| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230413071925.42858-1-haibo.li@mediatek.com>
Date: Thu, 13 Apr 2023 15:19:25 +0800
From: Haibo Li <haibo.li@...iatek.com>
To: <amergnat@...libre.com>
CC: <alexander.sverdlin@...ia.com>,
<angelogioacchino.delregno@...labora.com>, <haibo.li@...iatek.com>,
<linus.walleij@...aro.org>, <linux-arm-kernel@...ts.infradead.org>,
<linux-kernel@...r.kernel.org>,
<linux-mediatek@...ts.infradead.org>, <linux@...linux.org.uk>,
<matthias.bgg@...il.com>, <rmk+kernel@...linux.org.uk>,
<xiaoming.yu@...iatek.com>
Subject: Re: [PATCH] ARM:unwind:fix unwind abort for uleb128 case
> On 07/04/2023 05:33, Haibo Li wrote:
> > When unwind instruction is 0xb2,the subsequent instructions are
> > uleb128 bytes.
> > For now,it uses only the first uleb128 byte in code.
> >
> > For vsp increments of 0x204~0x400,use one uleb128 byte like below:
> > 0xc06a00e4 <unwind_test_work>: 0x80b27fac
> > Compact model index: 0
> > 0xb2 0x7f vsp = vsp + 1024
> > 0xac pop {r4, r5, r6, r7, r8, r14}
> >
> > For vsp increments larger than 0x400,use two uleb128 bytes like below:
> > 0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
> > Compact model index: 1
> > 0xb2 0x81 0x01 vsp = vsp + 1032
> > 0xac pop {r4, r5, r6, r7, r8, r14}
> > The unwind works well since the decoded uleb128 byte is also 0x81.
> >
> > For vsp increments larger than 0x600,use two uleb128 bytes like below:
> > 0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
> > Compact model index: 1
> > 0xb2 0x81 0x02 vsp = vsp + 1544
> > 0xac pop {r4, r5, r6, r7, r8, r14}
> > In this case,the decoded uleb128 result is 0x101(vsp=0x204+(0x101<<2)).
> > While the uleb128 used in code is 0x81(vsp=0x204+(0x81<<2)).
> > The unwind aborts at this frame since it gets incorrect vsp.
> >
> > To fix this,add uleb128 decode to cover all the above case.
> >
> > Signed-off-by: Haibo Li <haibo.li@...iatek.com>
> > ---
> > arch/arm/kernel/unwind.c | 19 +++++++++++++++++--
> > 1 file changed, 17 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c index
> > 53be7ea6181b..e5796a5acba1 100644
> > --- a/arch/arm/kernel/unwind.c
> > +++ b/arch/arm/kernel/unwind.c
> > @@ -20,7 +20,6 @@
> > #warning Change compiler or disable ARM_UNWIND option.
> > #endif
> > #endif /* __CHECKER__ */
> > -
>
> Why delete this line ?
It may be changed by mistake.I will restore it.
>
> > #include <linux/kernel.h>
> > #include <linux/init.h>
> > #include <linux/export.h>
> > @@ -308,6 +307,22 @@ static int
> unwind_exec_pop_subset_r0_to_r3(struct unwind_ctrl_block *ctrl,
> > return URC_OK;
> > }
> >
> > +static unsigned long unwind_decode_uleb128(struct unwind_ctrl_block
> > +*ctrl) {
> > + unsigned long result = 0;
> > + unsigned long insn;
> > + unsigned long bytes = 0;
>
> Alphabetical order please.
get it.
>
> > +
> > + do {
> > + insn = unwind_get_byte(ctrl);
> > + result |= (insn & 0x7f) << (bytes * 7);
> > + bytes++;
> > + if (bytes == sizeof(result))
> > + break;
> > + } while (!!(insn & 0x80));
> > +
> > + return result;
> > +}
>
> Please add a blank line for readability.
OK.
>
> > /*
> > * Execute the current unwind instruction.
> > */
> > @@ -361,7 +376,7 @@ static int unwind_exec_insn(struct
> unwind_ctrl_block *ctrl)
> > if (ret)
> > goto error;
> > } else if (insn == 0xb2) {
> > - unsigned long uleb128 = unwind_get_byte(ctrl);
> > + unsigned long uleb128 = unwind_decode_uleb128(ctrl);
> >
> > ctrl->vrs[SP] += 0x204 + (uleb128 << 2);
> > } else {
>
> Great job! I'm aligned with Linus Walleij's feedback about the need of few
> comments to explain the decode loop, even if your code is clear, light and
> robust.
Thanks for reviewing the patch.I will add the comment in later patch.
>
Powered by blists - more mailing lists