lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Fri, 14 Apr 2023 13:57:04 +0800
From:   Haibo Li <haibo.li@...iatek.com>
To:     <angelogioacchino.delregno@...labora.com>
CC:     <a.anurag@...sung.com>, <alexander.sverdlin@...ia.com>,
        <amergnat@...libre.com>, <ardb@...nel.org>,
        <catalin.marinas@....com>, <haibo.li@...iatek.com>,
        <linus.walleij@...aro.org>, <linux-arm-kernel@...ts.infradead.org>,
        <linux-kernel@...r.kernel.org>,
        <linux-mediatek@...ts.infradead.org>, <linux@...linux.org.uk>,
        <matthias.bgg@...il.com>, <rmk+kernel@...linux.org.uk>,
        <xiaoming.yu@...iatek.com>
Subject: Re: [PATCH v2] ARM:unwind:fix unwind abort for uleb128 case

> Il 13/04/23 09:34, Haibo Li ha scritto:
> > When unwind instruction is 0xb2,the subsequent instructions are
> > uleb128 bytes.
> > For now,it uses only the first uleb128 byte in code.
> >
> > For vsp increments of 0x204~0x400,use one uleb128 byte like below:
> > 0xc06a00e4 <unwind_test_work>: 0x80b27fac
> >    Compact model index: 0
> >    0xb2 0x7f vsp = vsp + 1024
> >    0xac      pop {r4, r5, r6, r7, r8, r14}
> >
> > For vsp increments larger than 0x400,use two uleb128 bytes like below:
> > 0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
> >    Compact model index: 1
> >    0xb2 0x81 0x01 vsp = vsp + 1032
> >    0xac      pop {r4, r5, r6, r7, r8, r14}
> > The unwind works well since the decoded uleb128 byte is also 0x81.
> >
> > For vsp increments larger than 0x600,use two uleb128 bytes like below:
> > 0xc06a00e4 <unwind_test_work>: @0xc0cc9e0c
> >    Compact model index: 1
> >    0xb2 0x81 0x02 vsp = vsp + 1544
> >    0xac      pop {r4, r5, r6, r7, r8, r14}
> > In this case,the decoded uleb128 result is 0x101(vsp=0x204+(0x101<<2)).
> > While the uleb128 used in code is 0x81(vsp=0x204+(0x81<<2)).
> > The unwind aborts at this frame since it gets incorrect vsp.
> >
> > To fix this,add uleb128 decode to cover all the above case.
> >
> > Signed-off-by: Haibo Li <haibo.li@...iatek.com>
> > ---
> > v2:
> > - As Linus Walleij and Alexandre Mergnat suggested,add comments for
> > unwind_decode_uleb128
> > - As Alexandre Mergnat suggested,change variables declaration in
> > Alphabetical order
> > ---
> >   arch/arm/kernel/unwind.c | 25 ++++++++++++++++++++++++-
> >   1 file changed, 24 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c index
> > 53be7ea6181b..f37e55fcf81d 100644
> > --- a/arch/arm/kernel/unwind.c
> > +++ b/arch/arm/kernel/unwind.c
> > @@ -308,6 +308,29 @@ static int
> unwind_exec_pop_subset_r0_to_r3(struct unwind_ctrl_block *ctrl,
> >       return URC_OK;
> >   }
> >
> > +static unsigned long unwind_decode_uleb128(struct unwind_ctrl_block
> > +*ctrl) {
> > +     unsigned long bytes = 0;
> > +     unsigned long insn;
> > +     unsigned long result = 0;
> > +
> > +     /* unwind_get_byte() will advance ctrl one instruction at a time,
> > +      * we loop until we get an instruction byte where bit 7 is not set.
> > +      * Note:It decodes max 4 bytes to output 28bits data.
> > +      * 28bits data(0xfffffff) covers vsp increments of 1073742336.
> > +      * It is sufficent for unwinding stack.
> > +      */
> 
> /*
>   * unwind_get_byte() will advance `ctrl` one instruction at a time, so
>   * loop until we get an instruction byte where bit 7 is not set.
>   *
>   * Note: This decodes a maximum of 4 bytes to output 28 bits data where
>   * max is 0xfffffff: that will cover a vsp increment of 1073742336, hence
>   * it is sufficient for unwinding the stack.
>   */
Looks much better.Thanks.
> 
> > +     do {
> > +             insn = unwind_get_byte(ctrl);
> > +             result |= (insn & 0x7f) << (bytes * 7);
> > +             bytes++;
> 
> also, I would do ...
> 
>         } while (!!(insn & 0x80) && bytes != sizeof(result));
> 
> ...compressing the code and not creating any human readability concern.
> 
> after which, you can get my
> 
> Reviewed-by: AngeloGioacchino Del Regno
> <angelogioacchino.delregno@...labora.com>
get it.I will make a new patch.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ