linux-yocto/arch/arm64/kernel
Tengda Wu 67abac27d8 arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()
[ Upstream commit 39dfc971e4 ]

KASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth().

Call Trace:
[   97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8
[   97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550
[   97.285732]
[   97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11
[   97.287032] Hardware name: linux,dummy-virt (DT)
[   97.287815] Call trace:
[   97.288279]  dump_backtrace+0xa0/0x128
[   97.288946]  show_stack+0x20/0x38
[   97.289551]  dump_stack_lvl+0x78/0xc8
[   97.290203]  print_address_description.constprop.0+0x84/0x3c8
[   97.291159]  print_report+0xb0/0x280
[   97.291792]  kasan_report+0x84/0xd0
[   97.292421]  __asan_load8+0x9c/0xc0
[   97.293042]  regs_get_kernel_stack_nth+0xa8/0xc8
[   97.293835]  process_fetch_insn+0x770/0xa30
[   97.294562]  kprobe_trace_func+0x254/0x3b0
[   97.295271]  kprobe_dispatcher+0x98/0xe0
[   97.295955]  kprobe_breakpoint_handler+0x1b0/0x210
[   97.296774]  call_break_hook+0xc4/0x100
[   97.297451]  brk_handler+0x24/0x78
[   97.298073]  do_debug_exception+0xac/0x178
[   97.298785]  el1_dbg+0x70/0x90
[   97.299344]  el1h_64_sync_handler+0xcc/0xe8
[   97.300066]  el1h_64_sync+0x78/0x80
[   97.300699]  kernel_clone+0x0/0x500
[   97.301331]  __arm64_sys_clone+0x70/0x90
[   97.302084]  invoke_syscall+0x68/0x198
[   97.302746]  el0_svc_common.constprop.0+0x11c/0x150
[   97.303569]  do_el0_svc+0x38/0x50
[   97.304164]  el0_svc+0x44/0x1d8
[   97.304749]  el0t_64_sync_handler+0x100/0x130
[   97.305500]  el0t_64_sync+0x188/0x190
[   97.306151]
[   97.306475] The buggy address belongs to stack of task 1.sh/2550
[   97.307461]  and is located at offset 0 in frame:
[   97.308257]  __se_sys_clone+0x0/0x138
[   97.308910]
[   97.309241] This frame has 1 object:
[   97.309873]  [48, 184) 'args'
[   97.309876]
[   97.310749] The buggy address belongs to the virtual mapping at
[   97.310749]  [ffff800089270000, ffff800089279000) created by:
[   97.310749]  dup_task_struct+0xc0/0x2e8
[   97.313347]
[   97.313674] The buggy address belongs to the physical page:
[   97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a
[   97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff)
[   97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000
[   97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   97.319445] page dumped because: kasan: bad access detected
[   97.320371]
[   97.320694] Memory state around the buggy address:
[   97.321511]  ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   97.322681]  ffff800089277b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   97.323846] >ffff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00
[   97.325023]                          ^
[   97.325683]  ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3
[   97.326856]  ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00

This issue seems to be related to the behavior of some gcc compilers and
was also fixed on the s390 architecture before:

 commit d93a855c31 ("s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()")

As described in that commit, regs_get_kernel_stack_nth() has confirmed that
`addr` is on the stack, so reading the value at `*addr` should be allowed.
Use READ_ONCE_NOCHECK() helper to silence the KASAN check for this case.

Fixes: 0a8ea52c3e ("arm64: Add HAVE_REGS_AND_STACK_ACCESS_API feature")
Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
Link: https://lore.kernel.org/r/20250604005533.1278992-1-wutengda@huaweicloud.com
[will: Use '*addr' as the argument to READ_ONCE_NOCHECK()]
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-06-27 11:04:25 +01:00
probes arm64: probes: Fix uprobes for big-endian kernels 2024-11-08 16:21:58 +01:00
vdso arm64: Handle .ARM.attributes section in linker scripts 2025-03-13 12:47:20 +01:00
vdso32 arm64: vdso32: require CROSS_COMPILE_COMPAT for gcc+bfd 2021-12-29 12:25:53 +01:00
.gitignore
acpi_numa.c arm64: acpi: Move get_cpu_for_acpi_id() to a header 2024-09-12 11:06:51 +02:00
acpi_parking_protocol.c
acpi.c
alternative.c arm64: alternatives: mark patch_alternative() as noinstr 2022-04-20 09:23:22 +02:00
armv8_deprecated.c arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process 2024-07-27 10:40:18 +02:00
asm-offsets.c
cacheinfo.c arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array 2025-03-13 12:47:14 +01:00
cpu_errata.c arm64: errata: Expand speculative SSBS workaround once more 2024-10-17 15:08:26 +02:00
cpu_ops.c
cpu-reset.h
cpu-reset.S
cpufeature.c arm64: cpufeature: Fix the visibility of compat hwcaps 2024-08-19 05:41:23 +02:00
cpuidle.c cpuidle: PSCI: Move the has_lpi check to the beginning of the function 2022-04-20 09:23:09 +02:00
cpuinfo.c arm64: cpufeature: add HWCAP for FEAT_RPRES 2022-03-11 12:11:51 +01:00
crash_core.c
crash_dump.c
debug-monitors.c arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step 2023-05-17 11:47:45 +02:00
efi-entry.S
efi-header.S
efi-rt-wrapper.S efi: rt-wrapper: Add missing include 2023-01-24 07:20:01 +01:00
efi.c arm64: efi: Make efi_rt_lock a raw_spinlock 2023-03-17 08:45:08 +01:00
entry-common.c arm64: split EL0/EL1 UNDEF handlers 2023-10-25 11:54:17 +02:00
entry-fpsimd.S
entry-ftrace.S arm64: ftrace: add missing BTIs 2021-12-08 09:03:24 +01:00
entry.S Revert "arm64: Stash shadow stack pointer in the task struct on interrupt" 2024-02-23 08:42:31 +01:00
fpsimd.c arm64/sve: Use correct size when reinitialising SVE state 2021-09-22 12:27:54 +02:00
ftrace.c arm64: ftrace: fix module PLTs with mcount 2022-10-26 13:25:29 +02:00
head.S arm64: Always load shadow stack pointer directly from the task struct 2023-05-17 11:48:07 +02:00
hibernate-asm.S
hibernate.c
hw_breakpoint.c hw_breakpoint: fix single-stepping when using bpf_overflow_handler 2023-09-23 11:01:05 +02:00
hyp-stub.S
image-vars.h KVM: arm64: Link position-independent string routines into .hyp.text 2023-05-30 12:57:55 +01:00
image.h
insn.c arm64: insn: Add support for encoding DSB 2025-06-27 11:04:23 +01:00
io.c
irq.c
jump_label.c
kaslr.c
kexec_image.c
kgdb.c arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step 2023-05-17 11:47:45 +02:00
kuser32.S
machine_kexec_file.c
machine_kexec.c
Makefile
module-plts.c arm64: module: Use module_init_layout_section() to spot init sections 2023-09-02 09:18:13 +02:00
module.c
mte.c arm64: mte: Ensure the cleared tags are visible before setting the PTE 2022-05-25 09:17:56 +02:00
paravirt.c arm64: paravirt: Use RCU read locks to guard stolen_time 2022-05-25 09:17:56 +02:00
pci.c
perf_callchain.c perf: Protect perf_guest_cbs with RCU 2022-01-20 09:17:50 +01:00
perf_event.c drivers/perf: pmuv3: don't expose SW_INCR event in sysfs 2024-02-23 08:42:02 +01:00
perf_regs.c
pointer_auth.c
process.c arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled 2024-12-14 19:48:11 +01:00
proton-pack.c arm64: proton-pack: Add new CPUs 'k' values for branch mitigation 2025-06-27 11:04:23 +01:00
psci.c
ptrace.c arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() 2025-06-27 11:04:25 +01:00
reloc_test_core.c
reloc_test_syms.S
relocate_kernel.S
return_address.c
scs.c
sdei.c arm64: sdei: abort running SDEI handlers during crash 2023-09-19 12:20:28 +02:00
setup.c arm64/mm: Fix ttbr0 values stored in struct thread_info for software-pan 2021-07-14 16:56:07 +02:00
signal.c arm64: add support for TIF_NOTIFY_SIGNAL 2023-01-04 11:39:19 +01:00
signal32.c
sigreturn32.S
sleep.S
smccc-call.S
smp_spin_table.c
smp.c arm64: sdei: abort running SDEI handlers during crash 2023-09-19 12:20:28 +02:00
stacktrace.c arm64: stacktrace: avoid tracing arch_stack_walk() 2021-08-12 13:22:12 +02:00
suspend.c
sys_compat.c arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall 2022-06-09 10:20:53 +02:00
sys.c
sys32.c
syscall.c arm64: fix compat syscall return truncation 2021-08-12 13:22:20 +02:00
time.c
topology.c arm64: topology: move store_cpu_topology() to shared code 2022-10-30 09:41:19 +01:00
trace-events-emulation.h
traps.c arm64: armv8_deprecated: rework deprected instruction handling 2023-10-25 11:54:17 +02:00
vdso.c
vmlinux.lds.S arm64: Handle .ARM.attributes section in linker scripts 2025-03-13 12:47:20 +01:00