riscv: fix out of bounds in walk_stackframe

Message ID	20230926114343.1061739-2-twuufnxlz@gmail.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org> From: Edward AD <twuufnxlz@gmail.com> To: conor@kernel.org Cc: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com, gregkh@linuxfoundation.org, jirislaby@kernel.org, linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org, syzkaller-bugs@googlegroups.com, paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, guoren@kernel.org, alexghiti@rivosinc.com, liushixin2@huawei.com, linux-riscv@lists.infradead.org Subject: [PATCH] riscv: fix out of bounds in walk_stackframe Date: Tue, 26 Sep 2023 19:43:44 +0800 Message-ID: <20230926114343.1061739-2-twuufnxlz@gmail.com> In-Reply-To: <0000000000000170df0605ccf91a@google.com> References: <0000000000000170df0605ccf91a@google.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-riscv" <linux-riscv-bounces@lists.infradead.org> Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org
Series	riscv: fix out of bounds in walk_stackframe \| expand riscv: fix out of bounds in walk_stackframe

Message ID

20230926114343.1061739-2-twuufnxlz@gmail.com (mailing list archive)

State

Superseded

Headers

From: Edward AD <twuufnxlz@gmail.com>
To: conor@kernel.org
Cc: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com,
	gregkh@linuxfoundation.org,
	jirislaby@kernel.org,
	linux-kernel@vger.kernel.org,
	linux-serial@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	paul.walmsley@sifive.com,
	palmer@dabbelt.com,
	aou@eecs.berkeley.edu,
	guoren@kernel.org,
	alexghiti@rivosinc.com,
	liushixin2@huawei.com,
	linux-riscv@lists.infradead.org
Subject: [PATCH] riscv: fix out of bounds in walk_stackframe
Date: Tue, 26 Sep 2023 19:43:44 +0800
Message-ID: <20230926114343.1061739-2-twuufnxlz@gmail.com>
In-Reply-To: <0000000000000170df0605ccf91a@google.com>
References: <0000000000000170df0605ccf91a@google.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-riscv" <linux-riscv-bounces@lists.infradead.org>
Errors-To: 
 linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org

Series

riscv: fix out of bounds in walk_stackframe | expand

Context	Check	Description
conchuod/cover_letter	success	Single patches do not need cover letters
conchuod/tree_selection	success	Guessed tree name to be fixes at HEAD 9f564b92cf6d
conchuod/fixes_present	success	Fixes tag present in non-next series
conchuod/maintainers_pattern	success	MAINTAINERS pattern errors before the patch: 5 and now 5
conchuod/verify_signedoff	success	Signed-off-by tag matches author and committer
conchuod/kdoc	success	Errors and warnings before: 0 this patch: 0
conchuod/build_rv64_clang_allmodconfig	success	Errors and warnings before: 9 this patch: 9
conchuod/module_param	success	Was 0 now: 0
conchuod/build_rv64_gcc_allmodconfig	success	Errors and warnings before: 9 this patch: 9
conchuod/build_rv32_defconfig	success	Build OK
conchuod/dtb_warn_rv64	success	Errors and warnings before: 29 this patch: 29
conchuod/header_inline	success	No static functions without inline keyword in header files
conchuod/checkpatch	warning	WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
conchuod/build_rv64_nommu_k210_defconfig	success	Build OK
conchuod/verify_fixes	success	Fixes tag looks correct
conchuod/build_rv64_nommu_virt_defconfig	success	Build OK

Context

Check

Description

conchuod/cover_letter

success

Single patches do not need cover letters

conchuod/tree_selection

success

Guessed tree name to be fixes at HEAD 9f564b92cf6d

conchuod/fixes_present

success

Fixes tag present in non-next series

conchuod/maintainers_pattern

success

MAINTAINERS pattern errors before the patch: 5 and now 5

conchuod/verify_signedoff

success

Signed-off-by tag matches author and committer

conchuod/kdoc

success

Errors and warnings before: 0 this patch: 0

conchuod/build_rv64_clang_allmodconfig

success

Errors and warnings before: 9 this patch: 9

conchuod/module_param

success

Was 0 now: 0

conchuod/build_rv64_gcc_allmodconfig

success

Errors and warnings before: 9 this patch: 9

conchuod/build_rv32_defconfig

success

Build OK

conchuod/dtb_warn_rv64

success

Errors and warnings before: 29 this patch: 29

conchuod/header_inline

success

No static functions without inline keyword in header files

conchuod/checkpatch

warning

WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report

conchuod/build_rv64_nommu_k210_defconfig

success

Build OK

conchuod/verify_fixes

success

Fixes tag looks correct

conchuod/build_rv64_nommu_virt_defconfig

success

Build OK

Commit Message

Edward AD Sept. 26, 2023, 11:43 a.m. UTC

Increase the check on the frame after assigning its value. This is to prevent 
frame access from crossing boundaries.

Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
Signed-off-by: Edward AD <twuufnxlz@gmail.com>
---
 arch/riscv/kernel/stacktrace.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Greg KH Sept. 26, 2023, 11:49 a.m. UTC | #1

On Tue, Sep 26, 2023 at 07:43:44PM +0800, Edward AD wrote:
> Increase the check on the frame after assigning its value. This is to prevent 
> frame access from crossing boundaries.
> 
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
>  arch/riscv/kernel/stacktrace.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..53bd18672329 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
>  			break;
>  		/* Unwind stack frame */
>  		frame = (struct stackframe *)fp - 1;
> +		if (!virt_addr_valid(frame))
> +			break;
>  		sp = fp;
>  		if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
>  			fp = frame->ra;
> -- 
> 2.25.1
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- You have marked a patch with a "Fixes:" tag for a commit that is in an
  older released kernel, yet you do not have a cc: stable line in the
  signed-off-by area at all, which means that the patch will not be
  applied to any older kernel releases.  To properly fix this, please
  follow the documented rules in the
  Documetnation/process/stable-kernel-rules.rst file for how to resolve
  this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Alexandre Ghiti Sept. 28, 2023, 8:02 a.m. UTC | #2

Hi Edward,

On 26/09/2023 13:43, Edward AD wrote:
> Increase the check on the frame after assigning its value. This is to prevent
> frame access from crossing boundaries.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
>   arch/riscv/kernel/stacktrace.c | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..53bd18672329 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
>   			break;
>   		/* Unwind stack frame */
>   		frame = (struct stackframe *)fp - 1;
> +		if (!virt_addr_valid(frame))
> +			break;
>   		sp = fp;
>   		if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
>   			fp = frame->ra;

virt_addr_valid() works on kernel linear addresses, not on vmalloc 
addresses, which is the case here  (0xff20000006d37c38 belongs to the 
vmalloc region: see 
https://elixir.bootlin.com/linux/latest/source/Documentation/riscv/vm-layout.rst#L125). 
So this fix can't work.

I'm a bit surprised though of this out-of-bounds access since 
CONFIG_FRAME_POINTER is enabled, so there may be a real issue here (the 
console output is horrible, lots of backtraces, which is weird), so it 
may be worth digging into that.

Thanks,

Alex

Alexandre Ghiti Sept. 28, 2023, 8:15 a.m. UTC | #3

Oh and BTW, any idea why linux-riscv was not in CC for the initial report?

On 28/09/2023 10:02, Alexandre Ghiti wrote:
> Hi Edward,
>
> On 26/09/2023 13:43, Edward AD wrote:
>> Increase the check on the frame after assigning its value. This is to 
>> prevent
>> frame access from crossing boundaries.
>>
>> Closes: 
>> https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
>> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
>> Reported-and-tested-by: 
>> syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
>> Link: 
>> https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
>> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
>> ---
>>   arch/riscv/kernel/stacktrace.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/arch/riscv/kernel/stacktrace.c 
>> b/arch/riscv/kernel/stacktrace.c
>> index 64a9c093aef9..53bd18672329 100644
>> --- a/arch/riscv/kernel/stacktrace.c
>> +++ b/arch/riscv/kernel/stacktrace.c
>> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct 
>> *task, struct pt_regs *regs,
>>               break;
>>           /* Unwind stack frame */
>>           frame = (struct stackframe *)fp - 1;
>> +        if (!virt_addr_valid(frame))
>> +            break;
>>           sp = fp;
>>           if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
>>               fp = frame->ra;
>
>
> virt_addr_valid() works on kernel linear addresses, not on vmalloc 
> addresses, which is the case here  (0xff20000006d37c38 belongs to the 
> vmalloc region: see 
> https://elixir.bootlin.com/linux/latest/source/Documentation/riscv/vm-layout.rst#L125). 
> So this fix can't work.
>
> I'm a bit surprised though of this out-of-bounds access since 
> CONFIG_FRAME_POINTER is enabled, so there may be a real issue here 
> (the console output is horrible, lots of backtraces, which is weird), 
> so it may be worth digging into that.
>
> Thanks,
>
> Alex
>
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv

diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
index 64a9c093aef9..53bd18672329 100644
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -54,6 +54,8 @@  void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
 			break;
 		/* Unwind stack frame */
 		frame = (struct stackframe *)fp - 1;
+		if (!virt_addr_valid(frame))
+			break;
 		sp = fp;
 		if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
 			fp = frame->ra;

riscv: fix out of bounds in walk_stackframe

Checks

Commit Message

Comments

Patch