From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sergei Trofimovich <slyfox@gentoo.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-ia64@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 32/32] ia64: module: fix symbolizer crash on fdescr
Date: Wed,  5 May 2021 12:40:04 -0400
Message-ID: <20210505164004.3463707-32-sashal@kernel.org>
In-Reply-To: <20210505164004.3463707-1-sashal@kernel.org>

From: Sergei Trofimovich <slyfox@gentoo.org>

[ Upstream commit 99e729bd40fb3272fa4b0140839d5e957b58588a ]

Noticed the failure as a crash on ia64 when trying to symbolize all backtraces
collected by page_owner=on:

    $ cat /sys/kernel/debug/page_owner
    <oops>

    CPU: 1 PID: 2074 Comm: cat Not tainted 5.12.0-rc4 #226
    Hardware name: hp server rx3600, BIOS 04.03 04/08/2008
    ip is at dereference_module_function_descriptor+0x41/0x100

The crash happens in dereference_module_function_descriptor() due to a
use-after-free when dereferencing the ".opd" section header.

All section headers are already freed after the module is loaded successfully.

To keep the symbolizer working, the change stores the ".opd" address and size
after the module is relocated to its new place and before the section headers
are discarded.

To make similar errors less obscure, module_finalize() now zeroes out all
variables that are relevant to module loading only.

Link: https://lkml.kernel.org/r/20210403074803.3309096-1-slyfox@gentoo.org
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/ia64/include/asm/module.h |  6 +++++-
 arch/ia64/kernel/module.c      | 29 +++++++++++++++++++++++++----
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/arch/ia64/include/asm/module.h b/arch/ia64/include/asm/module.h
index f319144260ce..9fbf32e6e881 100644
--- a/arch/ia64/include/asm/module.h
+++ b/arch/ia64/include/asm/module.h
@@ -14,16 +14,20 @@
 struct elf64_shdr;			/* forward declration */
 
 struct mod_arch_specific {
+	/* Used only at module load time. */
 	struct elf64_shdr *core_plt;	/* core PLT section */
 	struct elf64_shdr *init_plt;	/* init PLT section */
 	struct elf64_shdr *got;		/* global offset table */
 	struct elf64_shdr *opd;		/* official procedure descriptors */
 	struct elf64_shdr *unwind;	/* unwind-table section */
 	unsigned long gp;		/* global-pointer for module */
+	unsigned int next_got_entry;	/* index of next available got entry */
 
+	/* Used at module run and cleanup time. */
 	void *core_unw_table;		/* core unwind-table cookie returned by unwinder */
 	void *init_unw_table;		/* init unwind-table cookie returned by unwinder */
-	unsigned int next_got_entry;	/* index of next available got entry */
+	void *opd_addr;			/* symbolize uses .opd to get to actual function */
+	unsigned long opd_size;
 };
 
 #define MODULE_PROC_FAMILY	"ia64"
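Review bot: the `/* Used only at module load time. */` and `/* Used at module run and cleanup time. */` split is the right shape, but the load-time comment should also say that module_finalize() NULLs these pointers and that nothing may read them afterwards; a reader of this header alone cannot tell that the pointers become invalid. Moving next_got_entry into the load-time group is correct, since it only tracks GOT fill during relocation. The new `opd_size` field is the only member without a trailing comment, and the pre-existing "declration" typo on the forward declaration line could be fixed while the header is being touched.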
diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
index 1a42ba885188..ee693c8cec49 100644
--- a/arch/ia64/kernel/module.c
+++ b/arch/ia64/kernel/module.c
@@ -905,9 +905,31 @@ register_unwind_table (struct module *mod)
 int
 module_finalize (const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, struct module *mod)
 {
+	struct mod_arch_specific *mas = &mod->arch;
+
 	DEBUGP("%s: init: entry=%p\n", __func__, mod->init);
-	if (mod->arch.unwind)
+	if (mas->unwind)
 		register_unwind_table(mod);
+
+	/*
+	 * ".opd" was already relocated to the final destination. Store
+	 * it's address for use in symbolizer.
+	 */
+	mas->opd_addr = (void *)mas->opd->sh_addr;
+	mas->opd_size = mas->opd->sh_size;
+
+	/*
+	 * Module relocation was already done at this point. Section
+	 * headers are about to be deleted. Wipe out load-time context.
+	 */
+	mas->core_plt = NULL;
+	mas->init_plt = NULL;
+	mas->got = NULL;
+	mas->opd = NULL;
+	mas->unwind = NULL;
+	mas->gp = 0;
+	mas->next_got_entry = 0;
+
 	return 0;
 }
 
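Review bot: `mas->opd_addr = (void *)mas->opd->sh_addr;` dereferences mas->opd unconditionally, while the line just above guards mas->unwind with an if; this is only safe if the earlier section scan rejects modules without an .opd section, which is not visible in this hunk (the removed code in dereference_module_function_descriptor() made the same assumption), so a one-line comment or a WARN_ON(!mas->opd) would document the invariant. Zeroing the load-time pointers afterwards is the valuable part of the change: any code that still reaches for mas->opd, mas->got or the PLT headers after finalize now faults on a NULL dereference at first use instead of silently reading freed memory, which is what made the original crash hard to attribute. Typo in the new comment: "it's address" should be "its address".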
@@ -926,10 +948,9 @@ module_arch_cleanup (struct module *mod)
 
 void *dereference_module_function_descriptor(struct module *mod, void *ptr)
 {
-	Elf64_Shdr *opd = mod->arch.opd;
+	struct mod_arch_specific *mas = &mod->arch;
 
-	if (ptr < (void *)opd->sh_addr ||
-			ptr >= (void *)(opd->sh_addr + opd->sh_size))
+	if (ptr < mas->opd_addr || ptr >= mas->opd_addr + mas->opd_size)
 		return ptr;
 
 	return dereference_function_descriptor(ptr);
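Review bot: the new check reads only the two copied fields, so it no longer touches the freed section header; a comment should note that if this function is reached before module_finalize() has run, opd_addr and opd_size are still zero (assuming mod->arch starts zeroed, which this hunk does not show) and the check degrades to returning ptr unchanged rather than faulting, the safe direction for a symbolizer. The comparison `ptr >= mas->opd_addr + mas->opd_size` relies on GCC's void-pointer arithmetic; writing `(char *)mas->opd_addr + mas->opd_size` would make the range arithmetic explicit without changing behaviour.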
-- 
2.30.2
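As an added illustration, not part of the patch or the kernel source, the following user-space C model shows the shape of the fix: the section header is freed after finalize, and the copied .opd address and size keep the descriptor lookup working. The names shdr, fdesc, mod_arch, finalize, deref_fdesc and resolve_after_header_free are hypothetical stand-ins for the kernel structures and functions in the patch.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for Elf64_Shdr: only the fields the bounds check reads. */
struct shdr { uintptr_t sh_addr; uint64_t sh_size; };
/* ia64 function descriptor: code entry point plus global pointer. */
struct fdesc { void *ip; unsigned long gp; };
struct mod_arch {
	struct shdr *opd;       /* load-time only; freed after finalize */
	void *opd_addr;         /* run-time copy that outlives the header */
	unsigned long opd_size;
};

/* Mirrors the patched module_finalize(): copy first, then wipe. */
static void finalize(struct mod_arch *mas)
{
	mas->opd_addr = (void *)mas->opd->sh_addr;
	mas->opd_size = mas->opd->sh_size;
	mas->opd = NULL;        /* stale use now faults on NULL, not on freed memory */
}

/* Mirrors the patched dereference_module_function_descriptor(). */
static void *deref_fdesc(const struct mod_arch *mas, void *ptr)
{
	uintptr_t p = (uintptr_t)ptr, lo = (uintptr_t)mas->opd_addr;
	if (p < lo || p >= lo + mas->opd_size)
		return ptr;                   /* plain code address */
	return ((struct fdesc *)ptr)->ip; /* descriptor: follow it */
}

static int code_a(void) { return 0xA; }

/* Constructed scenario: one descriptor, header freed after finalize()
 * just as the loader discards section headers. Returns 1 on success. */
int resolve_after_header_free(void)
{
	static struct fdesc opd;       /* the module's whole .opd */
	struct mod_arch mas = { 0 };
	struct shdr *hdr = malloc(sizeof(*hdr));
	/* Before finalize() the copies are zero, so pointers pass through. */
	int ok = deref_fdesc(&mas, &opd) == (void *)&opd;
	opd.ip = (void *)code_a;
	hdr->sh_addr = (uintptr_t)&opd;
	hdr->sh_size = sizeof(opd);
	mas.opd = hdr;
	finalize(&mas);
	free(hdr);            /* the old code would now read freed memory */
	return ok && deref_fdesc(&mas, &opd) == (void *)code_a &&
	       deref_fdesc(&mas, (void *)code_a) == (void *)code_a &&
	       mas.opd == NULL;
}
```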

