;
> > #define TRAMP_TEXT
> > #endif
> >
> > +#define FIXUP_TEXT \
> > + __fixup_text_start = .; \
> > + *(.fixup); \
> > + __fixup_text_end = .;
> > +
> > /*
> > * The size of the PE/COFF section that covers the kernel image, which
> > * runs from _stext to _edata, must be a round multiple of the PE/COFF
> > @@ -161,7 +166,7 @@ SECTIONS
> > IDMAP_TEXT
> > HIBERNATE_TEXT
> > TRAMP_TEXT
> > - *(.fixup)
> > + FIXUP_TEXT
> > *(.gnu.warning)
> > . = ALIGN(16);
> > *(.got) /* Global offset table */
>
>
> Oh, good it's very local to the .fixup thing rather than a common
> issue that affects all unwinds.
Yes, though the other issue I mentioned *does* exist, and can occur
separately, even if we're getting lucky and not hitting it often enough
to notice.
> In the other x86 thread Josh Poimboeuf suggested to use asm goto to a
> cold part of the function instead of .fixup:
> https://lore.kernel.org/lkml/20210927234543.6waods7rraxseind@treble/
> This sounds like a more reliable solution that will cause less
> maintenance burden. Would it work for arm64 as well?
Maybe we can use that when CC_HAS_ASM_GOTO_OUTPUT is avaiable, but in
general we can't rely on asm goto supporting output arguments (and IIRC
GCC doesn't support that at all), so we'd still have to support the
current fixup scheme.
Thanks,
Mark.
Powered by blists - more mailing lists