arm64: fix segfault

2024-11-12 07:29:48 +00:00 · 2024-11-12 07:29:48 +00:00 · ab0c915194
commit ab0c915194
parent 85821039a8
10 changed files with 132 additions and 8 deletions
--- a/0000-lzo_snappy.patch
+++ b/0000-lzo_snappy.patch
--- a/0001-use_system_readline_v3.patch
+++ b/0001-use_system_readline_v3.patch
--- a/0002-add-SDEI-stack-resolution.patch
+++ b/0002-add-SDEI-stack-resolution.patch
--- a/0003-fix-bitmap_len-calculation-overflow-problem-in-large.patch
+++ b/0003-fix-bitmap_len-calculation-overflow-problem-in-large.patch
--- a/0004-CVE-2019-1010180-Add-bfd_get_file_size-to-get-archive-element-size.patch
+++ b/0004-CVE-2019-1010180-Add-bfd_get_file_size-to-get-archive-element-size.patch
--- a/0005-CVE-2019-1010180-DWARF-reader-Reject-sections-with-invalid-sizes.patch
+++ b/0005-CVE-2019-1010180-DWARF-reader-Reject-sections-with-invalid-sizes.patch
--- a/0006-arm64-fix-backtraces-of-KASAN-kernel-dumpfile-truncated.patch
+++ b/0006-arm64-fix-backtraces-of-KASAN-kernel-dumpfile-truncated.patch
--- a/0007-arm64-Fix-again-segfault-in-arm64_is_kernel_exceptio.patch
+++ b/0007-arm64-Fix-again-segfault-in-arm64_is_kernel_exceptio.patch
@ -0,0 +1,47 @@
+From 6c8cd9b5dcf48221e5f75fc5850bb4719d77acce Mon Sep 17 00:00:00 2001
+From: HATAYAMA Daisuke <d.hatayama@fujitsu.com>
+Date: Wed, 7 Jun 2023 18:37:34 +0900
+Subject: [PATCH] arm64: Fix again segfault in
+ arm64_is_kernel_exception_frame() when corrupt stack pointer address is given
+
+This is the second trial from the commit
+9868ebc8e648e5791764a51567a23efae7170d9b that was reverted at the
+previous commit.
+
+As described in the previous commit, result of STACK_OFFSET_TYPE() can
+be an address out of bt->stackbuf and hence the address needs to be
+checked prior to being referred to as an pt_regs object.
+
+So, to fix the issue, let's check if stkptr points to within the range
+of the kernel stack first.
+
+[ kh: added a warning at Lianbo's suggestion ]
+
+Signed-off-by: HATAYAMA Daisuke <d.hatayama@fujitsu.com>
+
+Conflict: Adapat patch context
+Reference: https://github.com/crash-utility/crash/commit/6c8cd9b5dcf48221e5f75fc5850bb4719d77acce
+---
+ arm64.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arm64.c b/arm64.c
+index efbdccb..67b1a22 100644
+--- a/arm64.c
+++ b/arm64.c
+@@ -1844,6 +1844,12 @@ arm64_is_kernel_exception_frame(struct bt_info *bt, ulong stkptr)
+ {
+         struct arm64_pt_regs *regs;
+ 
+	if (stkptr > STACKSIZE() && !INSTACK(stkptr, bt)) {
+		if (CRASHDEBUG(1))
+			error(WARNING, "stkptr: %lx is outside the kernel stack range\n", stkptr);
+		return FALSE;
+	}
+
+         regs = (struct arm64_pt_regs *)&bt->stackbuf[(ulong)(STACK_OFFSET_TYPE(stkptr))];
+ 
+ 	if (INSTACK(regs->sp, bt) && INSTACK(regs->regs[29], bt) && 
+-- 
+2.33.0
+
--- a/0008-arm64-fix-a-potential-segfault-when-unwind-frame.patch
+++ b/0008-arm64-fix-a-potential-segfault-when-unwind-frame.patch
@ -0,0 +1,71 @@
+From af895b219876b293d551e6dec825aba3905c0588 Mon Sep 17 00:00:00 2001
+From: "qiwu.chen" <qiwu.chen@transsion.com>
+Date: Wed, 24 Jul 2024 01:36:09 +0000
+Subject: [PATCH] arm64: fix a potential segfault when unwind frame
+
+The range of frame->fp is checked insufficiently, which may lead to a wrong
+next fp. As a result, bt->stackbuf will be accessed out of range, and segfault.
+
+  crash> bt
+  [Detaching after fork from child process 11409]
+  PID: 7661     TASK: ffffff81858aa500  CPU: 4    COMMAND: "sh"
+   #0 [ffffffc008003f50] local_cpu_stop at ffffffdd7669444c
+
+  Thread 1 "crash" received signal SIGSEGV, Segmentation fault.
+  0x00005555558266cc in arm64_unwind_frame (bt=0x7fffffffd8f0, frame=0x7fffffffd080) at
+  arm64.c:2821
+  2821            frame->fp = GET_STACK_ULONG(fp);
+  (gdb) bt
+  arm64.c:2821
+  out>) at main.c:1338
+  gdb_interface.c:81
+  (gdb) p /x *(struct bt_info*) 0x7fffffffd8f0
+  $3 = {task = 0xffffff81858aa500, flags = 0x0, instptr = 0xffffffdd76694450, stkptr =
+  0xffffffc008003f40, bptr = 0x0, stackbase = 0xffffffc027288000,
+    stacktop = 0xffffffc02728c000, stackbuf = 0x555556115a40, tc = 0x55559d16fdc0, hp = 0x0,
+  textlist = 0x0, ref = 0x0, frameptr = 0xffffffc008003f50,
+    call_target = 0x0, machdep = 0x0, debug = 0x0, eframe_ip = 0x0, radix = 0x0, cpumask =
+  0x0}
+  (gdb) p /x *(struct arm64_stackframe*) 0x7fffffffd080
+  $4 = {fp = 0xffffffc008003f50, sp = 0xffffffc008003f60, pc = 0xffffffdd76694450}
+  crash> bt -S 0xffffffc008003f50
+  PID: 7661     TASK: ffffff81858aa500  CPU: 4    COMMAND: "sh"
+  bt: non-process stack address for this task: ffffffc008003f50
+      (valid range: ffffffc027288000 - ffffffc02728c000)
+
+Check frame->fp value sufficiently before access it. Only frame->fp within
+the range of bt->stackbase and bt->stacktop will be regarded as valid.
+
+Signed-off-by: qiwu.chen <qiwu.chen@transsion.com>
+
+Conflict: NA
+Reference: https://github.com/crash-utility/crash/commit/af895b219876b293d551e6dec825aba3905c0588
+---
+ arm64.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arm64.c b/arm64.c
+index b3040d7..624dba2 100644
+--- a/arm64.c
+++ b/arm64.c
+@@ -2814,7 +2814,7 @@ arm64_unwind_frame(struct bt_info *bt, struct arm64_stackframe *frame)
+ 	low  = frame->sp;
+ 	high = (low + stack_mask) & ~(stack_mask);
+ 
+-	if (fp < low || fp > high || fp & 0xf)
+	if (fp < low || fp > high || fp & 0xf || !INSTACK(fp, bt))
+ 		return FALSE;
+ 
+ 	frame->sp = fp + 0x10;
+@@ -3024,7 +3024,7 @@ arm64_unwind_frame_v2(struct bt_info *bt, struct arm64_stackframe *frame,
+ 	low  = frame->sp;
+ 	high = (low + stack_mask) & ~(stack_mask);
+ 
+-	if (fp < low || fp > high || fp & 0xf)
+	if (fp < low || fp > high || fp & 0xf || !INSTACK(fp, bt))
+ 		return FALSE;
+ 
+ 	if (CRASHDEBUG(1))
+-- 
+2.33.0
+
--- a/crash.spec
+++ b/crash.spec
@ -1,19 +1,21 @@
 Name: crash
 Version: 7.2.8
-Release: 5
+Release: 6
 Summary: Linux kernel crash utility.
 License: GPLv3
 URL: https://crash-utility.github.io
 Source0: https://github.com/crash-utility/crash/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: http://ftp.gnu.org/gnu/gdb/gdb-7.6.tar.gz

-Patch0: lzo_snappy.patch
-Patch1: use_system_readline_v3.patch
-Patch2: add-SDEI-stack-resolution.patch
-Patch3: fix-bitmap_len-calculation-overflow-problem-in-large.patch
-Patch4: 0001-CVE-2019-1010180-Add-bfd_get_file_size-to-get-archive-element-size.patch
-Patch5: 0002-CVE-2019-1010180-DWARF-reader-Reject-sections-with-invalid-sizes.patch
-Patch6: arm64-fix-backtraces-of-KASAN-kernel-dumpfile-truncated.patch
+Patch0: 0000-lzo_snappy.patch
+Patch1: 0001-use_system_readline_v3.patch
+Patch2: 0002-add-SDEI-stack-resolution.patch
+Patch3: 0003-fix-bitmap_len-calculation-overflow-problem-in-large.patch
+Patch4: 0004-CVE-2019-1010180-Add-bfd_get_file_size-to-get-archive-element-size.patch
+Patch5: 0005-CVE-2019-1010180-DWARF-reader-Reject-sections-with-invalid-sizes.patch
+Patch6: 0006-arm64-fix-backtraces-of-KASAN-kernel-dumpfile-truncated.patch
+Patch7: 0007-arm64-Fix-again-segfault-in-arm64_is_kernel_exceptio.patch
+Patch8: 0008-arm64-fix-a-potential-segfault-when-unwind-frame.patch

 BuildRequires: ncurses-devel zlib-devel lzo-devel snappy-devel
 BuildRequires: gcc gcc-c++ bison readline-devel
@ -79,6 +81,10 @@ install -D -m 0644 defs.h %{buildroot}%{_includedir}/%{name}/defs.h
 %{_mandir}/man8/crash.8*

 %changelog
+* Tue Nov 12 2024 wangxiao <wangxiao184@h-partners.com> - 7.2.8-6
+- arm64: fix again segfault in arm64_is_kernel_exception_frame
+  arm64: fix a potential segfault when unwind frame
+
 * Thu Dec 1 2022 Ding Hui <dinghui@sangfor.com.cn> - 7.2.8-5
 - fix backtraces of arm64 KASAN kernel dumpfile truncated