* [PATCH] arm: fix text section corruption
@ 2017-09-22  3:15 Ji Zhang
  2017-10-25  9:17 ` Ji.Zhang
From: Ji Zhang @ 2017-09-22  3:15 UTC (permalink / raw)
  To: linux-arm-kernel

When CONFIG_CPU_SW_DOMAIN_PAN is enabled, save_regs pushes 9 registers
onto the stack, but the fixup still assumes there are 8 registers on the
stack, which is only the case when CONFIG_CPU_SW_DOMAIN_PAN is
disabled.
When the fixup is executed, -EFAULT is written to the text section.

In fixup:
mov	r4, #-EFAULT
/*
 * When CONFIG_CPU_SW_DOMAIN_PAN enabled, r5 will load the value stored by
 * lr in save_regs, which is the address of instruction in text section.
 */
ldr	r5, [sp,#8*4]	@err_ptr
/*
 * This will write -EFAULT(0xfffffff2) to r5, which points to text section
 * now, and when function returns, it will use 0xfffffff2 as an
 * instruction, then undefined instruction occurs.
 */
str	r4, [r5]

Signed-off-by: Ji Zhang <ji.zhang@mediatek.com>
---
 arch/arm/lib/csumpartialcopyuser.S | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S
index 1712f13..b83fdc0 100644
--- a/arch/arm/lib/csumpartialcopyuser.S
+++ b/arch/arm/lib/csumpartialcopyuser.S
@@ -85,7 +85,11 @@
 		.pushsection .text.fixup,"ax"
 		.align	4
 9001:		mov	r4, #-EFAULT
+#ifdef CONFIG_CPU_SW_DOMAIN_PAN
+		ldr	r5, [sp, #9*4]		@ *err_ptr
+#else
 		ldr	r5, [sp, #8*4]		@ *err_ptr
+#endif
 		str	r4, [r5]
 		ldmia	sp, {r1, r2}		@ retrieve dst, len
 		add	r2, r2, r1
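Review bot: The new `#ifdef CONFIG_CPU_SW_DOMAIN_PAN` branch hard-codes the err_ptr slot as `#9*4` in the fixup, which duplicates the register list of save_regs (defined outside this hunk), so the two can drift apart again the next time the push list changes; as the description notes, a stale offset makes r5 hold the saved lr and `str r4, [r5]` writes -EFAULT into kernel text from a fault path that user input can reach. Consider encoding the frame layout once next to the save_regs/load_regs macro definitions, e.g. `.set err_ptr_off, 9*4` in the PAN block and `.set err_ptr_off, 8*4` otherwise, with the fixup reading `ldr r5, [sp, #err_ptr_off] @ *err_ptr`. A comment on the `9001:` label such as `@ sp -> frame pushed by save_regs; err_ptr slot is 8 or 9 words up depending on CONFIG_CPU_SW_DOMAIN_PAN` would make the dependency visible to the next reader, since the frame is not shown here. The quoted copy of this hunk in the reply below is the same change.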
-- 
1.9.1


* [PATCH] arm: fix text section corruption
  2017-09-22  3:15 [PATCH] arm: fix text section corruption Ji Zhang
@ 2017-10-25  9:17 ` Ji.Zhang
From: Ji.Zhang @ 2017-10-25  9:17 UTC (permalink / raw)
  To: linux-arm-kernel

Dear All sirs,

Is there any suggestion for this patch?

Since we have found that this issue can be reproduced with a high repeat
ratio by some fuzzer tests, we strongly suggest that it be fixed in the next
kernel version.

Thanks a lot.

Ji

On Fri, 2017-09-22 at 11:15 +0800, Ji Zhang wrote:
> When CONFIG_CPU_SW_DOMAIN_PAN is enabled, there are 9 registers being
> pushed into stack in save_regs, but in fixup it still consider there are
> 8 registers in stack, which is the case of CONFIG_CPU_SW_DOMAIN_PAN
> disabled.
> When fixup being executed, -EFAULT will be written to the text section.
> 
> In fixup:
> mov	r4, #-EFAULT
> /*
>  * When CONFIG_CPU_SW_DOMAIN_PAN enabled, r5 will load the value stored by
>  * lr in save_regs, which is the address of instruction in text section.
>  */
> ldr	r5, [sp,#8*4]	@err_ptr
> /*
>  * This will write -EFAULT(0xfffffff2) to r5, which points to text section
>  * now, and when function returns, it will use 0xfffffff2 as an
>  * instruction, then undefined instruction occurs.
>  */
> str	r4, [r5]
> 
> Signed-off-by: Ji Zhang <ji.zhang@mediatek.com>
> ---
>  arch/arm/lib/csumpartialcopyuser.S | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S
> index 1712f13..b83fdc0 100644
> --- a/arch/arm/lib/csumpartialcopyuser.S
> +++ b/arch/arm/lib/csumpartialcopyuser.S
> @@ -85,7 +85,11 @@
>  		.pushsection .text.fixup,"ax"
>  		.align	4
>  9001:		mov	r4, #-EFAULT
> +#ifdef CONFIG_CPU_SW_DOMAIN_PAN
> +		ldr	r5, [sp, #9*4]		@ *err_ptr
> +#else
>  		ldr	r5, [sp, #8*4]		@ *err_ptr
> +#endif
>  		str	r4, [r5]
>  		ldmia	sp, {r1, r2}		@ retrieve dst, len
>  		add	r2, r2, r1

