| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8c047b5f-f4c2-4795-8ceb-a556ac6647b2@gmail.com> Date: Fri, 12 Sep 2025 16:15:30 +0800 From: Jinchao Wang <wangjinchao600@...il.com> To: Alexander Potapenko <glider@...gle.com> Cc: Andrew Morton <akpm@...ux-foundation.org>, Masami Hiramatsu <mhiramat@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Mike Rapoport <rppt@...nel.org>, "Naveen N . Rao" <naveen@...nel.org>, Andrey Ryabinin <ryabinin.a.a@...il.com>, Andrey Konovalov <andreyknvl@...il.com>, Dmitry Vyukov <dvyukov@...gle.com>, Vincenzo Frascino <vincenzo.frascino@....com>, kasan-dev@...glegroups.com, "David S. Miller" <davem@...emloft.net>, Steven Rostedt <rostedt@...dmis.org>, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>, Ingo Molnar <mingo@...hat.com>, Arnaldo Carvalho de Melo <acme@...nel.org>, Namhyung Kim <namhyung@...nel.org>, Mark Rutland <mark.rutland@....com>, Alexander Shishkin <alexander.shishkin@...ux.intel.com>, Jiri Olsa <jolsa@...nel.org>, Ian Rogers <irogers@...gle.com>, Adrian Hunter <adrian.hunter@...el.com>, "Liang, Kan" <kan.liang@...ux.intel.com>, Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, linux-mm@...ck.org, linux-trace-kernel@...r.kernel.org, linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v3 00/19] mm/ksw: Introduce real-time Kernel Stack Watch debugging tool On 9/12/25 14:41, Alexander Potapenko wrote: > On Fri, Sep 12, 2025 at 7:51 AM Jinchao Wang <wangjinchao600@...il.com> wrote: >> >> FYI: The current patchset contains lockdep issues due to the kprobe handler >> running in NMI context. Please do not spend time reviewing this version. >> Thanks. >> -- >> Jinchao > > Hi Jinchao, > > In the next version, could you please elaborate more on the user > workflow of this tool? > It occurs to me that in order to detect the corruption the user has to > know precisely in which function the corruption is happening, which is > usually the hardest part. > Hi Alexander, Thank you for the question. I agree with your observation about the challenge of detecting stack corruption. Stack corruption debugging typically involves three steps: 1. Detect the corruption 2. Find the root cause 3. Fix the issue Your question addresses step 1, which is indeed a challenging part. Currently, we have several approaches for detection: - Compile with CONFIG_STACKPROTECTOR_STRONG to add stack canaries and trigger __stack_chk_fail() on corruption - Manual detection when local variables are unexpectedly modified (though this is quite difficult in practice) However, KStackWatch is specifically designed for step 2 rather than step 1. Let me illustrate with a complex scenario: In one actual case, the corruption path was: - A calls B (the buggy function) through N1 call levels - B stores its stack variable L1's address in P (through a global variable or queue or list...) - C (the victim) called by A through N2 levels, unexpectedly has a canary or local variable L2 with the overlapping address with L1 - D uses P in a separate task (N3 call levels deep), which modifies the value of L1, and L2 is corrupted - C finds the corruption The only clue might be identifying function D first, which then leads us to B through P. Key advantages of KStackWatch: - Lightweight overhead that doesn't reduce reproduction probability - Real-time capability to identify corruption exactly when it happens - Precise location tracking of where corruptions occur KStackWatch helps identify function D directly, bypassing the complex call chains (N1, N2, N3) and intermediate functions. Once we locate D, we can trace back through the corruption path and resolve the issue. Does this clarify the tool's intended workflow? -- Jinchao
Powered by blists - more mailing lists