lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260112164001.GQ830755@noisy.programming.kicks-ass.net>
Date: Mon, 12 Jan 2026 17:40:01 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: Oleg Nesterov <oleg@...hat.com>
Cc: Andrii Nakryiko <andrii@...nel.org>, Borislav Petkov <bp@...en8.de>,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	David Hildenbrand <david@...nel.org>,
	"H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>,
	Jiri Olsa <jolsa@...nel.org>,
	Masami Hiramatsu <mhiramat@...nel.org>,
	Paulo Andrade <pandrade@...hat.com>,
	Thomas Gleixner <tglx@...utronix.de>, linux-kernel@...r.kernel.org,
	x86@...nel.org
Subject: Re: [PATCH] x86/uprobes: Fix XOL allocation failure for 32-bit tasks

On Sun, Jan 11, 2026 at 04:00:37PM +0100, Oleg Nesterov wrote:
> This script
> 
> 	#!/usr/bin/bash
> 
> 	echo 0 > /proc/sys/kernel/randomize_va_space
> 
> 	echo 'void main(void) {}' > TEST.c
> 
> 	# -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
> 	gcc -m32 -fcf-protection=branch TEST.c -o test
> 
> 	bpftrace -e 'uprobe:./test:main {}' -c ./test
> 
> "hangs", the probed ./test task enters an endless loop.
> 
> The problem is that with randomize_va_space == 0
> get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not
> just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used
> by the stack vma.
> 
> arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and
> in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
> vm_unmapped_area() happily returns the high address > TASK_SIZE and then
> get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)"
> check.
> 
> handle_swbp() doesn't report this failure (probably it should) and silently
> restarts the probed insn. Endless loop.
> 
> I think that the right fix should change the x86 get_unmapped_area() paths
> to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
> CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
> because ->orig_ax = -1.
> 
> But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
> the probed task is 32-bit to make in_ia32_syscall() true.
> 
> Cc: stable@...r.kernel.org
> Reported-by: Paulo Andrade <pandrade@...hat.com>
> Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
> Signed-off-by: Oleg Nesterov <oleg@...hat.com>

Does this want a Fixes tag? Or has this been busted like forever?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ