lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ca433beb-e3cd-8036-cc05-5f4cc1a735fa@loongson.cn>
Date: Tue, 30 Jul 2024 18:57:48 +0800
From: Jinyang He <hejinyang@...ngson.cn>
To: Tiezhu Yang <yangtiezhu@...ngson.cn>, Josh Poimboeuf
 <jpoimboe@...nel.org>, Peter Zijlstra <peterz@...radead.org>,
 Huacai Chen <chenhuacai@...nel.org>
Cc: loongarch@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] objtool/LoongArch: Restrict stack operation
 instruction


On 2024-07-30 17:49, Tiezhu Yang wrote:
> On 07/30/2024 05:28 PM, Jinyang He wrote:
>> On 2024-07-30 14:19, Tiezhu Yang wrote:
>>
>>> After commit a0f7085f6a63 ("LoongArch: Add RANDOMIZE_KSTACK_OFFSET
>>> support"), the code flow of do_syscall() was changed when compiled
>>> with GCC due to the secondary stack of add_random_kstack_offset(),
>>> something like this:
>>>
>>>    addi.d          $sp, $sp, -32
>>>    st.d            $fp, $sp, 16
>>>    st.d            $ra, $sp, 24
>>>    addi.d          $fp, $sp, 32
>>>    ...
>>>    sub.d           $sp, $sp, $t1
>> Have you checked the ORC info whether is right or tried backtrace which
>> passed do_syscall? The "sub.d $sp, $sp, $t1" has modified the $sp so the
>> $sp cannot express CFA here. This patch just clear the warning but 
>> ignore
>> the validity of ORC info. The wrong ORC info may cause illegally access
>> memory when backtrace.
>
> I did testing many times before submitting, the call trace is
> expected when testing "echo l > /proc/sysrq-trigger".
Make sure the RANDOMIZE_KSTACK_OFFSET is enable. I tested it by
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y on qemu and it did
not show the frame about handle_syscall.

On the other hand,
$ ./tools/objtool/objtool --dump arch/loongarch/kernel/syscall.o
.noinstr.text+0:type:call sp:sp +   0 fp: (und)  ra: (und)  signal:0
.noinstr.text+4:type:call sp:sp +  32 fp: (und)  ra: (und)  signal:0
.noinstr.text+8:type:call sp:sp +  32 fp:prevsp + -16 ra: (und) signal:0
.noinstr.text+c:type:call sp:sp +  32 fp:prevsp + -16 ra:prevsp + -8 
signal:0
.noinstr.text+e4:type:call sp:sp +  32 fp:prevsp + -16 ra: (und) signal:0
.noinstr.text+e8:type:call sp:sp +  32 fp: (und)  ra: (und) signal:0
.noinstr.text+ec:type:call sp:sp +   0 fp: (und)  ra: (und) signal:0
.noinstr.text+f0:type:? sp: (und)  fp: (und)  ra: (und)  signal:0
.noinstr.text+100:type:call sp:sp +  32 fp:prevsp + -16 ra:prevsp + -8 
signal:0
.noinstr.text+118:type:? sp: (und)  fp: (und)  ra: (und)  signal:0
$ objdump -d arch/loongarch/kernel/syscall.o | grep "sub.*sp.*sp"
   70:    0011b463     sub.d           $sp, $sp, $t1
Obviously the ORC info is wrong.
(Assume the backtrace PC is 0x74, how to find the previous frame?)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ