| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3be01877-cfcb-43e2-811d-e8751338dc9c@gaisler.com>
Date: Mon, 1 Sep 2025 21:05:23 +0200
From: Andreas Larsson <andreas@...sler.com>
To: Thomas Weißschuh <thomas.weissschuh@...utronix.de>
Cc: Andy Lutomirski <luto@...nel.org>, Thomas Gleixner <tglx@...utronix.de>,
Vincenzo Frascino <vincenzo.frascino@....com>, Arnd Bergmann
<arnd@...db.de>, "David S. Miller" <davem@...emloft.net>,
Nagarathnam Muthusamy <nagarathnam.muthusamy@...cle.com>,
Nick Alcock <nick.alcock@...cle.com>, John Stultz <jstultz@...gle.com>,
Stephen Boyd <sboyd@...nel.org>,
John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>,
linux-kernel@...r.kernel.org, sparclinux@...r.kernel.org
Subject: Re: [PATCH v2 08/13] sparc64: vdso: Switch to the generic vDSO
library
On 2025-09-01 16:59, Thomas Weißschuh wrote:
> So a NULL-pointer deref. Please also try the following, to get the trapping code.
>
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -1299,6 +1299,14 @@ force_sig_info_to_task(struct kernel_siginfo *info, struct task_struct *t,
> struct k_sigaction *action;
> int sig = info->si_signo;
>
> + if (unlikely(is_global_init(t)) && sig == SIGSEGV) {
> + struct pt_regs *regs = task_pt_regs(t);
> +
> + panic("killing init, sig=%d errno=%d code=%d addr=%px vdso=%px pc=0x%lx vdsopc=0x%lx",
> + info->si_signo, info->si_errno, info->si_code, info->si_addr,
> + t->mm->context.vdso, regs->tpc, regs->tpc - (unsigned long)t->mm->context.vdso);
> + }
> +
> spin_lock_irqsave(&t->sighand->siglock, flags);
> action = &t->sighand->action[sig-1];
> ignored = action->sa.sa_handler == SIG_IGN;
>
>
> Please give me the disassembly for the address printed as "vdsopc" from
> arch/sparc/vdso/vdso64.so.dbg starting from its function entrypoint.
I get
[ 1.680341] Run /init as init process
[ 1.682256] Kernel panic - not syncing: killing init, sig=11 errno=0 code=1 addr=0000000000000000 vdso=fff800010081e000 pc=0xfff800010081e684 vdsopc=0x684
[ 1.682289] CPU: 2 UID: 0 PID: 1 Comm: init Not tainted 6.17.0-rc1-00011-g1f71a73bede3 #12 VOLUNTARY
[ 1.682313] Call Trace:
[ 1.682324] [<0000000000436524>] dump_stack+0x8/0x18
[ 1.682351] [<00000000004291f4>] vpanic+0xdc/0x320
[ 1.682373] [<000000000042945c>] panic+0x24/0x30
[ 1.682389] [<0000000000493258>] force_sig_info_to_task+0x218/0x240
[ 1.682412] [<0000000000493740>] force_sig_fault+0x40/0x60
[ 1.682430] [<0000000000439e28>] sun4v_data_access_exception+0xa8/0x140
[ 1.682449] [<00000000004066d4>] sun4v_dacc+0x28/0x34
[ 1.683232] Press Stop-A (L1-A) from sun keyboard or send break
[ 1.683232] twice on console to return to the boot prom
[ 1.683252] ---[ end Kernel panic - not syncing: killing init, sig=11 errno=0 code=1 addr=0000000000000000 vdso=fff800010081e000 pc=0xfff800010081e684 vdsopc=0x684 ]---
and we have
#if defined(CONFIG_SPARC64)
int __vdso_clock_gettime(clockid_t clock, struct __kernel_timespec *ts)
{
640: 9d e3 bf 50 save %sp, -176, %sp
__asm__ __volatile__(
644: 40 00 00 03 call 650 <__vdso_clock_gettime+0x10>
648: 01 00 00 00 nop
64c: ff ff 79 b4 unknown
650: 9e 03 e0 08 add %o7, 8, %o7
654: c6 43 c0 00 ldsw [ %o7 ], %g3
658: 86 00 c0 0f add %g3, %o7, %g3
if (!vdso_clockid_valid(clock))
65c: 80 a6 20 17 cmp %i0, 0x17
660: 18 40 00 3b bgu,pn %icc, 74c <__vdso_clock_gettime+0x10c>
664: 84 10 00 03 mov %g3, %g2
msk = 1U << clock;
668: 82 10 20 01 mov 1, %g1
66c: 83 28 40 18 sll %g1, %i0, %g1
if (likely(msk & VDSO_HRES))
670: 80 88 68 83 btst 0x883, %g1
674: 02 40 00 30 be,pn %icc, 734 <__vdso_clock_gettime+0xf4>
678: 80 88 60 60 btst 0x60, %g1
if (!__arch_vdso_hres_capable())
67c: 87 2e 30 04 sllx %i0, 4, %g3
680: 86 00 80 03 add %g2, %g3, %g3
while (unlikely((seq = READ_ONCE(vc->seq)) & 1)) {
684: fa 00 80 00 ld [ %g2 ], %i5 <-- this one
688: 80 8f 60 01 btst 1, %i5
68c: 12 60 00 39 bne,pn %xcc, 770 <__vdso_clock_gettime+0x130>
690: 01 00 00 00 nop
...
where the READ_ONCE that does the trapping load is the READ_ONCE(vc->seq)
in do_hres() in lib/vdso/gettimeofday.c. So we seem to have a NULL vc.
With patches 1-8 applied on v6.17-rc1, addr2line gives us:
0x640: arch/sparc/vdso/vclock_gettime.c:34
0x644: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x648: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x64c: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x650: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x654: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x658: arch/sparc/include/asm/vdso/gettimeofday.h:150
0x65c: lib/vdso/gettimeofday.c:321 (discriminator 1)
0x660: lib/vdso/gettimeofday.c:321 (discriminator 1)
0x664: lib/vdso/gettimeofday.c:321 (discriminator 1)
0x668: lib/vdso/gettimeofday.c:328
0x66c: lib/vdso/gettimeofday.c:328
0x670: lib/vdso/gettimeofday.c:329 (discriminator 1)
0x674: lib/vdso/gettimeofday.c:329 (discriminator 1)
0x678: lib/vdso/gettimeofday.c:329 (discriminator 1)
0x67c: lib/vdso/gettimeofday.c:175
0x680: lib/vdso/gettimeofday.c:175
0x684: lib/vdso/gettimeofday.c:190 (discriminator 2)
Cheers,
Andreas
Powered by blists - more mailing lists