From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: linus.walleij@linaro.org, linux@armlinux.org.uk, Ard Biesheuvel
Subject: [PATCH] ARM: stacktrace: disregard .entry.text when looking for exception frames
Date: Thu, 29 Oct 2020 01:17:53 +0100
Message-Id: <20201029001753.717-1-ardb@kernel.org>
X-Mailer: git-send-email 2.17.1

Commit c608906165355089 ("ARM: probes: avoid adding kprobes to sensitive
kernel-entry/exit code") reorganized the section layout to prevent entry
code from being instrumented by kprobes.
This resulted in stack frames referring back to entry code being
misidentified as exception frames, resulting in splats like the below when
KASAN is enabled:

==================================================================
BUG: KASAN: stack-out-of-bounds in save_trace+0xc1/0xf8
Read of size 4 at addr df01f89c by task bash/3421

CPU: 12 PID: 3421 Comm: bash Not tainted 5.10.0-rc1-kasan+ #219
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[] (unwind_backtrace) from [] (show_stack+0xb/0xc)
[] (show_stack) from [] (dump_stack+0x8d/0xa0)
[] (dump_stack) from [] (print_address_description.constprop.3+0x2b/0x368)
[] (print_address_description.constprop.3) from [] (kasan_report+0xfd/0x114)
[] (kasan_report) from [] (save_trace+0xc1/0xf8)
[] (save_trace) from [] (walk_stackframe+0x1b/0x20)
[] (walk_stackframe) from [] (__save_stack_trace+0xf9/0x100)
[] (__save_stack_trace) from [] (stack_trace_save+0x71/0x88)
[] (stack_trace_save) from [] (kasan_save_stack+0x11/0x28)
[] (kasan_save_stack) from [] (kasan_set_track+0x1d/0x20)
[] (kasan_set_track) from [] (kasan_set_free_info+0x19/0x20)
[] (kasan_set_free_info) from [] (__kasan_slab_free+0xa7/0xcc)
[] (__kasan_slab_free) from [] (kmem_cache_free+0x59/0x21c)
[] (kmem_cache_free) from [] (rcu_core+0x2d7/0x988)
[] (rcu_core) from [] (__do_softirq+0x133/0x41c)
[] (__do_softirq) from [] (irq_exit+0xb5/0xcc)
[] (irq_exit) from [] (__handle_domain_irq+0x5f/0xa8)
[] (__handle_domain_irq) from [] (gic_handle_irq+0x3d/0x8c)
[] (gic_handle_irq) from [] (__irq_svc+0x51/0x7c)
Exception stack(0xdf01f7f8 to 0xdf01f840)
f7e0:                                                       df01f8e0 df01f8a0
f800: 00000008 df01fc7c 000000ad df01f960 df01f8e0 00000008 bae03f10 df01fc58
f820: df01f8a0 0000000a c040b660 df01f848 c04114eb c04110b8 20000033 ffffffff
[] (__irq_svc) from [] (unwind_pop_register+0x0/0x58)
[] (unwind_pop_register) from [] (ret_fast_syscall+0x1/0x5a)
Exception stack(0xdf01f860 to 0xdf01f8a8)
f860: 41b58ab3 c1f939e0 c04111ec 00000000 d129e800 c0411311 df01fa44 df01fa4c
f880: 41b58ab3 c1f939e0 c04111ec 00000001 00000003 c040b569 df01f8c0 df01c000
f8a0: df01fc7c df01ffa8
...

addr df01f89c is located in stack of task bash/3421 at offset 28 in frame:
 unwind_frame+0x0/0x578

Here, the last entry represents a call to unwind_pop_register frame() with
the return address set to ret_fast_syscall, and since in_entry_text()
returns true for that return address, save_trace() treats it as an
exception frame, and attempts to dereference the struct pt_regs pointer to
access the ARM_pc value. With KASAN instrumentation enabled, this results
in a read from an address which is annotated as out of bounds, resulting in
the splat.

(Note that the KASAN response is triggered inside the KASAN machinery
itself, which records stack traces for memory allocation and free actions.
While recording such a stack trace, the out of bounds access triggered the
response above, resulting in yet another walk of the call stack, but this
time KASAN was no longer mediating the memory accesses. The same stack
frame is misidentified a second time, which is why the trace above
contains 'Exception stack(0xdf01f860 to 0xdf01f8a8)', which is not really
an exception stack at all.)

So the correct thing to do here is to disregard .entry.text, and only take
true exception frames into account. So we need to use __in_irqentry_text()
instead, in two places: in save_trace(), which KASAN uses to record the
stack traces, and in dump_backtrace_entry(), which prints the exception
stack to the kernel log like above.

Fixes: c608906165355089 ("ARM: probes: avoid adding kprobes to sensitive ...")
Signed-off-by: Ard Biesheuvel
---
 arch/arm/kernel/stacktrace.c | 2 +-
 arch/arm/kernel/traps.c      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c
index 76ea4178a55c..56a7abdc1b96 100644
--- a/arch/arm/kernel/stacktrace.c
+++ b/arch/arm/kernel/stacktrace.c
@@ -112,7 +112,7 @@ static int save_trace(struct stackframe *frame, void *d) if (trace->nr_entries >= trace->max_entries) return 1; - if (!in_entry_text(frame->pc)) + if (!__in_irqentry_text(frame->pc)) return 0; regs = (struct pt_regs *)frame->sp; diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c index 17d5a785df28..30628daa80b4 100644 --- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c @@ -75,7 +75,7 @@ void dump_backtrace_entry(unsigned long where, unsigned long from, loglvl, where, from); #endif - if (in_entry_text(from) && end <= ALIGN(frame, THREAD_SIZE)) + if (__in_irqentry_text(from) && end <= ALIGN(frame, THREAD_SIZE)) dump_mem(loglvl, "Exception stack", frame + 4, end); } -- 2.17.1
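Review bot: in the save_trace() hunk in stacktrace.c, please confirm what __in_irqentry_text() evaluates to on kernels where .irqentry.text is not populated; if it is a stub that returns 0 unless the function graph tracer (or KASAN) is enabled, then `if (!__in_irqentry_text(frame->pc)) return 0;` makes save_trace() never record an exception frame on plain configurations, which is a regression the old in_entry_text() check did not have, and either the #if around the helper needs widening or the dependency should be stated. Independently of that, the line deserves a one-line comment saying that .entry.text is excluded on purpose because return addresses such as ret_fast_syscall land there without a pt_regs at sp: as written, a reader who sees the `regs = (struct pt_regs *)frame->sp;` cast right below will be tempted to "fix" the gate back to in_entry_text(), and the reasoning currently lives only in the commit message.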
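Review bot: the dump_backtrace_entry() hunk in traps.c must keep producing the first, genuine "Exception stack(0xdf01f7f8 to 0xdf01f840)" shown in the commit message, i.e. `__in_irqentry_text(from)` has to be true for from == __irq_svc+0x51 after this change; otherwise the patch suppresses the real exception dump along with the bogus one under ret_fast_syscall. Since the commit in Fixes: is the one that reorganized the section layout, a quick check of which section __irq_svc now lands in would settle this, and a note in the commit message would help the next reader. Also, this is the second copy of the same predicate ("return address in irq entry text means a pt_regs sits at sp"); a small shared helper (in_exception_frame() or similar, name only a suggestion) would keep save_trace() and dump_backtrace_entry() from drifting apart again.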
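As an added illustration, not part of the patch or of the kernel source, the following C program models the decision the two hunks change: a frame is treated as carrying a struct pt_regs only if its return address falls in a particular text range, and the unwinder then reads ARM_pc from sp without any further check. Section bounds, return addresses, frame sizes and stack contents are constructed; the nesting of the .irqentry.text range inside .entry.text is an assumption made so that one gate is strictly wider than the other; and the two predicate names mirror the kernel's only so they line up with the hunks. The bounds check inside walk() stands in for what KASAN's stack instrumentation reports; the real code simply dereferences.

```c
/*
 * Toy model of the gate the ARM unwinder uses before it treats the words
 * at a frame's sp as a struct pt_regs. Not kernel code: section bounds,
 * return addresses, frame sizes and stack contents are all constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed section bounds. .irqentry.text is modelled as a sub-range of
 * .entry.text (an assumption for this demo) so that in_entry_text() accepts
 * every address __in_irqentry_text() accepts, plus the plain entry code. */
#define ENTRY_TEXT_START    0xc0400000u
#define ENTRY_TEXT_END      0xc0402000u
#define IRQENTRY_TEXT_START 0xc0401000u
#define IRQENTRY_TEXT_END   0xc0401800u

/* Constructed return addresses standing in for the symbols in the splat. */
#define RET_IRQ_SVC          0xc0401151u /* assumed: genuine exception entry */
#define RET_RET_FAST_SYSCALL 0xc0400201u /* assumed: .entry.text, no pt_regs */
#define RET_ORDINARY         0xc0500321u /* assumed: an ordinary C function */

#define PT_REGS_WORDS 18 /* sizeof(struct pt_regs) / 4 on 32-bit ARM */
#define ARM_PC_INDEX  15 /* uregs[15] is the saved pc */

/* The two gates, named as in the kernel so they line up with the hunks. */
static bool in_entry_text(uint32_t pc)
{
	return pc >= ENTRY_TEXT_START && pc < ENTRY_TEXT_END;
}

static bool __in_irqentry_text(uint32_t pc)
{
	return pc >= IRQENTRY_TEXT_START && pc < IRQENTRY_TEXT_END;
}

/* One unwound frame: where sp points into the stack array, how many words
 * from sp belong to this frame, and the return address the unwinder saw. */
struct frame {
	size_t sp;
	size_t valid_words;
	uint32_t pc;
};

struct walk_result {
	int exception_frames;   /* frames treated as carrying a pt_regs */
	int oob_reads;          /* pt_regs reads that ran past the frame */
	uint32_t last_saved_pc; /* ARM_pc read from the last good frame */
};

/* Mirror of the save_trace() logic: whenever the gate accepts a frame's
 * return address, read uregs[ARM_PC_INDEX] at sp. The bounds check is the
 * model's stand-in for KASAN; the real code has no such check. */
static struct walk_result walk(const uint32_t *stack, size_t stack_words,
			       const struct frame *frames, size_t nframes,
			       bool (*gate)(uint32_t))
{
	struct walk_result r = { 0, 0, 0 };

	for (size_t i = 0; i < nframes; i++) {
		const struct frame *f = &frames[i];
		size_t end = f->sp + PT_REGS_WORDS;

		if (!gate(f->pc))
			continue;
		r.exception_frames++;

		if (end > stack_words || end > f->sp + f->valid_words) {
			r.oob_reads++; /* this is the read KASAN reported */
			continue;
		}
		r.last_saved_pc = stack[f->sp + ARM_PC_INDEX];
	}
	return r;
}

/* Constructed stack shaped like the splat: an ordinary frame, the real
 * __irq_svc exception frame (which does carry a pt_regs), and the small
 * unwind_pop_register frame whose return address is ret_fast_syscall. */
static struct walk_result demo_walk(bool (*gate)(uint32_t))
{
	uint32_t stack[64] = { 0 };
	const struct frame frames[] = {
		{ .sp = 0,  .valid_words = 8,  .pc = RET_ORDINARY },
		{ .sp = 8,  .valid_words = 24, .pc = RET_IRQ_SVC },
		{ .sp = 32, .valid_words = 4,  .pc = RET_RET_FAST_SYSCALL },
	};

	stack[8 + ARM_PC_INDEX] = 0xc0123456u; /* constructed saved pc */
	return walk(stack, 64, frames, 3, gate);
}

int main(void)
{
	struct walk_result wide = demo_walk(in_entry_text);
	struct walk_result tight = demo_walk(__in_irqentry_text);

	printf("in_entry_text:      %d exception frames, %d out-of-bounds reads\n",
	       wide.exception_frames, wide.oob_reads);
	printf("__in_irqentry_text: %d exception frames, %d out-of-bounds reads\n",
	       tight.exception_frames, tight.oob_reads);
	return 0;
}
```

With the wide gate the third frame is accepted and the 18-word pt_regs read runs 14 words past the 4 words that frame owns, which is the shape of the out-of-bounds access in the splat; with the narrow gate only the __irq_svc frame is treated as an exception frame and the read stays inside it. The model also makes the reviewer's question explicit: if __in_irqentry_text() rejected RET_IRQ_SVC, the genuine exception frame would disappear along with the bogus one.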