lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20230423012744.24320-1-chenzhongjin@huawei.com>
Date:   Sun, 23 Apr 2023 09:27:44 +0800
From:   Chen Zhongjin <chenzhongjin@...wei.com>
To:     <linux-kernel@...r.kernel.org>
CC:     <tglx@...utronix.de>, <mingo@...hat.com>, <bp@...en8.de>,
        <dave.hansen@...ux.intel.com>, <x86@...nel.org>, <hpa@...or.com>,
        <chenzhongjin@...wei.com>, <ak@...ux.intel.com>,
        <David.Laight@...LAB.COM>, <jpoimboe@...nel.org>
Subject: [PATCH v3] x86: profiling: remove lock functions profiling in profile_pc

Syzbot has been reporting the problem of stack-out-of-bounds in
profile_pc for a long time:
https://syzkaller.appspot.com/bug?extid=84fe685c02cd112a2ac3

profile_pc will get return address for caller if current function
is lock function. For !CONFIG_FRAME_POINTER it uses a hack way to get
the caller by directly reading sp[0] or sp [1].
It not works when KASAN is enabled because KASAN pushes data on stack
which makes sp[0/1] become KASAN red zone. Then profile_pc reads wrong
memory and triggers KASAN warning frequently.

This hack might be ok when first added at 2006 but now it's different:

1. There are some lock functions which have frame longer than two stack
slots. For these functions sp[0/1] is not a legal return address even
KASAN is not enabled.
2. !CONFIG_FRAME_POINTER is more used today because UNWINDER_ORC.
3. Lock function caller information can be prfiled by perf better.

Since profile as a low level facility it's not proper to depend on
complex generic unwinder to get the next frame. As lock profiling is
no longer useful, it's fine to remove it.

Fixes: 0cb91a229364 ("[PATCH] i386: Account spinlocks to the caller during profiling for !FP kernels")
Suggested-by: Andi Kleen <ak@...ux.intel.com>
Signed-off-by: Chen Zhongjin <chenzhongjin@...wei.com>
---
v1->v2:
Make a more detailed commit log.

v2->v3:
Also remove if for FRAME_POINTER case; slightly fix the commit log.
---
arch/x86/kernel/time.c | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
index e42faa792c07..52e1f3f0b361 100644
--- a/arch/x86/kernel/time.c
+++ b/arch/x86/kernel/time.c
@@ -27,25 +27,7 @@
 
 unsigned long profile_pc(struct pt_regs *regs)
 {
-	unsigned long pc = instruction_pointer(regs);
-
-	if (!user_mode(regs) && in_lock_functions(pc)) {
-#ifdef CONFIG_FRAME_POINTER
-		return *(unsigned long *)(regs->bp + sizeof(long));
-#else
-		unsigned long *sp = (unsigned long *)regs->sp;
-		/*
-		 * Return address is either directly at stack pointer
-		 * or above a saved flags. Eflags has bits 22-31 zero,
-		 * kernel addresses don't.
-		 */
-		if (sp[0] >> 22)
-			return sp[0];
-		if (sp[1] >> 22)
-			return sp[1];
-#endif
-	}
-	return pc;
+	return instruction_pointer(regs);
 }
 EXPORT_SYMBOL(profile_pc);
 
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ