lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <14e09781-6ffd-0834-fba4-427e5030f2be@gmail.com>
Date:   Tue, 23 May 2023 13:11:46 +1200
From:   Michael Schmitz <schmitzmic@...il.com>
To:     Geert Uytterhoeven <geert@...ux-m68k.org>,
        Finn Thain <fthain@...ux-m68k.org>
Cc:     Andreas Schwab <schwab@...ux-m68k.org>, stable@...r.kernel.org,
        linux-m68k@...ts.linux-m68k.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1 1/1] m68k: Move signal frame following exception on
 68020/030

Hi Geert,

On 22/05/23 23:41, Geert Uytterhoeven wrote:
> On Sat, May 6, 2023 at 11:36 AM Finn Thain <fthain@...ux-m68k.org> wrote:
>> On 68030/020, an instruction such as, moveml %a2-%a3/%a5,%sp@- may cause
>> a stack page fault during instruction execution (i.e. not at an
>> instruction boundary) and produce a format 0xB exception frame.
>>
>> In this situation, the value of USP will be unreliable. If a signal is to
>> be delivered following the exception, this USP value is used to calculate
>> the location for a signal frame. This can result in a corrupted user
>> stack.
>>
>> The corruption was detected in dash (actually in glibc) where it showed
>> up as an intermittent "stack smashing detected" message and crash
>> following signal delivery for SIGCHLD.
>>
>> It was hard to reproduce that failure because delivery of the signal
>> raced with the page fault and because the kernel places an unpredictable
>> gap of up to 7 bytes between the USP and the signal frame.
>>
>> A format 0xB exception frame can be produced by a bus error or an address
>> error. The 68030 Users Manual says that address errors occur immediately
>> upon detection during instruction prefetch. The instruction pipeline
>> allows prefetch to overlap with other instructions, which means an
>> address error can arise during the execution of a different instruction.
>> So it seems likely that this patch may help in the address error case also.
>>
>> Reported-and-tested-by: Stan Johnson <userm57@...oo.com>
>> Link: https://lore.kernel.org/all/CAMuHMdW3yD22_ApemzW_6me3adq6A458u1_F0v-1EYwK_62jPA@mail.gmail.com/
>> Cc: Michael Schmitz <schmitzmic@...il.com>
>> Cc: Andreas Schwab <schwab@...ux-m68k.org>
>> Cc: stable@...r.kernel.org
>> Co-developed-by: Michael Schmitz <schmitzmic@...il.com>
>> Signed-off-by: Michael Schmitz <schmitzmic@...il.com>
>> Signed-off-by: Finn Thain <fthain@...ux-m68k.org>
> Reviewed-by: Geert Uytterhoeven <geert@...ux-m68k.org>
> i.e. will queue as a fix in the m68k for-v6.4 branch.
>
> I plan to send this upstream later this week, so any additional
> testing would be appreciated.

I've given this some lengthy stress testing, and haven't seen it fail once.

In contrast, various attempts of mine to improve on the concept (by only 
moving the signal frame away from the USP in case it's likely to clash) 
sometimes came up against a kernel bus error in setup_frame() when 
copying the signo to the signal frame. I must be making some incorrect 
assumptions still ...

Limiting the signal frame shift to bus fault exceptions that happen 
mid-instruction is not too much of an overhead even in low memory 
settings, and using 256 bytes (the largest possible operand size, i.e. 
the largest adjustment to USP that might occur on completion of the 
interrupted instruction) did not seem to cause any issues with stack 
growth either.

I can give this some more testing in ARAnyM (extending the stack shift 
to format 7 frames) but I'd say it's got as much testing on 030 hardware 
as we can do.

Cheers,

     Michael


>
> Thanks!
>
> Gr{oetje,eeting}s,
>
>                          Geert
>
>
> --
> Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org
>
> In personal conversations with technical people, I call myself a hacker. But
> when I'm talking to journalists I just say "programmer" or something like that.
>                                  -- Linus Torvalds

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ