| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aS8b9SeLDPF5n9UE@gmail.com>
Date: Tue, 2 Dec 2025 18:03:49 +0100
From: Ingo Molnar <mingo@...nel.org>
To: Josh Poimboeuf <jpoimboe@...nel.org>
Cc: x86@...nel.org, linux-kernel@...r.kernel.org,
Nathan Chancellor <nathan@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Alexandre Chartre <alexandre.chartre@...cle.com>,
David Laight <david.laight.linux@...il.com>
Subject: Re: [PATCH] objtool: Fix stack overflow in validate_branch()
* Josh Poimboeuf <jpoimboe@...nel.org> wrote:
> On Tue, Dec 02, 2025 at 05:20:22PM +0100, Ingo Molnar wrote:
> >
> > * Josh Poimboeuf <jpoimboe@...nel.org> wrote:
> >
> > > On an allmodconfig kernel compiled with Clang, objtool is segfaulting in
> > > drivers/scsi/qla2xxx/qla2xxx.o due to a stack overflow in
> > > validate_branch().
> > >
> > > Due in part to KASAN being enabled, the qla2xxx code has a large number
> > > of conditional jumps, causing objtool to go quite deep in its recursion.
> > >
> > > By far the biggest offender of stack usage is the recently added
> > > 'prev_state' stack variable in validate_insn(), coming in at 328 bytes.
> >
> > That's weird - how can a user-space tool run into stack
> > limits, are they set particularly conservatively?
>
> On my Fedora system, "ulimit -s" is 8MB. You'd think that would be
> enough :-)
>
> In this case, objtool had over 20,000 stack frames caused by recursively
> following over 7,000(!) conditional jumps in a single function.
Ouch ...
... which means that very likely we'll run into this problem again. :-/
Time to add stack overflow self-detection?
I've attached a simple proof-of-concept that uses
sigaltstacks based SIGSEGV handler to catch a stack
overflow:
starship:/s/stack-overflow> ./overflow
# Starting stack recursion:
# WARNING: SIGSEGV received: Possible stack overflow detected!
starship:/s/stack-overflow>
Could we add something like this to objtool, with
perhaps a look at the interrupted stack pointer from
SIGSEGV_handler(), to make sure the SIGSEGV was due to
a stack overflow?
Thanks,
Ingo
#
# Build with: gcc -Wall -o overflow overflow.c
#
======={ overflow.c }============>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/resource.h>
void SIGSEGV_handler(int sig)
{
/*
* From this point on we are running on the sigaltstack:
*/
fprintf(stderr, "\n# WARNING: SIGSEGV received: Possible stack overflow detected!\n");
_exit(EXIT_FAILURE);
}
void setup_SIGSEGV_handler(void)
{
struct sigaction sa;
stack_t ss;
ss.ss_sp = malloc(SIGSTKSZ);
if (ss.ss_sp == NULL) {
perror("FAIL: malloc");
exit(EXIT_FAILURE);
}
ss.ss_size = SIGSTKSZ;
ss.ss_flags = 0;
if (sigaltstack(&ss, NULL) == -1) {
perror("FAIL: sigaltstack");
exit(EXIT_FAILURE);
}
sa.sa_handler = SIGSEGV_handler;
sigemptyset(&sa.sa_mask);
/*
* SA_ONSTACK tells the kernel to use the sigaltstack
* for this handler:
*/
sa.sa_flags = SA_RESTART | SA_ONSTACK;
if (sigaction(SIGSEGV, &sa, NULL) == -1) {
perror("sigaction");
exit(EXIT_FAILURE);
}
}
// Example function to force a recursive stack overflow
void recurse_into_stack(int depth)
{
char buffer[1000];
(void)buffer;
if (depth < 0)
return;
recurse_into_stack(depth - 1);
}
int main(void)
{
setup_SIGSEGV_handler();
printf("# Starting stack recursion:\n");
recurse_into_stack(1000000);
return 0;
}
Powered by blists - more mailing lists