| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 May 2023 13:11:46 +1200
From: Michael Schmitz <schmitzmic@...il.com>
To: Geert Uytterhoeven <geert@...ux-m68k.org>,
Finn Thain <fthain@...ux-m68k.org>
Cc: Andreas Schwab <schwab@...ux-m68k.org>, stable@...r.kernel.org,
linux-m68k@...ts.linux-m68k.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1 1/1] m68k: Move signal frame following exception on
68020/030
Hi Geert,
On 22/05/23 23:41, Geert Uytterhoeven wrote:
> On Sat, May 6, 2023 at 11:36 AM Finn Thain <fthain@...ux-m68k.org> wrote:
>> On 68030/020, an instruction such as, moveml %a2-%a3/%a5,%sp@- may cause
>> a stack page fault during instruction execution (i.e. not at an
>> instruction boundary) and produce a format 0xB exception frame.
>>
>> In this situation, the value of USP will be unreliable. If a signal is to
>> be delivered following the exception, this USP value is used to calculate
>> the location for a signal frame. This can result in a corrupted user
>> stack.
>>
>> The corruption was detected in dash (actually in glibc) where it showed
>> up as an intermittent "stack smashing detected" message and crash
>> following signal delivery for SIGCHLD.
>>
>> It was hard to reproduce that failure because delivery of the signal
>> raced with the page fault and because the kernel places an unpredictable
>> gap of up to 7 bytes between the USP and the signal frame.
>>
>> A format 0xB exception frame can be produced by a bus error or an address
>> error. The 68030 Users Manual says that address errors occur immediately
>> upon detection during instruction prefetch. The instruction pipeline
>> allows prefetch to overlap with other instructions, which means an
>> address error can arise during the execution of a different instruction.
>> So it seems likely that this patch may help in the address error case also.
>>
>> Reported-and-tested-by: Stan Johnson <userm57@...oo.com>
>> Link: https://lore.kernel.org/all/CAMuHMdW3yD22_ApemzW_6me3adq6A458u1_F0v-1EYwK_62jPA@mail.gmail.com/
>> Cc: Michael Schmitz <schmitzmic@...il.com>
>> Cc: Andreas Schwab <schwab@...ux-m68k.org>
>> Cc: stable@...r.kernel.org
>> Co-developed-by: Michael Schmitz <schmitzmic@...il.com>
>> Signed-off-by: Michael Schmitz <schmitzmic@...il.com>
>> Signed-off-by: Finn Thain <fthain@...ux-m68k.org>
> Reviewed-by: Geert Uytterhoeven <geert@...ux-m68k.org>
> i.e. will queue as a fix in the m68k for-v6.4 branch.
>
> I plan to send this upstream later this week, so any additional
> testing would be appreciated.
I've given this some lengthy stress testing, and haven't seen it fail once.
In contrast, various attempts of mine to improve on the concept (by only
moving the signal frame away from the USP in case it's likely to clash)
sometimes came up against a kernel bus error in setup_frame() when
copying the signo to the signal frame. I must be making some incorrect
assumptions still ...
Limiting the signal frame shift to bus fault exceptions that happen
mid-instruction is not too much of an overhead even in low memory
settings, and using 256 bytes (the largest possible operand size, i.e.
the largest adjustment to USP that might occur on completion of the
interrupted instruction) did not seem to cause any issues with stack
growth either.
I can give this some more testing in ARAnyM (extending the stack shift
to format 7 frames) but I'd say it's got as much testing on 030 hardware
as we can do.
Cheers,
Michael
>
> Thanks!
>
> Gr{oetje,eeting}s,
>
> Geert
>
>
> --
> Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org
>
> In personal conversations with technical people, I call myself a hacker. But
> when I'm talking to journalists I just say "programmer" or something like that.
> -- Linus Torvalds
Powered by blists - more mailing lists