[5.4,010/320] tools/nolibc: x86-64: Fix startup code bug

Message ID	20220124183954.113119436@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Bedirhan KURT <windowz414@gnuweeb.org>, Louvian Lyndal <louvianlyndal@gmail.com>, Peter Cordes <peter@cordes.ca>, Ammar Faizi <ammar.faizi@students.amikom.ac.id>, Willy Tarreau <w@1wt.eu>, "Paul E. McKenney" <paulmck@kernel.org> Subject: [PATCH 5.4 010/320] tools/nolibc: x86-64: Fix startup code bug Date: Mon, 24 Jan 2022 19:39:54 +0100 Message-Id: <20220124183954.113119436@linuxfoundation.org> In-Reply-To: <20220124183953.750177707@linuxfoundation.org> References: <20220124183953.750177707@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.4,003/320] HID: wacom: Ignore the confidence flag when a touch is removed [5.4,005/320] f2fs: fix to do sanity check in is_alive() [5.4,006/320] nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() [5.4,007/320] mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings [5.4,008/320] mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6 [5.4,010/320] tools/nolibc: x86-64: Fix startup code bug [5.4,014/320] media: v4l2-ioctl.c: readbuffers depends on V4L2_CAP_READWRITE [5.4,016/320] media: mceusb: fix control-message timeouts [5.4,017/320] media: em28xx: fix control-message timeouts [5.4,019/320] media: s2255: fix control-message timeouts [5.4,021/320] media: redrat3: fix control-message timeouts [5.4,024/320] can: softing_cs: softingcs_probe(): fix memleak on registration failure [5.4,025/320] lkdtm: Fix content of section containing lkdtm_rodata_do_nothing() [5.4,027/320] dma_fence_array: Fix PENDING_ERROR leak in dma_fence_array_signaled() [5.4,030/320] mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed pages [5.4,034/320] drm/panel: kingdisplay-kd097d04: Delete panel on attach() failure [5.4,035/320] drm/panel: innolux-p079zca: Delete panel on attach() failure [5.4,036/320] drm/rockchip: dsi: Fix unbalanced clock on probe error [5.4,038/320] clk: bcm-2835: Pick the closest clock rate [5.4,039/320] clk: bcm-2835: Remove rounding up the dividers [5.4,042/320] media: videobuf2: Fix the size printk format [5.4,045/320] media: aspeed: Update signal status immediately to ensure sane hw state [5.4,046/320] arm64: dts: meson-gxbb-wetek: fix HDMI in early boot [5.4,050/320] media: dmxdev: fix UAF when dvb_register_device() fails [5.4,052/320] arm64: dts: ti: k3-j721e: correct cache-sets info [5.4,053/320] tty: serial: atmel: Check return code of dmaengine_submit() [5.4,054/320] tty: serial: atmel: Call dma_async_issue_pending() [5.4,057/320] media: si470x-i2c: fix possible memory leak in si470x_i2c_probe() [5.4,058/320] media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released [5.4,061/320] arm64: dts: qcom: msm8916: fix MMC controller aliases [5.4,063/320] drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode() [5.4,064/320] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms() [5.4,070/320] staging: rtl8192e: rtllib_module: fix error handle case in alloc_rtllib() [5.4,071/320] Bluetooth: btmtksdio: fix resume failure [5.4,075/320] sched/rt: Try to restart rt period timer when rt runtime exceeded [5.4,077/320] mwifiex: Fix possible ABBA deadlock [5.4,080/320] crypto: stm32/cryp - fix double pm exit [5.4,083/320] media: dw2102: Fix use after free [5.4,085/320] media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes [5.4,086/320] drm/msm/dpu: fix safe status debugfs file [5.4,088/320] media: hantro: Fix probe func error path [5.4,089/320] xfrm: interface with if_id 0 should return error [5.4,090/320] xfrm: state and policy should fail if XFRMA_IF_ID 0 [5.4,092/320] usb: ftdi-elan: fix memory leak on device disconnect [5.4,095/320] selinux: fix potential memleak in selinux_add_opt() [5.4,097/320] x86/mce/inject: Avoid out-of-bounds write when setting flags [5.4,098/320] ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes [5.4,099/320] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region() [5.4,100/320] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region() [5.4,105/320] staging: greybus: audio: Check null pointer [5.4,106/320] fsl/fman: Check for null pointer after calling devm_ioremap [5.4,109/320] HID: hid-uclogic-params: Invalid parameter check in uclogic_params_get_str_desc [5.4,112/320] debugfs: lockdown: Allow reading debugfs files that are not world readable [5.4,113/320] net/mlx5e: Dont block routes with nexthop objects in SW [5.4,115/320] net/mlx5: Set command entry semaphore up once got index free [5.4,118/320] can: softing: softing_startstop(): fix set but not used variable warning [5.4,119/320] can: xilinx_can: xcan_probe(): check for error irq [5.4,120/320] pcmcia: fix setting of kthread task states [5.4,121/320] net: mcs7830: handle usb read errors properly [5.4,122/320] ext4: avoid trim error on fs with small groups [5.4,125/320] ALSA: hda: Add missing rwsem around snd_ctl_remove() calls [5.4,127/320] clk: imx8mn: Fix imx8mn_clko1_sels [5.4,129/320] ASoC: uniphier: drop selecting non-existing SND_SOC_UNIPHIER_AIO_DMA [5.4,130/320] ALSA: oss: fix compile error when OSS_DEBUG is enabled [5.4,136/320] PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity() [5.4,139/320] RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty entry [5.4,140/320] ASoC: rt5663: Handle device_property_read_u32_array error codes [5.4,142/320] dmaengine: pxa/mmp: stop referencing config->slave_id [5.4,145/320] ASoC: mediatek: Check for error clk pointer [5.4,148/320] mips: lantiq: add support for clk_set_parent() [5.4,149/320] mips: bcm63xx: add support for clk_set_parent() [5.4,152/320] Bluetooth: Fix debugfs entry leak in hci_register_dev() [5.4,155/320] drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y [5.4,157/320] drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR [5.4,158/320] ARM: shmobile: rcar-gen2: Add missing of_node_put() [5.4,162/320] HID: apple: Do not reset quirks when the Fn key is not found [5.4,164/320] EDAC/synopsys: Use the quirk for version instead of ddr version [5.4,166/320] mlxsw: pci: Add shutdown method in PCI driver [5.4,167/320] drm/bridge: megachips: Ensure both bridges are probed before registration [5.4,168/320] gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use [5.4,170/320] mwifiex: Fix skb_over_panic in mwifiex_usb_recv() [5.4,171/320] rsi: Fix use-after-free in rsi_rx_done_handler() [5.4,176/320] media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds. [5.4,177/320] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() [5.4,178/320] media: m920x: dont use stack on USB reads [5.4,179/320] iwlwifi: mvm: synchronize with FW after multicast commands [5.4,184/320] x86/mce: Mark mce_panic() noinstr [5.4,185/320] x86/mce: Mark mce_end() noinstr [5.4,187/320] net: bonding: debug: avoid printing debug logs when bond is not notifying peers [5.4,188/320] bpf: Do not WARN in bpf_warn_invalid_xdp_action() [5.4,191/320] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() [5.4,195/320] arm64: tegra: Adjust length of CCPLEX cluster MMIO region [5.4,198/320] ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream [5.4,199/320] iwlwifi: fix leaks/bad data after failed firmware load [5.4,200/320] iwlwifi: remove module loading failure message [5.4,203/320] jffs2: GC deadlock reading a page that is used in jffs2_write_begin() [5.4,204/320] ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions [5.4,205/320] ACPICA: Utilities: Avoid deleting the same object twice in a row [5.4,206/320] ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R() [5.4,207/320] ACPICA: Fix wrong interpretation of PCC address [5.4,208/320] ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 [5.4,213/320] net: mdio: Demote probed message to debug print [5.4,214/320] mac80211: allow non-standard VHT MCS-10/11 [5.4,216/320] dm space map common: add bounds check to sm_ll_lookup_bitmap() [5.4,217/320] net: phy: marvell: configure RGMII delays for 88E1118 [5.4,218/320] net: gemini: allow any RGMII interface mode [5.4,223/320] parisc: Avoid calling faulthandler_disabled() twice [5.4,224/320] powerpc/6xx: add missing of_node_put [5.4,225/320] powerpc/powernv: add missing of_node_put [5.4,227/320] powerpc/btext: add missing of_node_put [5.4,229/320] i2c: i801: Dont silently correct invalid transfer size [5.4,232/320] clk: meson: gxbb: Fix the SDM_EN bit for MPLL0 on GXBB [5.4,234/320] KVM: PPC: Book3S: Suppress failed alloc warning in H_COPY_TOFROM_GUEST [5.4,236/320] scsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanup [5.4,237/320] ALSA: seq: Set upper limit of processed events [5.4,238/320] powerpc: handle kdump appropriately with crash_kexec_post_notifiers option [5.4,239/320] MIPS: OCTEON: add put_device() after of_find_device_by_node() [5.4,241/320] MIPS: Octeon: Fix build errors using clang [5.4,242/320] scsi: sr: Dont use GFP_DMA [5.4,246/320] crypto: omap-aes - Fix broken pm_runtime_and_get() usage [5.4,251/320] serial: Fix incorrect rs485 polarity on uart open [5.4,252/320] cputime, cpuacct: Include guest time in user time in cpuacct.stat [5.4,253/320] tracing/kprobes: nmissed not showed correctly for kretprobe [5.4,254/320] iwlwifi: mvm: Increase the scan timeout guard to 30 seconds [5.4,256/320] drm/etnaviv: limit submit sizes [5.4,257/320] drm/nouveau/kms/nv04: use vzalloc for nv04_display [5.4,258/320] drm/bridge: analogix_dp: Make PSR-exit block less [5.4,262/320] PCI: pci-bridge-emul: Correctly set PCIe capabilities [5.4,267/320] btrfs: respect the max size in the header when activating swap file [5.4,268/320] ext4: make sure to reset inode lockdep class when quota enabling fails [5.4,269/320] ext4: make sure quota gets properly shutdown on error [5.4,271/320] ext4: Fix BUG_ON in ext4_bread when write quota data [5.4,274/320] of: base: Improve argument length mismatch error [5.4,276/320] media: rcar-csi2: Optimize the selection PHTW register [5.4,279/320] Documentation: refer to config RANDOMIZE_BASE for kernel address-space randomization [5.4,282/320] RDMA/hns: Modify the mapping attribute of doorbell to device [5.4,286/320] powerpc/cell: Fix clang -Wimplicit-fallthrough warning [5.4,287/320] powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses [5.4,290/320] net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module [5.4,295/320] net: axienet: limit minimum TX ring size [5.4,299/320] inet: frags: annotate races around fqdir->dead and fqdir->high_thresh [5.4,301/320] xfrm: Dont accidentally set RTO_ONLINK in decode_session4() [5.4,303/320] libcxgb: Dont accidentally set RTO_ONLINK in cxgb_find_route() [5.4,307/320] dmaengine: at_xdmac: Fix concurrency over xfers_list [5.4,308/320] dmaengine: at_xdmac: Fix lld view setting [5.4,310/320] arm64: dts: qcom: msm8996: drop not documented adreno properties [5.4,314/320] dt-bindings: display: meson-dw-hdmi: add missing sound-name-prefix property [5.4,316/320] scripts/dtc: dtx_diff: remove broken example from help text [5.4,317/320] lib82596: Fix IRQ check in sni_82596_probe [5.4,319/320] mtd: nand: bbt: Fix corner case in bad block table handling

Message ID

20220124183954.113119436@linuxfoundation.org

State

New

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Bedirhan KURT <windowz414@gnuweeb.org>,
        Louvian Lyndal <louvianlyndal@gmail.com>,
        Peter Cordes <peter@cordes.ca>,
        Ammar Faizi <ammar.faizi@students.amikom.ac.id>,
        Willy Tarreau <w@1wt.eu>,
        "Paul E. McKenney" <paulmck@kernel.org>
Subject: [PATCH 5.4 010/320] tools/nolibc: x86-64: Fix startup code bug
Date: Mon, 24 Jan 2022 19:39:54 +0100
Message-Id: <20220124183954.113119436@linuxfoundation.org>
In-Reply-To: <20220124183953.750177707@linuxfoundation.org>
References: <20220124183953.750177707@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

None | expand

Commit Message

Greg KH Jan. 24, 2022, 6:39 p.m. UTC

From: Ammar Faizi <ammar.faizi@students.amikom.ac.id>

commit 937ed91c712273131de6d2a02caafd3ee84e0c72 upstream.

Before this patch, the `_start` function looks like this:
```
0000000000001170 <_start>:
    1170:	pop    %rdi
    1171:	mov    %rsp,%rsi
    1174:	lea    0x8(%rsi,%rdi,8),%rdx
    1179:	and    $0xfffffffffffffff0,%rsp
    117d:	sub    $0x8,%rsp
    1181:	call   1000 <main>
    1186:	movzbq %al,%rdi
    118a:	mov    $0x3c,%rax
    1191:	syscall
    1193:	hlt
    1194:	data16 cs nopw 0x0(%rax,%rax,1)
    119f:	nop
```
Note the "and" to %rsp with $-16, it makes the %rsp be 16-byte aligned,
but then there is a "sub" with $0x8 which makes the %rsp no longer
16-byte aligned, then it calls main. That's the bug!

What actually the x86-64 System V ABI mandates is that right before the
"call", the %rsp must be 16-byte aligned, not after the "call". So the
"sub" with $0x8 here breaks the alignment. Remove it.

An example where this rule matters is when the callee needs to align
its stack at 16-byte for aligned move instruction, like `movdqa` and
`movaps`. If the callee can't align its stack properly, it will result
in segmentation fault.

x86-64 System V ABI also mandates the deepest stack frame should be
zero. Just to be safe, let's zero the %rbp on startup as the content
of %rbp may be unspecified when the program starts. Now it looks like
this:
```
0000000000001170 <_start>:
    1170:	pop    %rdi
    1171:	mov    %rsp,%rsi
    1174:	lea    0x8(%rsi,%rdi,8),%rdx
    1179:	xor    %ebp,%ebp                # zero the %rbp
    117b:	and    $0xfffffffffffffff0,%rsp # align the %rsp
    117f:	call   1000 <main>
    1184:	movzbq %al,%rdi
    1188:	mov    $0x3c,%rax
    118f:	syscall
    1191:	hlt
    1192:	data16 cs nopw 0x0(%rax,%rax,1)
    119d:	nopl   (%rax)
```

Cc: Bedirhan KURT <windowz414@gnuweeb.org>
Cc: Louvian Lyndal <louvianlyndal@gmail.com>
Reported-by: Peter Cordes <peter@cordes.ca>
Signed-off-by: Ammar Faizi <ammar.faizi@students.amikom.ac.id>
[wt: I did this on purpose due to a misunderstanding of the spec, other
     archs will thus have to be rechecked, particularly i386]
Cc: stable@vger.kernel.org
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/include/nolibc/nolibc.h |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/tools/include/nolibc/nolibc.h
+++ b/tools/include/nolibc/nolibc.h
@@ -422,14 +422,20 @@  struct stat {
 })
 
 /* startup code */
+/*
+ * x86-64 System V ABI mandates:
+ * 1) %rsp must be 16-byte aligned right before the function call.
+ * 2) The deepest stack frame should be zero (the %rbp).
+ *
+ */
 asm(".section .text\n"
     ".global _start\n"
     "_start:\n"
     "pop %rdi\n"                // argc   (first arg, %rdi)
     "mov %rsp, %rsi\n"          // argv[] (second arg, %rsi)
     "lea 8(%rsi,%rdi,8),%rdx\n" // then a NULL then envp (third arg, %rdx)
-    "and $-16, %rsp\n"          // x86 ABI : esp must be 16-byte aligned when
-    "sub $8, %rsp\n"            // entering the callee
+    "xor %ebp, %ebp\n"          // zero the stack frame
+    "and $-16, %rsp\n"          // x86 ABI : esp must be 16-byte aligned before call
     "call main\n"               // main() returns the status code, we'll exit with it.
     "movzb %al, %rdi\n"         // retrieve exit code from 8 lower bits
     "mov $60, %rax\n"           // NR_exit == 60

[5.4,010/320] tools/nolibc: x86-64: Fix startup code bug

Commit Message

Patch