- From bb0be747b5ee45f07f5514a214231c9061261b50 Mon Sep 17 00:00:00 2001
- From: Andy Lutomirski <[email protected]>
- Date: Mon, 4 Dec 2017 15:07:08 +0100
- Subject: [PATCH 138/232] x86/unwinder/orc: Dont bail on stack overflow
- MIME-Version: 1.0
- Content-Type: text/plain; charset=UTF-8
- Content-Transfer-Encoding: 8bit
- CVE-2017-5754
- If the stack overflows into a guard page, the ORC unwinder should work
- well: by construction, there can't be any meaningful data in the guard page
- because no writes to the guard page will have succeeded.
- But there is a bug that prevents unwinding from working correctly: if the
- starting register state has RSP pointing into a stack guard page, the ORC
- unwinder bails out immediately.
- Instead of bailing out immediately check whether the next page up is a
- valid check page and if so analyze that. As a result the ORC unwinder will
- start the unwind.
- Tested by intentionally overflowing the task stack. The result is an
- accurate call trace instead of a trace consisting purely of '?' entries.
- There are a few other bugs that are triggered if the unwinder encounters a
- stack overflow after the first step, but they are outside the scope of this
- fix.
- Signed-off-by: Andy Lutomirski <[email protected]>
- Signed-off-by: Thomas Gleixner <[email protected]>
- Cc: Boris Ostrovsky <[email protected]>
- Cc: Borislav Petkov <[email protected]>
- Cc: Borislav Petkov <[email protected]>
- Cc: Brian Gerst <[email protected]>
- Cc: Dave Hansen <[email protected]>
- Cc: Dave Hansen <[email protected]>
- Cc: David Laight <[email protected]>
- Cc: Denys Vlasenko <[email protected]>
- Cc: Eduardo Valentin <[email protected]>
- Cc: Greg KH <[email protected]>
- Cc: H. Peter Anvin <[email protected]>
- Cc: Josh Poimboeuf <[email protected]>
- Cc: Juergen Gross <[email protected]>
- Cc: Linus Torvalds <[email protected]>
- Cc: Peter Zijlstra <[email protected]>
- Cc: Rik van Riel <[email protected]>
- Cc: Will Deacon <[email protected]>
- Cc: [email protected]
- Cc: [email protected]
- Cc: [email protected]
- Cc: [email protected]
- Link: https://lkml.kernel.org/r/[email protected]
- Signed-off-by: Ingo Molnar <[email protected]>
- (cherry picked from commit d3a09104018cf2ad5973dfa8a9c138ef9f5015a3)
- Signed-off-by: Andy Whitcroft <[email protected]>
- Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
- (cherry picked from commit e5c3115ac69cddd384d6f7abc4a0ef030b247498)
- Signed-off-by: Fabian Grünbichler <[email protected]>
- ---
- arch/x86/kernel/unwind_orc.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
- diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
- index 570b70d3f604..cea85bfe93f7 100644
- --- a/arch/x86/kernel/unwind_orc.c
- +++ b/arch/x86/kernel/unwind_orc.c
- @@ -552,8 +552,18 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
- }
-
- if (get_stack_info((unsigned long *)state->sp, state->task,
- - &state->stack_info, &state->stack_mask))
- - return;
- + &state->stack_info, &state->stack_mask)) {
- + /*
- + * We weren't on a valid stack. It's possible that
- + * we overflowed a valid stack into a guard page.
- + * See if the next page up is valid so that we can
- + * generate some kind of backtrace if this happens.
- + */
- + void *next_page = (void *)PAGE_ALIGN((unsigned long)state->sp);
- + if (get_stack_info(next_page, state->task, &state->stack_info,
- + &state->stack_mask))
- + return;
- + }
-
- /*
- * The caller can provide the address of the first frame directly
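Review bot: the retry in this hunk does nothing when `state->sp` is already page-aligned. `PAGE_ALIGN()` rounds up to the next page boundary, so for a page-aligned `sp` it returns `sp` itself, `next_page` is the same guard-page address that just failed, and the second `get_stack_info()` call repeats the failed lookup before returning. If the intent is always "the page above the one `sp` points into", compute `next_page` as `(void *)((state->sp & PAGE_MASK) + PAGE_SIZE)` (or `PAGE_ALIGN(state->sp + 1)`); if a page-aligned `sp` inside a guard page is considered unreachable here, the comment should say so. Either way, the comment block could note that this recovers a one-page overflow only, which matches the commit message's statement that deeper overflows after the first step are out of scope.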
- --
- 2.14.2