linux-kernel.vger.kernel.org archive mirror
From: HAYASAKA Mitsuo <mitsuo.hayasaka.hu@hitachi.com>
To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
	Randy Dunlap <rdunlap@xenotime.net>,
	x86@kernel.org, linux-kernel@vger.kernel.org,
	linux-doc@vger.kernel.org, yrl.pp-manager.tt@hitachi.com
Subject: Re: [RFC PATCH 1/5] x86: add user_mode_vm check in stack_overflow_check
Date: Tue, 15 Nov 2011 14:47:25 +0900
Message-ID: <4EC1FCED.5040908@hitachi.com>
In-Reply-To: <20111110195203.GA22646@phenom.dumpdata.com>

(2011/11/11 4:52), Konrad Rzeszutek Wilk wrote:
> On Mon, Nov 07, 2011 at 02:52:35PM +0900, Mitsuo Hayasaka wrote:
>> The kernel stack overflow is checked in stack_overflow_check(),
>> which may wrongly detect the overflow if the stack pointer
>> pointed to the kernel stack accidentally.
> 
> I think you mean to say 'points'.

Yes. Thank you for your correction.

> 
> How do we accidently point the stack pointer to the kernel stack?

I guess it may happen due to a kind of stack overflow, although
I've not yet succeeded in `accidentally' pointing the stack pointer to
the kernel stack...

At least, we can intentionally cause the overflow message using the
following user-space program, although the overflow does not occur.

=============================================
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) {
	unsigned long long dummyRSP;

	printf("PID:%d\n", getpid());
	printf("Input dummyRSP address: ");
	/* %llx is the correct conversion for unsigned long long */
	if (scanf("%llx", &dummyRSP) != 1)
		return 1;
	printf("DummyRSP address is %llx\n", dummyRSP);
	puts("Replace RSP with dummyRSP...");
	/* Load the supplied value into RSP and spin, so that the next
	 * interrupt saves this RSP in pt_regs->sp. */
	__asm__ ("movq %0,%%rsp": : "r" (dummyRSP));
	while(1) ;
}
=============================================

We need to give this program a dummy RSP address that points to
an overflow address in the kernel stack; it can be obtained using tools
such as crash. These steps are summarized as follows.

(1) Execute this program and get the pid.
(2) Execute crash and enter "task <pid>".
(3) Get the address indicated by the stack field of task_struct.
(4) Input the address to this program.

The big problem is that a user space program can directly control the
stack overflow checking in kernel space, regardless of whether the
operation is intentional or accidental. In other words, the kernel stack
overflow is never detected after execution of this program.

So, I would like to fix this problem.

> 
>>
>> This patch adds user-mode-vm checking before it to avoid this
>> misdetection and bails out early if the user stack is used.
>>
>> Signed-off-by: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Cc: Ingo Molnar <mingo@redhat.com>
>> Cc: "H. Peter Anvin" <hpa@zytor.com>
>> ---
>>
>>  arch/x86/kernel/irq_64.c |    3 +++
>>  1 files changed, 3 insertions(+), 0 deletions(-)
>>
>> diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
>> index acf8fbf..69bca46 100644
>> --- a/arch/x86/kernel/irq_64.c
>> +++ b/arch/x86/kernel/irq_64.c
>> @@ -38,6 +38,9 @@ static inline void stack_overflow_check(struct pt_regs *regs)
>>  #ifdef CONFIG_DEBUG_STACKOVERFLOW
>>  	u64 curbase = (u64)task_stack_page(current);
>>  
>> +	if (user_mode_vm(regs))
>> +		return;
>> +
>>  	WARN_ONCE(regs->sp >= curbase &&
>>  		  regs->sp <= curbase + THREAD_SIZE &&
>>  		  regs->sp <  curbase + sizeof(struct thread_info) +
>>
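Review bot: the `user_mode_vm(regs)` guard lands after `curbase` has already been loaded from `task_stack_page(current)`; computing `curbase` only after the early return keeps the user-mode interrupt path free of that load. Since arch/x86/kernel/irq_64.c is 64-bit only and vm86 does not exist there, `user_mode(regs)` expresses the same condition without the vm86 connotation. The description would also benefit from stating why the existing range test is not enough on its own: `regs->sp` taken from a user-mode interrupt frame is never a kernel stack address, so any hit inside `[curbase, curbase + THREAD_SIZE]` from such a frame is by construction a false positive, which is exactly what the early return encodes.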

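The following is an added user-space model of the check discussed above, not code from the patch or the thread: it reproduces the range predicate of the quoted `WARN_ONCE()` with and without the `user_mode_vm()` guard, so the false positive caused by the demo program (RSP parked at the task's stack base) and a genuine near-overflow in kernel mode can be compared side by side. `THREAD_SIZE`, the `thread_info` size, the warning margin (the cut-off remainder of the third term) and the stack base are constructed stand-ins, not the kernel's real values.

```c
/* Added example: user-space model of x86-64 stack_overflow_check().
 * All constants below are assumed stand-ins for the kernel's values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define THREAD_SIZE       (16 * 1024)        /* assumed kernel stack size */
#define THREAD_INFO_SIZE  64                 /* assumed sizeof(struct thread_info) */
#define WARN_MARGIN       (THREAD_SIZE / 8)  /* assumed margin of the cut-off term */
#define EXAMPLE_CURBASE   0xffff880012340000ULL /* constructed task_stack_page() */

/* Range predicate as written in the quoted hunk, without the new guard:
 * sp lies inside the current task's stack page and within the margin
 * just above thread_info. */
static bool warns_old(uint64_t sp, uint64_t curbase)
{
	return sp >= curbase &&
	       sp <= curbase + THREAD_SIZE &&
	       sp <  curbase + THREAD_INFO_SIZE + WARN_MARGIN;
}

/* Same predicate with the patch's early return; user_mode stands in
 * for user_mode_vm(regs) on the saved interrupt frame. */
static bool warns_new(uint64_t sp, bool user_mode, uint64_t curbase)
{
	if (user_mode)
		return false;	/* user sp is never on the kernel stack */
	return warns_old(sp, curbase);
}

int main(void)
{
	uint64_t base = EXAMPLE_CURBASE;
	/* Case 1: the demo program: user task sets RSP to task->stack. */
	printf("user RSP == stack base : old=%d new=%d\n",
	       warns_old(base, base), warns_new(base, true, base));
	/* Case 2: kernel-mode interrupt with sp deep in the stack page. */
	uint64_t deep = base + THREAD_INFO_SIZE + 16;
	printf("kernel sp near bottom  : old=%d new=%d\n",
	       warns_old(deep, base), warns_new(deep, false, base));
	/* Case 3: kernel-mode interrupt with plenty of stack left. */
	uint64_t safe = base + THREAD_SIZE / 2;
	printf("kernel sp mid-stack    : old=%d new=%d\n",
	       warns_old(safe, base), warns_new(safe, false, base));
	return 0;
}
```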
