Message-ID: <3be01877-cfcb-43e2-811d-e8751338dc9c@gaisler.com>
Date: Mon, 1 Sep 2025 21:05:23 +0200
From: Andreas Larsson <andreas@...sler.com>
To: Thomas Weißschuh <thomas.weissschuh@...utronix.de>
Cc: Andy Lutomirski <luto@...nel.org>, Thomas Gleixner <tglx@...utronix.de>,
 Vincenzo Frascino <vincenzo.frascino@....com>, Arnd Bergmann
 <arnd@...db.de>, "David S. Miller" <davem@...emloft.net>,
 Nagarathnam Muthusamy <nagarathnam.muthusamy@...cle.com>,
 Nick Alcock <nick.alcock@...cle.com>, John Stultz <jstultz@...gle.com>,
 Stephen Boyd <sboyd@...nel.org>,
 John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>,
 linux-kernel@...r.kernel.org, sparclinux@...r.kernel.org
Subject: Re: [PATCH v2 08/13] sparc64: vdso: Switch to the generic vDSO
 library

On 2025-09-01 16:59, Thomas Weißschuh wrote:
> So a NULL-pointer deref. Please also try the following, to get the trapping code.
> 
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -1299,6 +1299,14 @@ force_sig_info_to_task(struct kernel_siginfo *info, struct task_struct *t,
>         struct k_sigaction *action;
>         int sig = info->si_signo;
>  
> +       if (unlikely(is_global_init(t)) && sig == SIGSEGV) {
> +               struct pt_regs *regs = task_pt_regs(t);
> +
> +               panic("killing init, sig=%d errno=%d code=%d addr=%px vdso=%px pc=0x%lx vdsopc=0x%lx",
> +                     info->si_signo, info->si_errno, info->si_code, info->si_addr,
> +                     t->mm->context.vdso, regs->tpc, regs->tpc - (unsigned long)t->mm->context.vdso);
> +       }
> +
>         spin_lock_irqsave(&t->sighand->siglock, flags);
>         action = &t->sighand->action[sig-1];
>         ignored = action->sa.sa_handler == SIG_IGN;
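Review bot: the diagnostic hunk dereferences `t->mm->context.vdso` twice (in the `vdso=` and `vdsopc=` arguments) without checking that `t->mm` is non-NULL, and `task_pt_regs(t)` likewise assumes the task has a user register frame. For PID 1 receiving SIGSEGV from `force_sig_info_to_task()` both hold, so as a one-off debugging aid this is fine, but if it is kept around it should read `t->mm` into a local and print `NULL` (or skip the panic) when it is absent. Note also that `%px` deliberately bypasses pointer hashing and that `context.vdso` and `regs->tpc` are sparc64-specific fields, so this hunk is only suitable for a local debugging build, not for submission.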
> 
> 
> Please give me the disassembly for the address printed as "vdsopc" from
> arch/sparc/vdso/vdso64.so.dbg starting from its function entrypoint.

I get

[    1.680341] Run /init as init process
[    1.682256] Kernel panic - not syncing: killing init, sig=11 errno=0 code=1 addr=0000000000000000 vdso=fff800010081e000 pc=0xfff800010081e684 vdsopc=0x684
[    1.682289] CPU: 2 UID: 0 PID: 1 Comm: init Not tainted 6.17.0-rc1-00011-g1f71a73bede3 #12 VOLUNTARY
[    1.682313] Call Trace:
[    1.682324] [<0000000000436524>] dump_stack+0x8/0x18
[    1.682351] [<00000000004291f4>] vpanic+0xdc/0x320
[    1.682373] [<000000000042945c>] panic+0x24/0x30
[    1.682389] [<0000000000493258>] force_sig_info_to_task+0x218/0x240
[    1.682412] [<0000000000493740>] force_sig_fault+0x40/0x60
[    1.682430] [<0000000000439e28>] sun4v_data_access_exception+0xa8/0x140
[    1.682449] [<00000000004066d4>] sun4v_dacc+0x28/0x34
[    1.683232] Press Stop-A (L1-A) from sun keyboard or send break
[    1.683232] twice on console to return to the boot prom
[    1.683252] ---[ end Kernel panic - not syncing: killing init, sig=11 errno=0 code=1 addr=0000000000000000 vdso=fff800010081e000 pc=0xfff800010081e684 vdsopc=0x684 ]---

and we have

#if defined(CONFIG_SPARC64)
int __vdso_clock_gettime(clockid_t clock, struct __kernel_timespec *ts)
{
 640:   9d e3 bf 50     save  %sp, -176, %sp
        __asm__ __volatile__(
 644:   40 00 00 03     call  650 <__vdso_clock_gettime+0x10>
 648:   01 00 00 00     nop 
 64c:   ff ff 79 b4     unknown
 650:   9e 03 e0 08     add  %o7, 8, %o7
 654:   c6 43 c0 00     ldsw  [ %o7 ], %g3
 658:   86 00 c0 0f     add  %g3, %o7, %g3
        if (!vdso_clockid_valid(clock))
 65c:   80 a6 20 17     cmp  %i0, 0x17
 660:   18 40 00 3b     bgu,pn   %icc, 74c <__vdso_clock_gettime+0x10c>
 664:   84 10 00 03     mov  %g3, %g2
        msk = 1U << clock;
 668:   82 10 20 01     mov  1, %g1
 66c:   83 28 40 18     sll  %g1, %i0, %g1
        if (likely(msk & VDSO_HRES))
 670:   80 88 68 83     btst  0x883, %g1
 674:   02 40 00 30     be,pn   %icc, 734 <__vdso_clock_gettime+0xf4>
 678:   80 88 60 60     btst  0x60, %g1
        if (!__arch_vdso_hres_capable())
 67c:   87 2e 30 04     sllx  %i0, 4, %g3
 680:   86 00 80 03     add  %g2, %g3, %g3
                while (unlikely((seq = READ_ONCE(vc->seq)) & 1)) {
 684:   fa 00 80 00     ld  [ %g2 ], %i5                          <-- this one
 688:   80 8f 60 01     btst  1, %i5
 68c:   12 60 00 39     bne,pn   %xcc, 770 <__vdso_clock_gettime+0x130>
 690:   01 00 00 00     nop 
 ...

where the READ_ONCE that does the trapping load is the READ_ONCE(vc->seq)
in do_hres() in lib/vdso/gettimeofday.c. So we seem to have a NULL vc.

With patches 1-8 applied on v6.17-rc1, addr2line gives us:

0x640: arch/sparc/vdso/vclock_gettime.c:34
0x644: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x648: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x64c: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x650: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x654: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x658: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x65c: lib/vdso/gettimeofday.c:321 (discriminator 1)
0x660: lib/vdso/gettimeofday.c:321 (discriminator 1)
0x664: lib/vdso/gettimeofday.c:321 (discriminator 1)
0x668: lib/vdso/gettimeofday.c:328
0x66c: lib/vdso/gettimeofday.c:328
0x670: lib/vdso/gettimeofday.c:329 (discriminator 1)
0x674: lib/vdso/gettimeofday.c:329 (discriminator 1)
0x678: lib/vdso/gettimeofday.c:329 (discriminator 1)
0x67c: lib/vdso/gettimeofday.c:175
0x680: lib/vdso/gettimeofday.c:175
0x684: lib/vdso/gettimeofday.c:190 (discriminator 2)


Cheers,
Andreas
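The triage above boils down to three mechanical steps: pull the fields out of the debug panic line, confirm that `vdsopc` really is `pc - vdso`, and find that offset in the `objdump -dS` listing of `vdso64.so.dbg` to see which instruction and which source line trapped. The script below is an added example (not code from this thread or from the kernel tree) that automates those steps so a log line can be checked without doing the subtraction by hand. It assumes the printk format from the quoted debug hunk; the panic line and the listing excerpt embedded as sample input are copied from the message above, and the `SEGV_CODES` table holds the generic `si_code` values for SIGSEGV.

```python
import re

# Sample inputs copied from the message above: the panic line printed by the
# debug hunk, and an excerpt of the objdump -dS listing of vdso64.so.dbg.
PANIC_LINE = (
    "[    1.682256] Kernel panic - not syncing: killing init, sig=11 errno=0 "
    "code=1 addr=0000000000000000 vdso=fff800010081e000 "
    "pc=0xfff800010081e684 vdsopc=0x684"
)

OBJDUMP_LISTING = """\
int __vdso_clock_gettime(clockid_t clock, struct __kernel_timespec *ts)
{
 640:   9d e3 bf 50     save  %sp, -176, %sp
        if (!vdso_clockid_valid(clock))
 65c:   80 a6 20 17     cmp  %i0, 0x17
 660:   18 40 00 3b     bgu,pn   %icc, 74c <__vdso_clock_gettime+0x10c>
        if (!__arch_vdso_hres_capable())
 67c:   87 2e 30 04     sllx  %i0, 4, %g3
 680:   86 00 80 03     add  %g2, %g3, %g3
                while (unlikely((seq = READ_ONCE(vc->seq)) & 1)) {
 684:   fa 00 80 00     ld  [ %g2 ], %i5
 688:   80 8f 60 01     btst  1, %i5
 68c:   12 60 00 39     bne,pn   %xcc, 770 <__vdso_clock_gettime+0x130>
 690:   01 00 00 00     nop
"""

# Generic si_code values for SIGSEGV (uapi asm-generic/siginfo.h).
SEGV_CODES = {1: "SEGV_MAPERR", 2: "SEGV_ACCERR"}

# Field layout of the panic() format string in the quoted debug hunk:
# %px prints bare hex, the 0x%lx fields carry a 0x prefix.
_PANIC_RE = re.compile(
    r"killing init, sig=(?P<sig>\d+) errno=(?P<errno>-?\d+) code=(?P<code>\d+) "
    r"addr=(?P<addr>[0-9a-f]+) vdso=(?P<vdso>[0-9a-f]+) "
    r"pc=0x(?P<pc>[0-9a-f]+) vdsopc=0x(?P<vdsopc>[0-9a-f]+)"
)

# objdump -dS on SPARC prints each 4-byte instruction word as four hex byte
# pairs; every other non-blank line is interleaved source context.
_INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2} ){4})\s*(\S.*?)\s*$")


def parse_panic(line):
    """Extract the printk fields and recompute the vDSO offset from pc and base."""
    m = _PANIC_RE.search(line)
    if m is None:
        raise ValueError("not a 'killing init' panic line")
    r = {k: int(m.group(k), 16) for k in ("addr", "vdso", "pc", "vdsopc")}
    r.update({k: int(m.group(k)) for k in ("sig", "errno", "code")})
    r["offset"] = r["pc"] - r["vdso"]
    # The kernel printed vdsopc = pc - vdso itself; recomputing it catches a
    # truncated or mis-copied log line before the offset is trusted.
    r["consistent"] = r["offset"] == r["vdsopc"]
    return r


def parse_listing(text):
    """Map each instruction offset to its bytes, mnemonic and preceding source line."""
    insns = {}
    source = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _INSN_RE.match(raw)
        if m:
            off = int(m.group(1), 16)
            insns[off] = {"bytes": m.group(2).split(), "asm": m.group(3), "source": source}
        else:
            source = raw.strip()
    return insns


def triage(panic_line, listing):
    """Combine the panic fields with the listing into a short fault report."""
    p = parse_panic(panic_line)
    insn = parse_listing(listing).get(p["offset"])
    report = {
        "signal": p["sig"],
        "si_code": SEGV_CODES.get(p["code"], f"unknown({p['code']})"),
        "fault_addr": p["addr"],
        "vdso_offset": p["offset"],
        "offset_consistent": p["consistent"],
        "trapping_insn": insn["asm"] if insn else None,
        "source_context": insn["source"] if insn else None,
    }
    # A load/store through a base register, fault address 0 and SEGV_MAPERR is
    # the NULL-pointer pattern the thread identifies (vc == NULL in do_hres()).
    report["looks_like_null_deref"] = (
        insn is not None
        and insn["asm"].split()[0].startswith(("ld", "st"))
        and p["addr"] == 0
        and p["code"] == 1
    )
    return report


if __name__ == "__main__":
    for key, value in triage(PANIC_LINE, OBJDUMP_LISTING).items():
        print(f"{key:>20}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>20}: {value}")
```

Run against the page's own data it reports offset 0x684, the `ld  [ %g2 ], %i5` instruction, the `READ_ONCE(vc->seq)` source line and flags the fault as a NULL dereference; feeding it a real `objdump -dS arch/sparc/vdso/vdso64.so.dbg` listing instead of the excerpt works the same way.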
