From: Nicholas Piggin <npiggin@gmail.com>
To: linuxppc-dev@lists.ozlabs.org
Cc: Nicholas Piggin <npiggin@gmail.com>
Subject: [RFC PATCH 01/19] powerpc/perf: callchain validate kernel stack pointer bounds
Date: Mon, 31 Oct 2022 15:54:22 +1000
Message-ID: <20221031055440.3594315-2-npiggin@gmail.com>
In-Reply-To: <20221031055440.3594315-1-npiggin@gmail.com>
The interrupt frame detection and loads from the hypothetical pt_regs
are not bounds-checked. The next-frame validation only bounds-checks
STACK_FRAME_OVERHEAD, which does not include the pt_regs. Add another
test for this.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
Could the user set r1 to be equal to the address matching the first
interrupt frame - STACK_INT_FRAME_SIZE, which is in the previous page
due to the kernel redzone, and induce the kernel to load the marker from
there? Possibly it could cause a crash at least.
It also seems a bit rude to put a fancy next-frame-validation out in
perf/ rather than with the rest of the frame validation code.
Thanks,
Nick
arch/powerpc/perf/callchain.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/powerpc/perf/callchain.c b/arch/powerpc/perf/callchain.c
index 082f6d0308a4..8718289c051d 100644
--- a/arch/powerpc/perf/callchain.c
+++ b/arch/powerpc/perf/callchain.c
@@ -61,6 +61,7 @@ perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, struct pt_regs *re
next_sp = fp[0];
if (next_sp == sp + STACK_INT_FRAME_SIZE &&
+ validate_sp(sp, current, STACK_INT_FRAME_SIZE) &&
fp[STACK_FRAME_MARKER] == STACK_FRAME_REGS_MARKER) {
/*
* This looks like an interrupt frame for an
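Review bot: the new validate_sp() call is correctly ordered between the next_sp comparison and the fp[STACK_FRAME_MARKER] load, so the marker read is only reached once sp..sp+STACK_INT_FRAME_SIZE has been checked against the task's stack; that guard relies on the && short-circuit, so a one-line comment stating that the marker and pt_regs loads below must stay after validate_sp() would keep a later reordering from silently reintroducing the unbounded read the commit message describes. The sizing also answers the question in the cover note about an r1 placed STACK_INT_FRAME_SIZE below a real interrupt frame: the full interrupt-frame size, not STACK_FRAME_OVERHEAD, is what is validated here, so a frame that spills outside the stack fails the check before any load from it.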
--
2.37.2
2022-10-31 5:54 [RFC PATCH 00/19] Remove STACK_FRAME_OVERHEAD Nicholas Piggin
2022-10-31 5:54 ` Nicholas Piggin [this message]
2022-11-04 13:10 ` [RFC PATCH 01/19] powerpc/perf: callchain validate kernel stack pointer bounds Segher Boessenkool
2022-10-31 5:54 ` [RFC PATCH 02/19] powerpc: Rearrange copy_thread child stack creation Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 03/19] powerpc/64: Remove asm interrupt tracing call helpers Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 04/19] powerpc/pseries: hvcall stack frame overhead Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 05/19] powerpc/32: Use load and store multiple in GPR save/restore macros Nicholas Piggin
2022-11-03 8:26 ` Christophe Leroy
2022-11-07 12:45 ` Nicholas Piggin
2022-11-07 12:51 ` Christophe Leroy
2022-10-31 5:54 ` [RFC PATCH 06/19] powerpc: simplify ppc_save_regs Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 07/19] powerpc: add definition for pt_regs offset within an interrupt frame Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 08/19] powerpc: add a definition for the marker offset within the " Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 09/19] powerpc: Rename STACK_FRAME_MARKER and derive it from frame offset Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 10/19] powerpc: add a define for the user interrupt frame size Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 11/19] powerpc: add a define for the switch frame size and regs offset Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 12/19] powerpc: copy_thread fill in interrupt frame marker and back chain Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 13/19] powerpc: copy_thread add a back chain to the switch stack frame Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 14/19] powerpc: split validate_sp into two functions Nicholas Piggin
2022-11-07 0:58 ` Russell Currey
2022-11-07 12:29 ` Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 15/19] powerpc: allow minimum sized kernel stack frames Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 16/19] powerpc/64: ELFv2 use minimal stack frames in int and switch frame sizes Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 17/19] powerpc: remove STACK_FRAME_OVERHEAD Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 18/19] powerpc: change stack marker memory operations to 32-bit Nicholas Piggin
2022-10-31 5:54 ` [RFC PATCH 19/19] powerpc/64: ELFv2 use reserved word in the stack frame for the regs marker Nicholas Piggin