lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Thu, 13 Apr 2023 15:37:56 +0800
From:   Chen Zhongjin <chenzhongjin@...wei.com>
To:     <x86@...nel.org>, <linux-kernel@...r.kernel.org>
CC:     <tglx@...utronix.de>, <mingo@...hat.com>, <bp@...en8.de>,
        <dave.hansen@...ux.intel.com>, <hpa@...or.com>,
        <chenzhongjin@...wei.com>, <ak@...ux.intel.com>,
        <David.Laight@...LAB.COM>
Subject: [PATCH v2] x86: profiling: remove lock functions hack for !FRAME_POINTER

Syzbot has been reporting the problem of stack-out-of-bounds in
profile_pc for a long time:
https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3

profile_pc will get return address for caller if current function
is lock function. For !CONFIG_FRAME_POINTER it uses a hack way to get
the caller by directly reading sp[0] or sp [1].
It not works when KASAN is enabled because KASAN pushes data on stack
which makes sp[0/1] become KASAN red zone. Then profile_pc reads wrong
memory and triggers KASAN warning frequently.

This hack might be ok when first added at 2006 but now it's different:

1. There are some lock functions which have frame longer than two stack
slots. For these functions sp[0/1] is not a legal return address even
KASAN is not enabled.
2. !CONFIG_FRAME_POINTER is more used today because UNWINDER_ORC.
3. Lock function caller information can be prfiled by perf better.

Since profile as a low level facility it's better not to depend on
complex generic unwinder to get the next frame. So it's reasonable to
remove lock functions hack for !FRAME_POINTER kernel.

Fixes: 0cb91a229364 ("[PATCH] i386: Account spinlocks to the caller during profiling for !FP kernels")
Suggested-by: Andi Kleen <ak@...ux.intel.com>
Signed-off-by: Chen Zhongjin <chenzhongjin@...wei.com>
---
v1->v2:
Make a more detailed commit log.
---
 arch/x86/kernel/time.c | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
index e42faa792c07..e08fac7bb71e 100644
--- a/arch/x86/kernel/time.c
+++ b/arch/x86/kernel/time.c
@@ -29,22 +29,10 @@ unsigned long profile_pc(struct pt_regs *regs)
 {
 	unsigned long pc = instruction_pointer(regs);
 
-	if (!user_mode(regs) && in_lock_functions(pc)) {
 #ifdef CONFIG_FRAME_POINTER
+	if (!user_mode(regs) && in_lock_functions(pc))
 		return *(unsigned long *)(regs->bp + sizeof(long));
-#else
-		unsigned long *sp = (unsigned long *)regs->sp;
-		/*
-		 * Return address is either directly at stack pointer
-		 * or above a saved flags. Eflags has bits 22-31 zero,
-		 * kernel addresses don't.
-		 */
-		if (sp[0] >> 22)
-			return sp[0];
-		if (sp[1] >> 22)
-			return sp[1];
 #endif
-	}
 	return pc;
 }
 EXPORT_SYMBOL(profile_pc);
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ