Currently enabling this triggers a warning
| usercopy: Kernel memory overwrite attempt detected to kernel text (offset 155633, size 11)!
| usercopy: BUG: failure at mm/usercopy.c:99/usercopy_abort()!
|
|gcc generated __builtin_trap
|Path: /bin/busybox
|CPU: 0 PID: 84 Comm: init Not tainted 5.4.22
|
|[ECR ]: 0x00090005 => gcc generated __builtin_trap
|[EFA ]: 0x9024fcaa
|[BLINK ]: usercopy_abort+0x8a/0x8c
|[ERET ]: memfd_fcntl+0x0/0x470
|[STAT32]: 0x80080802 : IE K
|BTA: 0x901ba38c SP: 0xbe161ecc FP: 0xbf9fe950
|LPS: 0x90677408 LPE: 0x9067740c LPC: 0x00000000
|r00: 0x0000003c r01: 0xbf0ed280 r02: 0x00000000
|r03: 0xbe15fa30 r04: 0x00d2803e r05: 0x00000000
|r06: 0x675d7000 r07: 0x00000000 r08: 0x675d9c00
|r09: 0x00000000 r10: 0x0000035c r11: 0x61206572
|r12: 0x9024fcaa r13: 0x0000000b r14: 0x0000000b
|r15: 0x00000000 r16: 0x90169ffc r17: 0x90168000
|r18: 0x00000000 r19: 0xbf092010 r20: 0x00000001
|r21: 0x00000011 r22: 0x5ffffff1 r23: 0x90169ff1
|r24: 0xbe196c00 r25: 0xbf0ed280
|
|Stack Trace:
| memfd_fcntl+0x0/0x470
| usercopy_abort+0x8a/0x8c
| __check_object_size+0x10e/0x138
| copy_strings+0x1f4/0x38c
| __do_execve_file+0x352/0x848
| EV_Trap+0xcc/0xd0
Fixes: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/15
Reported-by: Evgeniy Didin <[email protected]>
Signed-off-by: Vineet Gupta <[email protected]>
---
arch/arc/kernel/vmlinux.lds.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arc/kernel/vmlinux.lds.S b/arch/arc/kernel/vmlinux.lds.S
index 33ce59d91461..e2146a8da195 100644
--- a/arch/arc/kernel/vmlinux.lds.S
+++ b/arch/arc/kernel/vmlinux.lds.S
@@ -57,7 +57,6 @@ SECTIONS
.init.ramfs : { INIT_RAM_FS }
. = ALIGN(PAGE_SIZE);
- _stext = .;
HEAD_TEXT_SECTION
INIT_TEXT_SECTION(L1_CACHE_BYTES)
@@ -83,6 +82,7 @@ SECTIONS
.text : {
_text = .;
+ _stext = .;
TEXT_TEXT
SCHED_TEXT
CPUIDLE_TEXT
--
2.25.1
On Wed, Jun 09, 2021 at 03:12:11PM -0700, Vineet Gupta wrote:
> Currently enabling this triggers a warning
>
> | usercopy: Kernel memory overwrite attempt detected to kernel text (offset 155633, size 11)!
> | usercopy: BUG: failure at mm/usercopy.c:99/usercopy_abort()!
> |
> |gcc generated __builtin_trap
> |Path: /bin/busybox
> |CPU: 0 PID: 84 Comm: init Not tainted 5.4.22
> |
> |[ECR ]: 0x00090005 => gcc generated __builtin_trap
> |[EFA ]: 0x9024fcaa
> |[BLINK ]: usercopy_abort+0x8a/0x8c
> |[ERET ]: memfd_fcntl+0x0/0x470
> |[STAT32]: 0x80080802 : IE K
> |BTA: 0x901ba38c SP: 0xbe161ecc FP: 0xbf9fe950
> |LPS: 0x90677408 LPE: 0x9067740c LPC: 0x00000000
> |r00: 0x0000003c r01: 0xbf0ed280 r02: 0x00000000
> |r03: 0xbe15fa30 r04: 0x00d2803e r05: 0x00000000
> |r06: 0x675d7000 r07: 0x00000000 r08: 0x675d9c00
> |r09: 0x00000000 r10: 0x0000035c r11: 0x61206572
> |r12: 0x9024fcaa r13: 0x0000000b r14: 0x0000000b
> |r15: 0x00000000 r16: 0x90169ffc r17: 0x90168000
> |r18: 0x00000000 r19: 0xbf092010 r20: 0x00000001
> |r21: 0x00000011 r22: 0x5ffffff1 r23: 0x90169ff1
> |r24: 0xbe196c00 r25: 0xbf0ed280
> |
> |Stack Trace:
> | memfd_fcntl+0x0/0x470
> | usercopy_abort+0x8a/0x8c
> | __check_object_size+0x10e/0x138
> | copy_strings+0x1f4/0x38c
> | __do_execve_file+0x352/0x848
> | EV_Trap+0xcc/0xd0
What was the root cause here? Was it that the init section gets freed
and reused for kmalloc?
>
> Fixes: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/15
> Reported-by: Evgeniy Didin <[email protected]>
> Signed-off-by: Vineet Gupta <[email protected]>
> ---
> arch/arc/kernel/vmlinux.lds.S | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arc/kernel/vmlinux.lds.S b/arch/arc/kernel/vmlinux.lds.S
> index 33ce59d91461..e2146a8da195 100644
> --- a/arch/arc/kernel/vmlinux.lds.S
> +++ b/arch/arc/kernel/vmlinux.lds.S
> @@ -57,7 +57,6 @@ SECTIONS
> .init.ramfs : { INIT_RAM_FS }
>
> . = ALIGN(PAGE_SIZE);
> - _stext = .;
>
> HEAD_TEXT_SECTION
> INIT_TEXT_SECTION(L1_CACHE_BYTES)
> @@ -83,6 +82,7 @@ SECTIONS
>
> .text : {
> _text = .;
> + _stext = .;
> TEXT_TEXT
> SCHED_TEXT
> CPUIDLE_TEXT
> --
> 2.25.1
>
--
Kees Cook
On 6/10/21 10:02 AM, Kees Cook wrote:
> On Wed, Jun 09, 2021 at 03:12:11PM -0700, Vineet Gupta wrote:
>> Currently enabling this triggers a warning
>>
>> | usercopy: Kernel memory overwrite attempt detected to kernel text (offset 155633, size 11)!
>> | usercopy: BUG: failure at mm/usercopy.c:99/usercopy_abort()!
>> |
>> |gcc generated __builtin_trap
>> |Path: /bin/busybox
>> |CPU: 0 PID: 84 Comm: init Not tainted 5.4.22
>> |
>> |[ECR ]: 0x00090005 => gcc generated __builtin_trap
>> |[EFA ]: 0x9024fcaa
>> |[BLINK ]: usercopy_abort+0x8a/0x8c
>> |[ERET ]: memfd_fcntl+0x0/0x470
>> |[STAT32]: 0x80080802 : IE K
>> |BTA: 0x901ba38c SP: 0xbe161ecc FP: 0xbf9fe950
>> |LPS: 0x90677408 LPE: 0x9067740c LPC: 0x00000000
>> |r00: 0x0000003c r01: 0xbf0ed280 r02: 0x00000000
>> |r03: 0xbe15fa30 r04: 0x00d2803e r05: 0x00000000
>> |r06: 0x675d7000 r07: 0x00000000 r08: 0x675d9c00
>> |r09: 0x00000000 r10: 0x0000035c r11: 0x61206572
>> |r12: 0x9024fcaa r13: 0x0000000b r14: 0x0000000b
>> |r15: 0x00000000 r16: 0x90169ffc r17: 0x90168000
>> |r18: 0x00000000 r19: 0xbf092010 r20: 0x00000001
>> |r21: 0x00000011 r22: 0x5ffffff1 r23: 0x90169ff1
>> |r24: 0xbe196c00 r25: 0xbf0ed280
>> |
>> |Stack Trace:
>> | memfd_fcntl+0x0/0x470
>> | usercopy_abort+0x8a/0x8c
>> | __check_object_size+0x10e/0x138
>> | copy_strings+0x1f4/0x38c
>> | __do_execve_file+0x352/0x848
>> | EV_Trap+0xcc/0xd0
> What was the root cause here? Was it that the init section gets freed
> and reused for kmalloc?
Right. ARC _stext was encompassing the init section (to cover the init
code) so when init gets freed and used by kmalloc,
check_kernel_text_object() trips as it thinks the allocated pointer is
in kernel .text. Actually I should have added this to changelog.
Thx,
-Vineet
On Thu, Jun 10, 2021 at 06:56:48PM +0000, Vineet Gupta wrote:
> On 6/10/21 10:02 AM, Kees Cook wrote:
> > On Wed, Jun 09, 2021 at 03:12:11PM -0700, Vineet Gupta wrote:
> >> Currently enabling this triggers a warning
> >>
> >> | usercopy: Kernel memory overwrite attempt detected to kernel text (offset 155633, size 11)!
> >> | usercopy: BUG: failure at mm/usercopy.c:99/usercopy_abort()!
> >> |
> >> |gcc generated __builtin_trap
> >> |Path: /bin/busybox
> >> |CPU: 0 PID: 84 Comm: init Not tainted 5.4.22
> >> |
> >> |[ECR ]: 0x00090005 => gcc generated __builtin_trap
> >> |[EFA ]: 0x9024fcaa
> >> |[BLINK ]: usercopy_abort+0x8a/0x8c
> >> |[ERET ]: memfd_fcntl+0x0/0x470
> >> |[STAT32]: 0x80080802 : IE K
> >> |BTA: 0x901ba38c SP: 0xbe161ecc FP: 0xbf9fe950
> >> |LPS: 0x90677408 LPE: 0x9067740c LPC: 0x00000000
> >> |r00: 0x0000003c r01: 0xbf0ed280 r02: 0x00000000
> >> |r03: 0xbe15fa30 r04: 0x00d2803e r05: 0x00000000
> >> |r06: 0x675d7000 r07: 0x00000000 r08: 0x675d9c00
> >> |r09: 0x00000000 r10: 0x0000035c r11: 0x61206572
> >> |r12: 0x9024fcaa r13: 0x0000000b r14: 0x0000000b
> >> |r15: 0x00000000 r16: 0x90169ffc r17: 0x90168000
> >> |r18: 0x00000000 r19: 0xbf092010 r20: 0x00000001
> >> |r21: 0x00000011 r22: 0x5ffffff1 r23: 0x90169ff1
> >> |r24: 0xbe196c00 r25: 0xbf0ed280
> >> |
> >> |Stack Trace:
> >> | memfd_fcntl+0x0/0x470
> >> | usercopy_abort+0x8a/0x8c
> >> | __check_object_size+0x10e/0x138
> >> | copy_strings+0x1f4/0x38c
> >> | __do_execve_file+0x352/0x848
> >> | EV_Trap+0xcc/0xd0
> > What was the root cause here? Was it that the init section gets freed
> > and reused for kmalloc?
>
> Right. ARC _stext was encompassing the init section (to cover the init
> code) so when init gets freed and used by kmalloc,
> check_kernel_text_object() trips as it thinks the allocated pointer is
> in kernel .text. Actually I should have added this to changelog.
Great! Yeah, if you respin it with that added, please consider it:
Reviewed-by: Kees Cook <[email protected]>
Thanks!
--
Kees Cook
On 6/10/21 4:56 PM, Kees Cook wrote:
>>>> |Stack Trace:
>>>> | memfd_fcntl+0x0/0x470
>>>> | usercopy_abort+0x8a/0x8c
>>>> | __check_object_size+0x10e/0x138
>>>> | copy_strings+0x1f4/0x38c
>>>> | __do_execve_file+0x352/0x848
>>>> | EV_Trap+0xcc/0xd0
>>> What was the root cause here? Was it that the init section gets freed
>>> and reused for kmalloc?
>> Right. ARC _stext was encompassing the init section (to cover the init
>> code) so when init gets freed and used by kmalloc,
>> check_kernel_text_object() trips as it thinks the allocated pointer is
>> in kernel .text. Actually I should have added this to changelog.
> Great! Yeah, if you respin it with that added, please consider it:
>
> Reviewed-by: Kees Cook <[email protected]>
Thx. I added this and pushed to ARC for-curr
--->
The issue is triggered by an allocation in "init reclaimed" region.
ARC _stext emcompasses the init region (for historical reasons we
wanted
the init.text to be under .text as well). This however trips up
__check_object_size()->check_kernel_text_object() which treats this as
object bleedign into kernel text.
Fix that by rezoning _stext to start from regular kernel .text and
leave
out .init altogether.