From: Segher Boessenkool <segher@kernel.crashing.org>
To: Nicholas Piggin <npiggin@gmail.com>
Cc: linuxppc-dev@lists.ozlabs.org
Subject: Re: [RFC PATCH 01/19] powerpc/perf: callchain validate kernel stack pointer bounds
Date: Fri, 4 Nov 2022 08:10:28 -0500
Message-ID: <20221104131028.GN25951@gate.crashing.org>
In-Reply-To: <20221031055440.3594315-2-npiggin@gmail.com>

On Mon, Oct 31, 2022 at 03:54:22PM +1000, Nicholas Piggin wrote:
> Could the user set r1 to be equal to the address matching the first
> interrupt frame - STACK_INT_FRAME_SIZE, which is in the previous page
> due to the kernel redzone, and induce the kernel to load the marker from
> there? Possibly it could cause a crash at least.
Yes, the user can set r1 to anything; it is just a general purpose
register. This isn't a valid thing to do of course, since the ABI requires
r1 to point at a valid stack at all times, but it is an obvious attack
point if we do not harden against this :-)
Segher
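A stand-alone model of the check this patch discussion is about, added here and not code from the kernel or from either poster: it refuses to dereference a frame unless the whole frame lies inside the task's kernel stack, so an r1 set one frame below the stack (the previous page, as in the question quoted above) gives the walker nothing to read. THREAD_SIZE, STACK_INT_FRAME_SIZE, the alignment, the addresses and the back-chain walker are all assumptions of the model, not powerpc values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added model of the bounds check a kernel callchain walker needs before
 * dereferencing a frame. Not the kernel's validate_sp(); sizes are assumed. */
#define THREAD_SIZE          4096UL  /* assumed kernel stack size (one page) */
#define STACK_INT_FRAME_SIZE 256UL   /* assumed interrupt frame size */
#define STACK_ALIGN          16UL

/* True only if a frame of `nbytes` at `sp` is aligned and lies entirely
 * inside [stack_base, stack_base + THREAD_SIZE). */
bool sp_in_kernel_stack(uintptr_t sp, uintptr_t stack_base, size_t nbytes)
{
    uintptr_t stack_end = stack_base + THREAD_SIZE;
    if (sp & (STACK_ALIGN - 1))
        return false;                  /* not a real frame address */
    if (sp < stack_base || sp >= stack_end)
        return false;                  /* outside the stack's page(s) */
    return nbytes <= stack_end - sp;   /* frame must not run past the top */
}

/* Follow back chains (offset 0 of each frame) and count frames, refusing to
 * read any frame that fails the check. `stack` models memory at stack_base. */
int walk_frames(const uint8_t *stack, uintptr_t stack_base, uintptr_t sp)
{
    int depth = 0;
    while (sp_in_kernel_stack(sp, stack_base, STACK_INT_FRAME_SIZE)) {
        uintptr_t next;
        memcpy(&next, stack + (sp - stack_base), sizeof next);
        depth++;
        if (next == 0)
            break;                     /* end of chain */
        sp = next;
    }
    return depth;
}

/* Constructed scenario: two chained frames. The initial r1 is either the real
 * first frame or one frame below the stack base (the previous page). */
int demo_walk(bool start_below_stack)
{
    static uint8_t stack[THREAD_SIZE];
    const uintptr_t base = 0x100000, f0 = base + 0x800, f1 = base + 0xC00, end = 0;
    memset(stack, 0, sizeof stack);
    memcpy(stack + (f0 - base), &f1, sizeof f1);
    memcpy(stack + (f1 - base), &end, sizeof end);
    uintptr_t r1 = start_below_stack ? base - STACK_INT_FRAME_SIZE : f0;
    return walk_frames(stack, base, r1);
}
```

With a genuine r1 the walk visits both frames; with r1 pointing one frame below the stack the check fails before any load, so the walker returns zero frames instead of touching the previous page.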