lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230403044340.1312-2-chang.seok.bae@intel.com>
Date:   Sun,  2 Apr 2023 21:43:37 -0700
From:   "Chang S. Bae" <chang.seok.bae@...el.com>
To:     linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     shuah@...nel.org, luto@...nel.org, dave.hansen@...el.com,
        tglx@...utronix.de, bp@...e.de, jun.miao@...driver.com,
        chang.seok.bae@...el.com
Subject: [PATCH v1 1/4] selftests/x86: Fix the altstack free

Some altstacks are freed up too early even before the test signal
delivery. Move the memory cleanup after a signal return.

Fixes: a051b2e56f2a ("selftests/x86: Fix error: variably modified 'altstack_data' at file scope")
Signed-off-by: Chang S. Bae <chang.seok.bae@...el.com>
Cc: Shuah Khan <shuah@...nel.org>
Cc: Jun Miao <jun.miao@...driver.com>
Cc: linux-kselftest@...r.kernel.org
Cc: linux-kernel@...r.kernel.org
---
The issue was discovered by the altstack refactoring in this series
that replaces malloc()/free() with mmap()/munmap().
---
 tools/testing/selftests/x86/mov_ss_trap.c       | 17 ++++++++++-------
 .../testing/selftests/x86/single_step_syscall.c | 17 ++++++++++-------
 2 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/tools/testing/selftests/x86/mov_ss_trap.c b/tools/testing/selftests/x86/mov_ss_trap.c
index cc3de6ff9fba..6b9bf8dc3b60 100644
--- a/tools/testing/selftests/x86/mov_ss_trap.c
+++ b/tools/testing/selftests/x86/mov_ss_trap.c
@@ -142,8 +142,17 @@ static void handle_and_longjmp(int sig, siginfo_t *si, void *ctx_void)
 
 int main()
 {
+	stack_t stack = { };
 	unsigned long nr;
 
+	stack.ss_size = SIGSTKSZ;
+	stack.ss_sp = malloc(sizeof(char) * SIGSTKSZ);
+	if (!stack.ss_sp)
+		err(1, "malloc()");
+
+	if (sigaltstack(&stack, NULL) != 0)
+		err(1, "sigaltstack()");
+
 	asm volatile ("mov %%ss, %[ss]" : [ss] "=m" (ss));
 	printf("\tSS = 0x%hx, &SS = 0x%p\n", ss, &ss);
 
@@ -248,15 +257,8 @@ int main()
 	 */
 	if (sigsetjmp(jmpbuf, 1) == 0) {
 		printf("[RUN]\tMOV SS; SYSENTER\n");
-		stack_t stack = {
-			.ss_sp = malloc(sizeof(char) * SIGSTKSZ),
-			.ss_size = SIGSTKSZ,
-		};
-		if (sigaltstack(&stack, NULL) != 0)
-			err(1, "sigaltstack");
 		sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND | SA_ONSTACK);
 		nr = SYS_getpid;
-		free(stack.ss_sp);
 		/* Clear EBP first to make sure we segfault cleanly. */
 		asm volatile ("xorl %%ebp, %%ebp; mov %[ss], %%ss; SYSENTER" : "+a" (nr)
 			      : [ss] "m" (ss) : "flags", "rcx"
@@ -281,6 +283,7 @@ int main()
 			);
 	}
 
+	free(stack.ss_sp);
 	printf("[OK]\tI aten't dead\n");
 	return 0;
 }
diff --git a/tools/testing/selftests/x86/single_step_syscall.c b/tools/testing/selftests/x86/single_step_syscall.c
index 9a30f443e928..2d8e0edca23f 100644
--- a/tools/testing/selftests/x86/single_step_syscall.c
+++ b/tools/testing/selftests/x86/single_step_syscall.c
@@ -144,10 +144,19 @@ static void fast_syscall_no_tf(void)
 
 int main()
 {
+	stack_t stack = { };
 #ifdef CAN_BUILD_32
 	int tmp;
 #endif
 
+	stack.ss_size = SIGSTKSZ;
+	stack.ss_sp = malloc(sizeof(char) * SIGSTKSZ);
+	if (!stack.ss_sp)
+		err(1, "malloc()");
+
+	if (sigaltstack(&stack, NULL) != 0)
+		err(1, "sigaltstack()");
+
 	sethandler(SIGTRAP, sigtrap, 0);
 
 	printf("[RUN]\tSet TF and check nop\n");
@@ -208,17 +217,10 @@ int main()
 	if (sigsetjmp(jmpbuf, 1) == 0) {
 		unsigned long nr = SYS_getpid;
 		printf("[RUN]\tSet TF and check SYSENTER\n");
-		stack_t stack = {
-			.ss_sp = malloc(sizeof(char) * SIGSTKSZ),
-			.ss_size = SIGSTKSZ,
-		};
-		if (sigaltstack(&stack, NULL) != 0)
-			err(1, "sigaltstack");
 		sethandler(SIGSEGV, print_and_longjmp,
 			   SA_RESETHAND | SA_ONSTACK);
 		sethandler(SIGILL, print_and_longjmp, SA_RESETHAND);
 		set_eflags(get_eflags() | X86_EFLAGS_TF);
-		free(stack.ss_sp);
 		/* Clear EBP first to make sure we segfault cleanly. */
 		asm volatile ("xorl %%ebp, %%ebp; SYSENTER" : "+a" (nr) :: "flags", "rcx"
 #ifdef __x86_64__
@@ -238,5 +240,6 @@ int main()
 	/* Now make sure that another fast syscall doesn't set TF again. */
 	fast_syscall_no_tf();
 
+	free(stack.ss_sp);
 	return 0;
 }
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ