* [PATCH] ia64: module: fix symbolizer crash on fdescr
@ 2021-04-03 7:48 Sergei Trofimovich
From: Sergei Trofimovich @ 2021-04-03 7:48 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-kernel, Sergei Trofimovich, linux-ia64
Noticed failure as a crash on ia64 when tried to symbolize all
backtraces collected by page_owner=on:

$ cat /sys/kernel/debug/page_owner
<oops>

CPU: 1 PID: 2074 Comm: cat Not tainted 5.12.0-rc4 #226
Hardware name: hp server rx3600, BIOS 04.03 04/08/2008
ip is at dereference_module_function_descriptor+0x41/0x100

Crash happens at dereference_module_function_descriptor() due to
use-after-free when dereferencing ".opd" section header.

All section headers are already freed after module is loaded
successfully.

To keep symbolizer working the change stores ".opd" address
and size after module is relocated to a new place and before
section headers are discarded.

To make similar errors less obscure module_finalize() now
zeroes out all variables relevant to module loading only.
CC: Andrew Morton <akpm@linux-foundation.org>
CC: linux-ia64@vger.kernel.org
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
---
arch/ia64/include/asm/module.h | 6 +++++-
arch/ia64/kernel/module.c | 29 +++++++++++++++++++++++++----
2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/arch/ia64/include/asm/module.h b/arch/ia64/include/asm/module.h
index 5a29652e6def..7271b9c5fc76 100644
--- a/arch/ia64/include/asm/module.h
+++ b/arch/ia64/include/asm/module.h
@@ -14,16 +14,20 @@
struct elf64_shdr; /* forward declration */
struct mod_arch_specific {
+ /* Used only at module load time. */
struct elf64_shdr *core_plt; /* core PLT section */
struct elf64_shdr *init_plt; /* init PLT section */
struct elf64_shdr *got; /* global offset table */
struct elf64_shdr *opd; /* official procedure descriptors */
struct elf64_shdr *unwind; /* unwind-table section */
unsigned long gp; /* global-pointer for module */
+ unsigned int next_got_entry; /* index of next available got entry */
+ /* Used at module run and cleanup time. */
void *core_unw_table; /* core unwind-table cookie returned by unwinder */
void *init_unw_table; /* init unwind-table cookie returned by unwinder */
- unsigned int next_got_entry; /* index of next available got entry */
+ void *opd_addr; /* symbolize uses .opd to get to actual function */
+ unsigned long opd_size;
};
#define ARCH_SHF_SMALL SHF_IA_64_SHORT
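Review bot: `opd_size` is the only member of struct mod_arch_specific left without a trailing comment; add one in the style of its neighbours, e.g. `unsigned long opd_size; /* size of .opd in bytes */`. Since the `/* Used only at module load time. */` group is now explicitly wiped in module_finalize(), say so in that comment (e.g. `/* Used only at module load time; cleared by module_finalize(). */`) so that nobody reintroduces a run-time user of those section-header pointers, which is exactly the use-after-free this patch fixes.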
diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
index 00a496cb346f..f3385fe6e37e 100644
--- a/arch/ia64/kernel/module.c
+++ b/arch/ia64/kernel/module.c
@@ -905,9 +905,31 @@ register_unwind_table (struct module *mod)
int
module_finalize (const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, struct module *mod)
{
+ struct mod_arch_specific *mas = &mod->arch;
+
DEBUGP("%s: init: entry=%p\n", __func__, mod->init);
- if (mod->arch.unwind)
+ if (mas->unwind)
register_unwind_table(mod);
+
+ /*
+ * ".opd" was already relocated to the final destination. Store
+ * it's address for use in symbolizer.
+ */
+ mas->opd_addr = (void *)mas->opd->sh_addr;
+ mas->opd_size = mas->opd->sh_size;
+
+ /*
+ * Module relocation was already done at this point. Section
+ * headers are about to be deleted. Wipe out load-time context.
+ */
+ mas->core_plt = NULL;
+ mas->init_plt = NULL;
+ mas->got = NULL;
+ mas->opd = NULL;
+ mas->unwind = NULL;
+ mas->gp = 0;
+ mas->next_got_entry = 0;
+
return 0;
}
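Review bot: `mas->opd` is dereferenced unconditionally (`mas->opd->sh_addr`) while `mas->unwind` gets a NULL check a few lines earlier; if `.opd` is guaranteed to be present by the time module_finalize() runs, a short comment naming where that guarantee comes from would spare the next reader the question, otherwise guard it the same way. Also a typo in the new comment: `it's address` should be `its address`. The ordering is right: register_unwind_table() consumes `mas->unwind` before the wipe, and the cookies it returns live in `core_unw_table`/`init_unw_table`, which are deliberately not cleared, so module_arch_cleanup() keeps working.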
@@ -926,10 +948,9 @@ module_arch_cleanup (struct module *mod)
void *dereference_module_function_descriptor(struct module *mod, void *ptr)
{
- Elf64_Shdr *opd = mod->arch.opd;
+ struct mod_arch_specific *mas = &mod->arch;
- if (ptr < (void *)opd->sh_addr ||
- ptr >= (void *)(opd->sh_addr + opd->sh_size))
+ if (ptr < mas->opd_addr || ptr >= mas->opd_addr + mas->opd_size)
return ptr;
return dereference_function_descriptor(ptr);
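Review bot: the range test now depends on the `opd_addr`/`opd_size` snapshot, so it is worth stating the behaviour before module_finalize() has filled it in: with `opd_addr == NULL` and `opd_size == 0` the condition `ptr >= NULL + 0` holds for any non-NULL ptr, so the function returns `ptr` unchanged rather than dereferencing anything, which is the safe outcome; a one-line comment saying so would help. Note that `mas->opd_addr + mas->opd_size` is arithmetic on `void *`, which the kernel accepts as a GCC extension; the old code did the addition on `Elf64_Addr` and cast afterwards, and keeping that form would avoid relying on the extension, though either is acceptable.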
--
2.31.1
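A constructed C model of the fix, added here as an example; it is not code from the patch or from the kernel. It reproduces the sequence the commit message describes: section headers exist only during load, module_finalize() snapshots the .opd address and size and wipes the load-time pointer, the headers are freed, and the symbolizer then decides from the snapshot alone whether a pointer is a function descriptor. All names (`model_*`, `struct mod_arch`, `struct shdr`, `struct fdesc`) and the two-entry .opd table with entry addresses 0x1000 and 0x2000 are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an ia64 function descriptor: the entry ip and gp. */
struct fdesc {
	uint64_t ip;
	uint64_t gp;
};

/* Stand-in for Elf64_Shdr carrying only the two fields the fix reads. */
struct shdr {
	uint64_t sh_addr;
	uint64_t sh_size;
};

/* Model of the patched struct mod_arch_specific. */
struct mod_arch {
	struct shdr *opd;        /* load-time only: points into sechdrs */
	void *opd_addr;          /* run-time snapshot of the .opd start */
	unsigned long opd_size;  /* run-time snapshot of the .opd size */
};

struct module {
	struct mod_arch arch;
	struct fdesc opd_table[2];   /* the relocated .opd contents */
	struct shdr *sechdrs;        /* section headers, freed after load */
};

/* Model of load/relocation: section headers are heap memory that describe
 * where the relocated .opd now lives. Entry addresses are constructed. */
void model_load(struct module *mod)
{
	memset(mod, 0, sizeof(*mod));
	mod->opd_table[0].ip = 0x1000;
	mod->opd_table[0].gp = 0xa000;
	mod->opd_table[1].ip = 0x2000;
	mod->opd_table[1].gp = 0xa000;
	mod->sechdrs = calloc(1, sizeof(*mod->sechdrs));
	mod->sechdrs->sh_addr = (uint64_t)(uintptr_t)mod->opd_table;
	mod->sechdrs->sh_size = sizeof(mod->opd_table);
	mod->arch.opd = mod->sechdrs;
}

/* Model of the patched module_finalize(): copy the .opd range out of the
 * section header, then wipe the load-time pointer so a later use fails loudly. */
void model_finalize(struct module *mod)
{
	struct mod_arch *mas = &mod->arch;

	mas->opd_addr = (void *)(uintptr_t)mas->opd->sh_addr;
	mas->opd_size = mas->opd->sh_size;
	mas->opd = NULL;
}

/* After module_finalize() the core loader frees the section headers. */
void model_discard_sechdrs(struct module *mod)
{
	free(mod->sechdrs);
	mod->sechdrs = NULL;
}

/* Model of dereference_function_descriptor(): the first word of a
 * descriptor is the code address. */
static void *deref_fdesc(void *ptr)
{
	return (void *)(uintptr_t)((struct fdesc *)ptr)->ip;
}

/* Model of the patched dereference_module_function_descriptor(): decide
 * from the snapshot, never from the freed section header. Comparisons are
 * done on integers so the out-of-range case is well defined in C. */
void *model_deref_module_fdesc(struct module *mod, void *ptr)
{
	struct mod_arch *mas = &mod->arch;
	uintptr_t p = (uintptr_t)ptr;
	uintptr_t start = (uintptr_t)mas->opd_addr;

	if (p < start || p >= start + mas->opd_size)
		return ptr;
	return deref_fdesc(ptr);
}

/* The whole sequence the symbolizer sees: load, finalize, discard headers,
 * then resolve descriptor `which`. Returns the code address. */
void *model_symbolize(struct module *mod, int which)
{
	model_load(mod);
	model_finalize(mod);
	model_discard_sechdrs(mod);
	return model_deref_module_fdesc(mod, &mod->opd_table[which]);
}

int main(void)
{
	struct module m;

	printf("descriptor 1 -> ip %p\n", model_symbolize(&m, 1));
	return 0;
}
```

The point of the model is the ownership split the patch introduces: `opd` is valid only while `sechdrs` is alive, so the symbolizer must consume the copied `opd_addr`/`opd_size` pair, and a pointer outside that range is handed back untouched.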
* Re: [PATCH] ia64: module: fix symbolizer crash on fdescr
@ 2021-04-04 20:53 John Paul Adrian Glaubitz
From: John Paul Adrian Glaubitz @ 2021-04-04 20:53 UTC (permalink / raw)
To: Sergei Trofimovich, Andrew Morton; +Cc: linux-kernel, linux-ia64
Hi Sergei!
On 4/3/21 9:48 AM, Sergei Trofimovich wrote:
> Noticed failure as a crash on ia64 when tried to symbolize all
> backtraces collected by page_owner=on:
>
> $ cat /sys/kernel/debug/page_owner
> <oops>
>
> CPU: 1 PID: 2074 Comm: cat Not tainted 5.12.0-rc4 #226
> Hardware name: hp server rx3600, BIOS 04.03 04/08/2008
> ip is at dereference_module_function_descriptor+0x41/0x100
>
> Crash happens at dereference_module_function_descriptor() due to
> use-after-free when dereferencing ".opd" section header.
>
> All section headers are already freed after module is loaded
> successfully.
>
> To keep symbolizer working the change stores ".opd" address
> and size after module is relocated to a new place and before
> section headers are discarded.
>
> To make similar errors less obscure module_finalize() now
> zeroes out all variables relevant to module loading only.
Typo: s/zeroes/zero/.
Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913