From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, James Hogan <james.hogan@imgtec.com>,
Ralf Baechle <ralf@linux-mips.org>,
Gregory Fong <gregory.0xf0@gmail.com>,
linux-mips@linux-mips.org
Subject: [ 21/50] MIPS: stack protector: Fix per-task canary switch
Date: Wed, 16 Oct 2013 10:45:07 -0700 [thread overview]
Message-ID: <20131016174400.952627917@linuxfoundation.org> (raw)
In-Reply-To: <20131016174358.335646140@linuxfoundation.org>
3.11-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 8b3c569a3999a8fd5a819f892525ab5520777c92 upstream.
Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
per task) was merged in v3.11 and introduced assembly in the MIPS resume
functions to update the value of the current canary in
__stack_chk_guard. However it used PTR_L resulting in a load of the
canary value, instead of PTR_LA to construct its address. The value is
intended to be random but is then treated as an address in the
subsequent LONG_S (store).
This was observed to cause a fault and panic:
CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
Oops[#1]:
...
$24 : 139fea20 1e1f7cb6
...
Call Trace:
[<8000cc0c>] resume+0xac/0x118
[<8034f2a4>] __schedule+0x5f8/0x78c
[<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
[<80348eec>] rest_init+0x74/0x84
[<804dc990>] start_kernel+0x43c/0x454
Code: 3c18804b 8f184030 8cb901f8 <af190000> 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc
This can also be forced by modifying
arch/mips/include/asm/stackprotector.h so that the default
__stack_chk_guard value is more likely to be a bad (or unaligned)
pointer.
Fix it to use PTR_LA instead, to load the address of the canary value,
which the LONG_S can then use to write into it.
Reported-by: bobjones (via #mipslinux on IRC)
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Gregory Fong <gregory.0xf0@gmail.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/6026/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/kernel/octeon_switch.S | 2 +-
arch/mips/kernel/r2300_switch.S | 2 +-
arch/mips/kernel/r4k_switch.S | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
--- a/arch/mips/kernel/octeon_switch.S
+++ b/arch/mips/kernel/octeon_switch.S
@@ -73,7 +73,7 @@
3:
#if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
- PTR_L t8, __stack_chk_guard
+ PTR_LA t8, __stack_chk_guard
LONG_L t9, TASK_STACK_CANARY(a1)
LONG_S t9, 0(t8)
#endif
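Review bot: this same three-instruction sequence is repeated verbatim in octeon_switch.S, r2300_switch.S and r4k_switch.S, which is how the PTR_L slip could land in all three copies at once; consider moving it into a shared assembler macro (for example next to the existing CONFIG_CC_STACKPROTECTOR helpers in arch/mips/include/asm/stackprotector.h) so that a future change only has one copy to get right. The change itself is correct: for the following `LONG_S t9, 0(t8)` to write the canary, t8 must hold the address of __stack_chk_guard, which is what PTR_LA produces and PTR_L did not.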
--- a/arch/mips/kernel/r2300_switch.S
+++ b/arch/mips/kernel/r2300_switch.S
@@ -67,7 +67,7 @@ LEAF(resume)
1:
#if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
- PTR_L t8, __stack_chk_guard
+ PTR_LA t8, __stack_chk_guard
LONG_L t9, TASK_STACK_CANARY(a1)
LONG_S t9, 0(t8)
#endif
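Review bot: the `!defined(CONFIG_SMP)` half of the guard deserves a comment in the source. __stack_chk_guard is one global symbol, so on SMP it cannot be rewritten per task without racing another CPU that is still running a task with a different canary; that is why this block is !SMP only and SMP builds keep a single boot-time value. Without a comment the condition reads like an oversight rather than a deliberate limitation of the per-task canary.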
--- a/arch/mips/kernel/r4k_switch.S
+++ b/arch/mips/kernel/r4k_switch.S
@@ -69,7 +69,7 @@
1:
#if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
- PTR_L t8, __stack_chk_guard
+ PTR_LA t8, __stack_chk_guard
LONG_L t9, TASK_STACK_CANARY(a1)
LONG_S t9, 0(t8)
#endif
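Review bot: with PTR_L the store `LONG_S t9, 0(t8)` dereferenced the canary value itself, which is exactly what the oops shows ($24, i.e. t8, holding 139fea20 and the fault reported at that virtual address), and because the canary is random the bug only surfaces on boots where the value happens to be an unmapped or unaligned address; on other boots the store silently clobbers whatever lives at that address and leaves __stack_chk_guard unchanged. A one-line comment above the PTR_LA stating that t8 is the address of __stack_chk_guard and t9 the next task's canary would make the intent obvious to the next reader of the three switch files.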
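To make the difference between PTR_L and PTR_LA concrete, the following is an added C model of the three instructions in the hunks; it is illustration written for this page, not kernel code. It assumes a 4 KiB memory window at an assumed base, an assumed location for __stack_chk_guard, an assumed TASK_STACK_CANARY offset, and uses the $24/$25 (t8/t9) values from the register dump above as the current guard and the next task's canary. With PTR_L, t8 ends up holding the canary value and the store faults when that value is not a mapped, aligned kernel address; with PTR_LA, the next task's canary lands in __stack_chk_guard.

```c
/* Added illustration (not kernel code): a tiny model of the three-instruction
 * canary switch from the MIPS resume() paths, run with PTR_L (the bug) and
 * with PTR_LA (the fix) over a constructed 4 KiB memory window.
 * All addresses, offsets and the task layout are assumptions for the model. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_BASE            0x80000000u          /* assumed start of the modelled kernel window */
#define MEM_SIZE            0x1000u
#define SYM_STACK_CHK_GUARD (MEM_BASE + 0x030u)  /* address of __stack_chk_guard (assumed) */
#define NEXT_TASK           (MEM_BASE + 0x200u)  /* a1: next task_struct (assumed) */
#define TASK_STACK_CANARY   0x1f8u               /* offset of ->stack_canary (assumed) */

static uint8_t mem[MEM_SIZE];
uint32_t last_t8;   /* what t8 held when LONG_S executed or would have faulted */

/* A 32-bit access is valid only if it is inside the window and word aligned;
 * anything else is what the CPU would report as a paging or address error. */
static int access_ok(uint32_t va)
{
    return va >= MEM_BASE && va - MEM_BASE + 4 <= MEM_SIZE && (va & 3) == 0;
}

uint32_t peek32(uint32_t va)
{
    uint32_t v;
    memcpy(&v, &mem[va - MEM_BASE], sizeof v);
    return v;
}

static void store32(uint32_t va, uint32_t v)
{
    memcpy(&mem[va - MEM_BASE], &v, sizeof v);
}

/* Initialise the model: the current (random) guard and the next task's canary. */
void setup_model(uint32_t current_guard, uint32_t next_canary)
{
    memset(mem, 0, sizeof mem);
    store32(SYM_STACK_CHK_GUARD, current_guard);
    store32(NEXT_TASK + TASK_STACK_CANARY, next_canary);
}

uint32_t read_guard(void)
{
    return peek32(SYM_STACK_CHK_GUARD);
}

/* Emulate the hunk for next task a1. use_ptr_la != 0 selects the fixed PTR_LA,
 * 0 the original PTR_L. Returns 0 when the store completes, -1 when LONG_S
 * would fault; last_t8 records the register value either way. */
int resume_canary_switch(int use_ptr_la, uint32_t a1)
{
    uint32_t t8, t9;

    if (use_ptr_la)
        t8 = SYM_STACK_CHK_GUARD;             /* PTR_LA t8, __stack_chk_guard : address */
    else
        t8 = peek32(SYM_STACK_CHK_GUARD);     /* PTR_L  t8, __stack_chk_guard : value   */

    t9 = peek32(a1 + TASK_STACK_CANARY);      /* LONG_L t9, TASK_STACK_CANARY(a1) */
    last_t8 = t8;

    if (!access_ok(t8))
        return -1;                            /* LONG_S t9, 0(t8) faults here */
    store32(t8, t9);                          /* LONG_S t9, 0(t8) */
    return 0;
}

int main(void)
{
    /* t8/t9 values taken from the $24/$25 pair in the oops register dump. */
    setup_model(0x139fea20u, 0x1e1f7cb6u);
    if (resume_canary_switch(0, NEXT_TASK) < 0)
        printf("PTR_L : Unable to handle kernel paging request at %08x\n",
               (unsigned)last_t8);

    setup_model(0x139fea20u, 0x1e1f7cb6u);
    if (resume_canary_switch(1, NEXT_TASK) == 0)
        printf("PTR_LA: t8=%08x, __stack_chk_guard now %08x\n",
               (unsigned)last_t8, (unsigned)read_guard());
    return 0;
}
```

The model also covers the quieter failure the commit message hints at: when the random guard happens to be a mapped, aligned kernel address, the PTR_L variant completes without a fault, writes the next canary to that unrelated address and leaves __stack_chk_guard untouched, which is why forcing a bad default value in asm/stackprotector.h is the reliable way to reproduce the oops.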