| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8ee8f1d2-feb6-4b96-af17-c3a690e01a46@vivo.com>
Date: Mon, 13 Oct 2025 08:19:36 +0000
From: 林芝驰 <zhichi.lin@...o.com>
To: Andrew Morton <akpm@...ux-foundation.org>
CC: "elver@...gle.com" <elver@...gle.com>, "will@...nel.org"
<will@...nel.org>, "andreyknvl@...il.com" <andreyknvl@...il.com>,
"samitolvanen@...gle.com" <samitolvanen@...gle.com>, "yee.lee@...iatek.com"
<yee.lee@...iatek.com>, "keescook@...omium.org" <keescook@...omium.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
谢纪元 <xiejiyuan@...o.com>
Subject: Re: [PATCH] scs: Fix a wrong parameter in __scs_magic
On 10/12/2025 1:11 AM, Andrew Morton wrote:
> On Sat, 11 Oct 2025 16:22:22 +0800 Zhichi Lin <zhichi.lin@...o.com> wrote:
>
>> __scs_magic() needs a 'void *' variable, but a 'struct task_struct *'
>> is given. 'task_scs(tsk)' is the starting address of the task's shadow
>> call stack, and '__scs_magic(task_scs(tsk))' is the end address of the
>> task's shadow call stack.
>> Here should be '__scs_magic(task_scs(tsk))'.
>
> What are the userspace-visible runtime effects of this bug? Please
> always describe this when fixing something.
>
The user-visible effect of this bug is that when
CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage
checking function (scs_check_usage) would scan an incorrect memory
range. This could lead to:
1. **Inaccurate stack usage reporting**: The function would calculate
wrong usage statistics for the shadow call stack, potentially showing
incorrect value in kmsg.
2. **Potential kernel crash**: If the value of __scs_magic(tsk)is
greater than that of __scs_magic(task_scs(tsk)), the for loop may access
unmapped memory, potentially causing a kernel panic. However, this
scenario is unlikely because task_struct is allocated via the slab
allocator (which typically returns lower addresses), while the shadow
call stack returned by task_scs(tsk) is allocated via vmalloc(which
typically returns higher addresses).
However, since this is purely a debugging feature
(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not
unaffected. The bug only impacts developers and testers who are
actively debugging stack usage with this configuration enabled.
Additionally, this issue was discovered during code reading - our
project does not actually use this feature. For a more accurate
assessment of real-world impact and backporting necessity, I think Will
and Sami would be better positioned to evaluate, as they have deeper
knowledge of how this debugging feature is actually used.
>> Fixes: 5bbaf9d1fcb9 ("scs: Add support for stack usage debugging")
>
> This might need backporting into -stable kernels, that depends on the
> answer to the above question.
>
>> --- a/kernel/scs.c
>> +++ b/kernel/scs.c
>> @@ -135,7 +135,7 @@ static void scs_check_usage(struct task_struct *tsk)
>> if (!IS_ENABLED(CONFIG_DEBUG_STACK_USAGE))
>> return;
>>
>> - for (p = task_scs(tsk); p < __scs_magic(tsk); ++p) {
>> + for (p = task_scs(tsk); p < __scs_magic(task_scs(tsk)); ++p) {
>> if (!READ_ONCE_NOCHECK(*p))
>> break;
>> used += sizeof(*p);
>
> Thanks, I'll grab the patch for now, maybe Will would prefer to take it?
Powered by blists - more mailing lists