lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230412024406.62187-1-haibo.li@mediatek.com>
Date:   Wed, 12 Apr 2023 10:44:06 +0800
From:   Haibo Li <haibo.li@...iatek.com>
To:     <linus.walleij@...aro.org>
CC:     <a.anurag@...sung.com>, <alexander.sverdlin@...ia.com>,
        <angelogioacchino.delregno@...labora.com>, <ardb@...nel.org>,
        <catalin.marinas@....com>, <haibo.li@...iatek.com>,
        <linux-arm-kernel@...ts.infradead.org>,
        <linux-kernel@...r.kernel.org>,
        <linux-mediatek@...ts.infradead.org>, <linux@...linux.org.uk>,
        <matthias.bgg@...il.com>, <rmk+kernel@...linux.org.uk>,
        <xiaoming.yu@...iatek.com>
Subject: Re: [PATCH] ARM:unwind:fix unwind abort for uleb128 case

> On Fri, Apr 7, 2023 at 5:33 AM Haibo Li <haibo.li@...iatek.com> wrote:
> 
> > When unwind instruction is 0xb2,the subsequent instructions
> > are uleb128 bytes.
> > For now,it uses only the first uleb128 byte in code.
> >
> > For vsp increments of 0x204~0x400,use one uleb128 byte like below:
> > 0xc06a00e4 <unwind_test_work>: 0x80b27fac
> >   Compact model index: 0
> >   0xb2 0x7f vsp = vsp + 1024
> >   0xac      pop {r4, r5, r6, r7, r8, r14}
> >
> > For vsp increments larger than 0x400,use two uleb128 bytes like below:
> > 0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
> >   Compact model index: 1
> >   0xb2 0x81 0x01 vsp = vsp + 1032
> >   0xac      pop {r4, r5, r6, r7, r8, r14}
> > The unwind works well since the decoded uleb128 byte is also 0x81.
> >
> > For vsp increments larger than 0x600,use two uleb128 bytes like below:
> > 0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
> >   Compact model index: 1
> >   0xb2 0x81 0x02 vsp = vsp + 1544
> >   0xac      pop {r4, r5, r6, r7, r8, r14}
> > In this case,the decoded uleb128 result is 0x101(vsp=0x204+(0x101<<2)).
> > While the uleb128 used in code is 0x81(vsp=0x204+(0x81<<2)).
> > The unwind aborts at this frame since it gets incorrect vsp.
> >
> > To fix this,add uleb128 decode to cover all the above case.
> >
> > Signed-off-by: Haibo Li <haibo.li@...iatek.com>
> 
> [Added people such as Catalin, Ard and Anurag who wrote the lion's
> share of actual algorithms in this file]
> 
> I would just link the wikipedia in the patch commit log actually:
> 
> Link:https://en.wikipedia.org/wiki/LEB128
> 
> for poor souls like me who need a primer on this encoding.
> 
> It's great if you also have a reference to the spec where you
> found this, but I take your word for that this appears in code.
> Did compilers always emit this? Then we should have a Cc stable
> to this patch. Unfortunately the link in the top of the file is dead.
Yes.I also study uleb128 enc/dec format from this link.
In experiment,Both Clang and GCC produces unwind instructions using ULEB128
> 
> > +static unsigned long unwind_decode_uleb128(struct unwind_ctrl_block
> *ctrl)
> 
> So this decodes max an unsigned long? Are we sure that will always
> suffice?
For now,the maximum thread size of arm is 16KB(KASAN on).
>From below experiment(worse case while impossible),two uleb128 bytes is sufficent for 16KB stack.
0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
  Compact model index: 1
  0xb2 0xff 0x1e vsp = vsp + 16384
  0xac      pop {r4, r5, r6, r7, r8, r14}
>From below experiment,the code picks maximum 4 uleb128 encoded bytes,
correspoding to vsp increments of 1073742336,the unwind_decode_uleb128 returns 0xFFFFFFF.
So unsigned long is suffice.
0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
  Compact model index: 1
  0xb2 0xff 0xff 0xff 0x7f vsp = vsp + 1073742336
  0xac      pop {r4, r5, r6, r7, r8, r14}
> 
> > +{
> > +       unsigned long result = 0;
> > +       unsigned long insn;
> > +       unsigned long bytes = 0;
> > +
> > +       do {
> > +               insn = unwind_get_byte(ctrl);
> > +               result |= (insn & 0x7f) << (bytes * 7);
> > +               bytes++;
> > +               if (bytes == sizeof(result))
> > +                       break;
> > +       } while (!!(insn & 0x80));
> 
> I suppose the documentation is in the commit message, but something terse
> and nice that make us understand this code would be needed here as well.
> Could you fold in a comment of how the do {} while-loop works and th expected
> outcome? Something like:
> 
> "unwind_get_byte() will advance ctrl one instruction at a time, we loop
> until we get an instruction byte where bit 7 is not set."
> 
I will add a comment in later patch.
> Is there a risk that this will loop forever or way too long if it happens
> to point at some corrupted memory containing say 0xff 0xff 0xff ...?
> 
> Since we're decoding a 32 bit unsigned long maybe break the loop after max
> 5 bytes (35 bits)? Or are we sure this will not happen?
in case of some corrupted memory containing say 0xff 0xff 0xff ...,the loop breaks after 
max 4 bytes(decode as max 28 bits)
> 
> > @@ -361,7 +376,7 @@ static int unwind_exec_insn(struct
> unwind_ctrl_block *ctrl)
> >                 if (ret)
> >                         goto error;
> >         } else if (insn == 0xb2) {
> > -               unsigned long uleb128 = unwind_get_byte(ctrl);
> > +               unsigned long uleb128 = unwind_decode_uleb128(ctrl);
> 
> Is unsigned long always enough? We are sure?
For the patch,it can cover single frame up to 1073742336 Bytes.So it is enough.
>
> Yours,
> Linus Walleij

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ