lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZojxN5iOHhGAt3A5@shell.armlinux.org.uk>
Date: Sat, 6 Jul 2024 08:24:39 +0100
From: "Russell King (Oracle)" <linux@...linux.org.uk>
To: wanglinhui <wanglinhui@...wei.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <kees@...nel.org>,
	Kefeng Wang <wangkefeng.wang@...wei.com>,
	Suren Baghdasaryan <surenb@...gle.com>,
	Linus Walleij <linus.walleij@...aro.org>,
	Catalin Marinas <catalin.marinas@....com>,
	linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
	wangfangpeng1@...wei.com, zhangxun38@...wei.com,
	yangzhuohao1@...wei.com
Subject: Re: [PATCH] ARM: Fix "external abort on non-linefetch" kernel panic
 caused by userspace

On Sat, Jul 06, 2024 at 11:20:05AM +0800, wanglinhui wrote:
> 0x16800000 is a peripheral physical address that supports only
> 4-byte-aligned access.
> 
> Use /dev/mem to enable the user space to access 0x16800000. Then userspace
> unexpectedly tried to read four bytes from 0x16800001 (actually access
> its virtual address), which caused the kernel to trigger an
> "external abort on non-linefetch" panic:
> 
>   Unhandled fault: external abort on non-linefetch (0x1018) at 0x0100129b
>   [0100129b] *pgd=85038831, *pte=16801703, *ppte=16801e33
>   Internal error: : 1018 [#1] SMP ARM
>   ...
>   CPU: 2 PID: xxxx Comm: xxxx Tainted: G           O      5.10.0 #1
>   Hardware name: Hisilicon A9
>   PC is at do_alignment_ldrstr+0xb8/0x100
>   LR is at 0xc1f203fc
>   psr: 200f0313
>   sp : c7081ed4  ip : 00000008  fp : 00000011
>   r10: b42250c8  r9 : c7081f0c  r8 : c7081fb0
>   r7 : 0100129b  r6 : 00000004  r5 : 00000000  r4 : e5908000
>   r3 : 00000000  r2 : c7081f0c  r1 : 200f0210  r0 : 0100129b
>   Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
>   Control: 1ac5387d  Table: 82c3c04a  DAC: 55555555
>   Process LcnNCoreTask (pid: 4049, stack limit = 0x14066b0e)
>   Call trace:
>     do_alignment_ldrstr
>     --do_alignment
>     ----do_DataAbort
>     ------__dabt_usr
> 
> It triggers a data abort exception twice. The first time occurs when
> an unaligned address is accessed in user mode. The second time occurs
> when the peripheral address is actually accessed in kernel mode,
> and it crashes the kernel. However, the code location for the second
> data abort is as follows:
> 
>   ```
>   #define __get8_unaligned_check(ins, val, addr, err) \
>   	__asm__(\
>    ARM("1: "ins" %1, [%2], #1\n") \ <-- Second data abort is triggered here
>    THUMB("1: "ins" %1, [%2]\n") \
>    THUMB(" add %2, %2, #1\n") \
>   	"2:\n" \
>   	" .pushsection .text.fixup,\"ax\"\n" \
>   ```
> 
> It is an exception table entry that can be fixed up.
> 
> There is another test that indicates that
> "external abort on non-linefetch" needs to be fixed up.
> 
> Similarly, use /dev/mem to map 0x16800000 to the user space.
> Pass 0x16800001 (actually passes its virtual address) to the
> kernel via the write() system call and write 1 byte.
> It also causes the kernel to trigger an
> "external abort on non-linefetch" panic:
> 
>   Unhandled fault: external abort on non-linefetch (0x1018) at 0xb6f95000
>   [b6f95000] *pgd=83fb6831, *pte=16800783, *ppte=16800e33
>   Internal error: : 1018 [#1] SMP ARM
>   ...
>   CPU: 1 PID: xxxx Comm: xxxx Tainted: G           O      5.10.0 #1
>   Hardware name: Hisilicon A9
>   PC is at __get_user_1+0x14/0x20
>   LR is at iov_iter_fault_in_readable+0x7c/0x198
>   psr: 800b0213
>   sp : c195be18  ip : 00000001  fp : c35a2478
>   r10: c06b5260  r9 : 00000000  r8 : c356fee0
>   r7 : ffffe000  r6 : b6f95000  r5 : 00000001  r4 : c195bf10
>   r3 : b6f95000  r2 : f7f95000  r1 : beffffff  r0 : b6f95000
>   Call trace looks like:
>     __get_user_1
>     --iov_iter_fault_in_readable
>     ----generic_perform_write
>     ------__generic_file_write_iter
>     --------generic_file_write_iter
> 
> The location of the instruction that triggers the data abort
> is as follows:
>   ```
>   ENTRY(__get_user_1)
>   	check_uaccess r0, 1, r1, r2, __get_user_bad
>   1: TUSER(ldrb) r2, [r0] <-- Data abort is triggered here
>   	mov r0, #0
>   	ret lr
>   ENDPROC(__get_user_1)
>   _ASM_NOKPROBE(__get_user_1)
>   ```
> It is also an exception table entry that can be fixed up.
> 
> Address passed in from user space should not crash the kernel.
> Therefore, fixup_exception() is added to fix up such exception.

NAK because:

1) you're using /dev/mem which requires privileges - you're holding
   the gun, pointing it at your foot.

2) you're performing an unaligned access to a device which is
   architecturally not permitted - you're pulling the trigger.

It's not surprising that the result is you've shot yourself in the
foot!

If you access /dev/mem, then you need to know what you're doing and
you must access it according to the requirements of the memory space
you are accessing, otherwise undefined behaviour will occur - not
only architecturally, but also by the kernel.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ