| Message ID | 20230926114343.1061739-2-twuufnxlz@gmail.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | riscv: fix out of bounds in walk_stackframe | expand |
Hi Edward, On 26/09/2023 13:43, Edward AD wrote: > Increase the check on the frame after assigning its value. This is to prevent > frame access from crossing boundaries. > > Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/ > Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") > Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com > Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/ > Signed-off-by: Edward AD <twuufnxlz@gmail.com> > --- > arch/riscv/kernel/stacktrace.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c > index 64a9c093aef9..53bd18672329 100644 > --- a/arch/riscv/kernel/stacktrace.c > +++ b/arch/riscv/kernel/stacktrace.c > @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs, > break; > /* Unwind stack frame */ > frame = (struct stackframe *)fp - 1; > + if (!virt_addr_valid(frame)) > + break; > sp = fp; > if (regs && (regs->epc == pc) && (frame->fp & 0x7)) { > fp = frame->ra; virt_addr_valid() works on kernel linear addresses, not on vmalloc addresses, which is the case here (0xff20000006d37c38 belongs to the vmalloc region: see https://elixir.bootlin.com/linux/latest/source/Documentation/riscv/vm-layout.rst#L125). So this fix can't work. I'm a bit surprised though of this out-of-bounds access since CONFIG_FRAME_POINTER is enabled, so there may be a real issue here (the console output is horrible, lots of backtraces, which is weird), so it may be worth digging into that. Thanks, Alex
Oh and BTW, any idea why linux-riscv was not in CC for the initial report? On 28/09/2023 10:02, Alexandre Ghiti wrote: > Hi Edward, > > On 26/09/2023 13:43, Edward AD wrote: >> Increase the check on the frame after assigning its value. This is to >> prevent >> frame access from crossing boundaries. >> >> Closes: >> https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/ >> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") >> Reported-and-tested-by: >> syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com >> Link: >> https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/ >> Signed-off-by: Edward AD <twuufnxlz@gmail.com> >> --- >> arch/riscv/kernel/stacktrace.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/arch/riscv/kernel/stacktrace.c >> b/arch/riscv/kernel/stacktrace.c >> index 64a9c093aef9..53bd18672329 100644 >> --- a/arch/riscv/kernel/stacktrace.c >> +++ b/arch/riscv/kernel/stacktrace.c >> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct >> *task, struct pt_regs *regs, >> break; >> /* Unwind stack frame */ >> frame = (struct stackframe *)fp - 1; >> + if (!virt_addr_valid(frame)) >> + break; >> sp = fp; >> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) { >> fp = frame->ra; > > > virt_addr_valid() works on kernel linear addresses, not on vmalloc > addresses, which is the case here (0xff20000006d37c38 belongs to the > vmalloc region: see > https://elixir.bootlin.com/linux/latest/source/Documentation/riscv/vm-layout.rst#L125). > So this fix can't work. > > I'm a bit surprised though of this out-of-bounds access since > CONFIG_FRAME_POINTER is enabled, so there may be a real issue here > (the console output is horrible, lots of backtraces, which is weird), > so it may be worth digging into that. > > Thanks, > > Alex > > > > _______________________________________________ > linux-riscv mailing list > linux-riscv@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv
diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c index 64a9c093aef9..53bd18672329 100644 --- a/arch/riscv/kernel/stacktrace.c +++ b/arch/riscv/kernel/stacktrace.c @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs, break; /* Unwind stack frame */ frame = (struct stackframe *)fp - 1; + if (!virt_addr_valid(frame)) + break; sp = fp; if (regs && (regs->epc == pc) && (frame->fp & 0x7)) { fp = frame->ra;
Increase the check on the frame after assigning its value. This is to prevent frame access from crossing boundaries. Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/ Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/ Signed-off-by: Edward AD <twuufnxlz@gmail.com> --- arch/riscv/kernel/stacktrace.c | 2 ++ 1 file changed, 2 insertions(+)