Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBorislav Petkov <bp@suse.de>2018-01-12 21:55:29 +0100
committerBorislav Petkov <bp@suse.de>2018-01-12 21:55:33 +0100
commit7171dc2cc12f38352b1338284057aa039d2b79f8 (patch)
tree8803f6a64c4510657fc6752fee311322f320b971
parent87c656380e582acd4dbee625427719d6efbfef49 (diff)
x86/unwinder/orc: Dont bail on stack overflow (bsc#1068032
CVE-2017-5754).
-rw-r--r--patches.arch/02-x86-unwinder-orc-dont-bail-on-stack-overflow.patch82
-rw-r--r--series.conf1
2 files changed, 83 insertions, 0 deletions
diff --git a/patches.arch/02-x86-unwinder-orc-dont-bail-on-stack-overflow.patch b/patches.arch/02-x86-unwinder-orc-dont-bail-on-stack-overflow.patch
new file mode 100644
index 0000000000..49d3b2ad17
--- /dev/null
+++ b/patches.arch/02-x86-unwinder-orc-dont-bail-on-stack-overflow.patch
@@ -0,0 +1,82 @@
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 4 Dec 2017 15:07:08 +0100
+Subject: x86/unwinder/orc: Dont bail on stack overflow
+Git-commit: d3a09104018cf2ad5973dfa8a9c138ef9f5015a3
+Patch-mainline: v4.15-rc5
+References: bsc#1068032 CVE-2017-5754
+
+If the stack overflows into a guard page and the ORC unwinder should work
+well: by construction, there can't be any meaningful data in the guard page
+because no writes to the guard page will have succeeded.
+
+But there is a bug that prevents unwinding from working correctly: if the
+starting register state has RSP pointing into a stack guard page, the ORC
+unwinder bails out immediately.
+
+Instead of bailing out immediately check whether the next page up is a
+valid check page and if so analyze that. As a result the ORC unwinder will
+start the unwind.
+
+Tested by intentionally overflowing the task stack. The result is an
+accurate call trace instead of a trace consisting purely of '?' entries.
+
+There are a few other bugs that are triggered if the unwinder encounters a
+stack overflow after the first step, but they are outside the scope of this
+fix.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Borislav Petkov <bpetkov@suse.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: David Laight <David.Laight@aculab.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Eduardo Valentin <eduval@amazon.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: aliguori@amazon.com
+Cc: daniel.gruss@iaik.tugraz.at
+Cc: hughd@google.com
+Cc: keescook@google.com
+Link: https://lkml.kernel.org/r/20171204150604.991389777@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/unwind_orc.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
+index a3f973b2c97a..ff8e1132b2ae 100644
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -553,8 +553,18 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+ }
+
+ if (get_stack_info((unsigned long *)state->sp, state->task,
+- &state->stack_info, &state->stack_mask))
+- return;
++ &state->stack_info, &state->stack_mask)) {
++ /*
++ * We weren't on a valid stack. It's possible that
++ * we overflowed a valid stack into a guard page.
++ * See if the next page up is valid so that we can
++ * generate some kind of backtrace if this happens.
++ */
++ void *next_page = (void *)PAGE_ALIGN((unsigned long)state->sp);
++ if (get_stack_info(next_page, state->task, &state->stack_info,
++ &state->stack_mask))
++ return;
++ }
+
+ /*
+ * The caller can provide the address of the first frame directly
+
diff --git a/series.conf b/series.conf
index d25add33db..82093cd844 100644
--- a/series.conf
+++ b/series.conf
@@ -7373,6 +7373,7 @@
# KPTI bsc#1068032 CVE-2017-5754, part 2, prep entry_64.S stuff
patches.arch/01-x86-entry-64-paravirt-use-paravirt-safe-macro-to-access-eflags.patch
+ patches.arch/02-x86-unwinder-orc-dont-bail-on-stack-overflow.patch
########################################################
# Staging tree patches