Message-ID: <20251110163634.3686676-16-wangjinchao600@gmail.com>
Date: Tue, 11 Nov 2025 00:36:10 +0800
From: Jinchao Wang <wangjinchao600@...il.com>
To: Andrew Morton <akpm@...ux-foundation.org>,
	"Masami Hiramatsu (Google)" <mhiramat@...nel.org>,
	Peter Zijlstra <peterz@...radead.org>,
	Randy Dunlap <rdunlap@...radead.org>,
	Marco Elver <elver@...gle.com>,
	Mike Rapoport <rppt@...nel.org>,
	Alexander Potapenko <glider@...gle.com>,
	Adrian Hunter <adrian.hunter@...el.com>,
	Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
	Alice Ryhl <aliceryhl@...gle.com>,
	Andrey Konovalov <andreyknvl@...il.com>,
	Andrey Ryabinin <ryabinin.a.a@...il.com>,
	Andrii Nakryiko <andrii@...nel.org>,
	Ard Biesheuvel <ardb@...nel.org>,
	Arnaldo Carvalho de Melo <acme@...nel.org>,
	Ben Segall <bsegall@...gle.com>,
	Bill Wendling <morbo@...gle.com>,
	Borislav Petkov <bp@...en8.de>,
	Catalin Marinas <catalin.marinas@....com>,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	David Hildenbrand <david@...hat.com>,
	David Kaplan <david.kaplan@....com>,
	"David S. Miller" <davem@...emloft.net>,
	Dietmar Eggemann <dietmar.eggemann@....com>,
	Dmitry Vyukov <dvyukov@...gle.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	Ian Rogers <irogers@...gle.com>,
	Ingo Molnar <mingo@...hat.com>,
	James Clark <james.clark@...aro.org>,
	Jinchao Wang <wangjinchao600@...il.com>,
	Jinjie Ruan <ruanjinjie@...wei.com>,
	Jiri Olsa <jolsa@...nel.org>,
	Jonathan Corbet <corbet@....net>,
	Juri Lelli <juri.lelli@...hat.com>,
	Justin Stitt <justinstitt@...gle.com>,
	kasan-dev@...glegroups.com,
	Kees Cook <kees@...nel.org>,
	"Liam R. Howlett" <Liam.Howlett@...cle.com>,
	"Liang Kan" <kan.liang@...ux.intel.com>,
	Linus Walleij <linus.walleij@...aro.org>,
	linux-arm-kernel@...ts.infradead.org,
	linux-doc@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-mm@...ck.org,
	linux-perf-users@...r.kernel.org,
	linux-trace-kernel@...r.kernel.org,
	llvm@...ts.linux.dev,
	Lorenzo Stoakes <lorenzo.stoakes@...cle.com>,
	Mark Rutland <mark.rutland@....com>,
	Masahiro Yamada <masahiroy@...nel.org>,
	Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
	Mel Gorman <mgorman@...e.de>,
	Michal Hocko <mhocko@...e.com>,
	Miguel Ojeda <ojeda@...nel.org>,
	Nam Cao <namcao@...utronix.de>,
	Namhyung Kim <namhyung@...nel.org>,
	Nathan Chancellor <nathan@...nel.org>,
	Naveen N Rao <naveen@...nel.org>,
	Nick Desaulniers <nick.desaulniers+lkml@...il.com>,
	Rong Xu <xur@...gle.com>,
	Sami Tolvanen <samitolvanen@...gle.com>,
	Steven Rostedt <rostedt@...dmis.org>,
	Suren Baghdasaryan <surenb@...gle.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Thomas Weißschuh <thomas.weissschuh@...utronix.de>,
	Valentin Schneider <vschneid@...hat.com>,
	Vincent Guittot <vincent.guittot@...aro.org>,
	Vincenzo Frascino <vincenzo.frascino@....com>,
	Vlastimil Babka <vbabka@...e.cz>,
	Will Deacon <will@...nel.org>,
	workflows@...r.kernel.org,
	x86@...nel.org
Subject: [PATCH v8 15/27] mm/ksw: limit canary search to current stack frame

Use the compiler-provided frame pointer when CONFIG_FRAME_POINTER is
enabled to restrict the stack canary search range to the current
function frame. This prevents scanning beyond valid stack bounds and
improves reliability across architectures.

Also add explicit handling for missing CONFIG_STACKPROTECTOR and make
the failure message more visible.

Signed-off-by: Jinchao Wang <wangjinchao600@...il.com>
---
 mm/kstackwatch/stack.c | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/mm/kstackwatch/stack.c b/mm/kstackwatch/stack.c
index 60371b292915..3455d1e70db9 100644
--- a/mm/kstackwatch/stack.c
+++ b/mm/kstackwatch/stack.c
@@ -64,15 +64,32 @@ static unsigned long ksw_find_stack_canary_addr(struct pt_regs *regs)
 	unsigned long *stack_ptr, *stack_end, *stack_base;
 	unsigned long expected_canary;
 	unsigned int i;
+#ifdef CONFIG_FRAME_POINTER
+	unsigned long *fp = NULL;
+#endif
 
 	stack_ptr = (unsigned long *)kernel_stack_pointer(regs);
-
 	stack_base = (unsigned long *)(current->stack);
 
-	// TODO: limit it to the current frame
 	stack_end = (unsigned long *)((char *)current->stack + THREAD_SIZE);
+#ifdef CONFIG_FRAME_POINTER
+	/*
+	 * Use the compiler-provided frame pointer.
+	 * Limit the search to the current frame
+	 * Works on any arch that keeps FP when CONFIG_FRAME_POINTER=y.
+	 */
+	fp = __builtin_frame_address(0);
 
+	if (fp > stack_ptr && fp < stack_end)
+		stack_end = fp;
+#endif
+
+#ifdef CONFIG_STACKPROTECTOR
 	expected_canary = current->stack_canary;
+#else
+	pr_err("no canary without CONFIG_STACKPROTECTOR\n");
+	return 0;
+#endif
 
 	if (stack_ptr < stack_base || stack_ptr >= stack_end) {
 		pr_err("Stack pointer 0x%lx out of bounds [0x%lx, 0x%lx)\n",
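Review bot: `fp = __builtin_frame_address(0)` is the frame address of ksw_find_stack_canary_addr() itself, not of the frame that `regs` describes, so the comment's "limit the search to the current frame" does not hold for the probed function's frame. When this function runs on the same stack as the probed context, its own frame lies below `stack_ptr`, so `fp > stack_ptr` is false and `stack_end` silently stays at the top of the stack; if it runs on a different stack, `fp < stack_end` is false with the same result, and the TODO that this hunk removes is still open. The frame pointer of the probed frame is the one saved in `regs` (`regs->bp` on x86, `regs->regs[29]` on arm64); that value is the bound the comment is describing. Separately, the `#else` branch for !CONFIG_STACKPROTECTOR returns before the range check and leaves the rest of the function dead code in such builds, and prints a pr_err on every call; since `current->stack_canary` only exists with CONFIG_STACKPROTECTOR, a `depends on STACKPROTECTOR` on the Kconfig option would remove the dead path and the per-call message.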
@@ -85,15 +102,11 @@ static unsigned long ksw_find_stack_canary_addr(struct pt_regs *regs)
 		if (&stack_ptr[i] >= stack_end)
 			break;
 
-		if (stack_ptr[i] == expected_canary) {
-			pr_debug("canary found i:%d 0x%lx\n", i,
-				 (unsigned long)&stack_ptr[i]);
+		if (stack_ptr[i] == expected_canary)
 			return (unsigned long)&stack_ptr[i];
-		}
 	}
 
-	pr_debug("canary not found in first %d steps\n",
-		 MAX_CANARY_SEARCH_STEPS);
+	pr_err("canary not found in first %d steps\n", MAX_CANARY_SEARCH_STEPS);
 	return 0;
 }
 
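Review bot: the message "canary not found in first %d steps" still reports MAX_CANARY_SEARCH_STEPS, but the loop also exits on `&stack_ptr[i] >= stack_end` (context at the top of this hunk), and with this patch `stack_end` can be a frame bound only a few words above `stack_ptr`, so the number printed may exceed the words actually examined; print the searched range `[stack_ptr, stack_end)` or the final `i` instead. Raising the level to pr_err also makes the miss path log unconditionally from a function that takes `struct pt_regs` and so runs once per probe hit; `pr_err_ratelimited()` (or `pr_err_once()` plus a counter) would avoid flooding the log when a misplaced probe misses on every hit. Dropping the "canary found" pr_debug removes the only confirmation of which address was selected; keeping it at pr_debug costs nothing in normal builds.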
-- 
2.43.0
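The bounded search the commit message describes, modelled as an added example on a constructed stack buffer so the effect of the frame-pointer clamp can be seen without a kernel. This is not kstackwatch code; STACK_WORDS, the frame layout (probed frame at words [20, 28), caller's frame above it) and the canary slot indices are assumptions chosen for the demo. It shows the case the clamp is for, a probed function that carries no canary of its own while its caller does, and also that a frame pointer lying below `sp` (as a handler's own frame would be) leaves the range unclamped:

```c
/* Added example, not from the kstackwatch patch: bounded canary search on a
 * constructed "stack" of STACK_WORDS words that grows downward. All layout
 * values below are hypothetical and exist only to make the cases concrete. */
#include <stdio.h>
#include <stddef.h>

#define STACK_WORDS             64
#define MAX_CANARY_SEARCH_STEPS 16   /* same role as the patch's constant */

#define SP_IDX            20   /* probed frame's stack pointer (word index) */
#define FP_IDX            28   /* probed frame's frame pointer: frame is [20, 28) */
#define PROBED_CANARY_IDX 26   /* where an instrumented probed frame keeps its canary */
#define CALLER_CANARY_IDX 30   /* the caller's canary slot, above the probed frame */

static const unsigned long DEMO_CANARY = 0x7f3a5c91UL;   /* constructed value */

/* Search [sp, end) for canary, at most max_steps words; NULL = not found.
 * Mirrors the loop in ksw_find_stack_canary_addr(). */
static const unsigned long *scan_for_canary(const unsigned long *sp,
                                            const unsigned long *end,
                                            unsigned long canary,
                                            unsigned int max_steps)
{
    unsigned int i;

    for (i = 0; i < max_steps; i++) {
        if (&sp[i] >= end)
            break;
        if (sp[i] == canary)
            return &sp[i];
    }
    return NULL;
}

/* Mirror of the patch's clamp: trust fp only if it lies strictly inside
 * (sp, stack_end). A frame pointer below sp (a deeper frame) or at/after
 * stack_end is ignored and the full range is kept. */
static const unsigned long *clamp_to_frame(const unsigned long *sp,
                                           const unsigned long *stack_end,
                                           const unsigned long *fp)
{
    if (fp != NULL && fp > sp && fp < stack_end)
        return fp;
    return stack_end;
}

/* Fill the constructed stack: filler everywhere, a canary in the caller's
 * frame, and optionally one in the probed frame (instrumented function). */
static void build_stack(unsigned long *stack, int probed_has_canary)
{
    int i;

    for (i = 0; i < STACK_WORDS; i++)
        stack[i] = 0x5a5a0000UL + (unsigned long)i;
    stack[CALLER_CANARY_IDX] = DEMO_CANARY;
    if (probed_has_canary)
        stack[PROBED_CANARY_IDX] = DEMO_CANARY;
}

/* Run one scenario. fp_idx < 0 means "no frame pointer available"; any value
 * in [0, STACK_WORDS] is the word index handed to the clamp.
 * Returns the word index where the canary was found, or -1. */
int find_canary_index(int probed_has_canary, long fp_idx)
{
    unsigned long stack[STACK_WORDS];
    const unsigned long *sp = &stack[SP_IDX];
    const unsigned long *stack_end = &stack[STACK_WORDS];
    const unsigned long *fp =
        (fp_idx >= 0 && fp_idx <= STACK_WORDS) ? &stack[fp_idx] : NULL;
    const unsigned long *end, *hit;

    build_stack(stack, probed_has_canary);
    end = clamp_to_frame(sp, stack_end, fp);
    hit = scan_for_canary(sp, end, DEMO_CANARY, MAX_CANARY_SEARCH_STEPS);
    return hit ? (int)(hit - stack) : -1;
}

int main(void)
{
    printf("instrumented frame, fp=28:      %d (probed frame's own canary)\n",
           find_canary_index(1, FP_IDX));
    printf("uninstrumented, no fp:          %d (caller's canary: wrong frame)\n",
           find_canary_index(0, -1));
    printf("uninstrumented, fp=28:          %d (correctly not found)\n",
           find_canary_index(0, FP_IDX));
    printf("uninstrumented, fp=4 (deeper):  %d (clamp ignored: wrong frame)\n",
           find_canary_index(0, 4));
    return 0;
}
```

The third and fourth cases are the ones that matter for the patch: a bound taken from the probed frame turns a silent false positive on the caller's canary into "not found", while a frame pointer that belongs to a deeper frame fails the `fp > sp` test and changes nothing.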