+++ /dev/null
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Mon, 4 Dec 2017 15:07:08 +0100
-Subject: [PATCH] x86/unwinder/orc: Dont bail on stack overflow
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2017-5754
-
-If the stack overflows into a guard page and the ORC unwinder should work
-well: by construction, there can't be any meaningful data in the guard page
-because no writes to the guard page will have succeeded.
-
-But there is a bug that prevents unwinding from working correctly: if the
-starting register state has RSP pointing into a stack guard page, the ORC
-unwinder bails out immediately.
-
-Instead of bailing out immediately check whether the next page up is a
-valid check page and if so analyze that. As a result the ORC unwinder will
-start the unwind.
-
-Tested by intentionally overflowing the task stack. The result is an
-accurate call trace instead of a trace consisting purely of '?' entries.
-
-There are a few other bugs that are triggered if the unwinder encounters a
-stack overflow after the first step, but they are outside the scope of this
-fix.
-
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Borislav Petkov <bpetkov@suse.de>
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Dave Hansen <dave.hansen@intel.com>
-Cc: Dave Hansen <dave.hansen@linux.intel.com>
-Cc: David Laight <David.Laight@aculab.com>
-Cc: Denys Vlasenko <dvlasenk@redhat.com>
-Cc: Eduardo Valentin <eduval@amazon.com>
-Cc: Greg KH <gregkh@linuxfoundation.org>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Josh Poimboeuf <jpoimboe@redhat.com>
-Cc: Juergen Gross <jgross@suse.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Rik van Riel <riel@redhat.com>
-Cc: Will Deacon <will.deacon@arm.com>
-Cc: aliguori@amazon.com
-Cc: daniel.gruss@iaik.tugraz.at
-Cc: hughd@google.com
-Cc: keescook@google.com
-Link: https://lkml.kernel.org/r/20171204150604.991389777@linutronix.de
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-(cherry picked from commit d3a09104018cf2ad5973dfa8a9c138ef9f5015a3)
-Signed-off-by: Andy Whitcroft <apw@canonical.com>
-Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-(cherry picked from commit e5c3115ac69cddd384d6f7abc4a0ef030b247498)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
- arch/x86/kernel/unwind_orc.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
-index 570b70d3f604..cea85bfe93f7 100644
---- a/arch/x86/kernel/unwind_orc.c
-+++ b/arch/x86/kernel/unwind_orc.c
-@@ -552,8 +552,18 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
- }
-
- if (get_stack_info((unsigned long *)state->sp, state->task,
-- &state->stack_info, &state->stack_mask))
-- return;
-+ &state->stack_info, &state->stack_mask)) {
-+ /*
-+ * We weren't on a valid stack. It's possible that
-+ * we overflowed a valid stack into a guard page.
-+ * See if the next page up is valid so that we can
-+ * generate some kind of backtrace if this happens.
-+ */
-+ void *next_page = (void *)PAGE_ALIGN((unsigned long)state->sp);
-+ if (get_stack_info(next_page, state->task, &state->stack_info,
-+ &state->stack_mask))
-+ return;
-+ }
-
- /*
- * The caller can provide the address of the first frame directly
---
-2.14.2
-
projects / pve-kernel.git / blobdiff