Subject: Re: [PATCH] x86/coredump: always use user_regs_struct for compat_elf_gregset_t
From: Dmitry Safonov <dsafonov@virtuozzo.com>
To: Andy Lutomirski
CC: Thomas Gleixner, Dmitry Safonov <0x7f454c46@gmail.com>, Ingo Molnar, linux-kernel@vger.kernel.org, Oleg Nesterov, linux-mm@kvack.org, X86 ML, "H. Peter Anvin"
Date: Fri, 9 Dec 2016 14:29:55 +0300
References: <20161123181330.10705-1-dsafonov@virtuozzo.com>
List: linux-kernel@vger.kernel.org
On 12/09/2016 02:14 AM, Andy Lutomirski wrote:
> On Nov 23, 2016 10:16 AM, "Dmitry Safonov" wrote:
>>
>> From commit 90954e7b9407 ("x86/coredump: Use pr_reg size, rather that
>> TIF_IA32 flag") elf coredump file is constructed according to register
>> set size - and that's good: if binary crashes with 32-bit code selector,
>> generate 32-bit ELF core, otherwise - 64-bit core.
>> That was made for restoring 32-bit applications on x86_64: we want
>> 32-bit application after restore to generate 32-bit ELF dump on crash.
>> All was quite good and recently I started reworking 32-bit applications
>> dumping part of CRIU: now it has two parasites (32 and 64) for seizing
>> compat/native tasks, after rework it'll have one parasite, working in
>> 64-bit mode, to which 32-bit prologue long-jumps during infection.
>>
>> And while it has worked for my work machine, in VM with
>> !CONFIG_X86_X32_ABI during reworking I faced that segfault in 32-bit
>> binary, that has long-jumped to 64-bit mode results in dereference
>> of garbage:
>
> Can you point to the actual line that's crashing? I'm wondering if we
> have code that should be made more robust.

Hi Andy,

Here it is:

> static int fill_thread_core_info(struct elf_thread_core_info *t,
>                                  const struct user_regset_view *view,
>                                  long signr, size_t *total)
> {
>         unsigned int i;
>         unsigned int regset_size = view->regsets[0].n * view->regsets[0].size;

For now the regset_size is the 64-bit register set's size if a 32-bit ELF
crashed with a 64-bit CS.

>
>         /*
>          * NT_PRSTATUS is the one special case, because the regset data
>          * goes into the pr_reg field inside the note contents, rather
>          * than being the whole note contents.  We fill the reset in here.
>          * We assume that regset 0 is NT_PRSTATUS.
>          */
>         fill_prstatus(&t->prstatus, t->task, signr);
>         (void) view->regsets[0].get(t->task, &view->regsets[0], 0, regset_size,
>                                     &t->prstatus.pr_reg, NULL);

And here it is writing to elf_thread_core_info::prstatus::pr_reg; the prstatus
member is typed compat_elf_prstatus, as the binfmt_elf interpreter that was
used to load the program is from fs/compat_binfmt_elf.c:

> #define elf_prstatus compat_elf_prstatus
> #define elf_prpsinfo compat_elf_prpsinfo

So, we're overwriting the elf_thread_core_info structure's content by
writing a bigger regset than it can hold.
(The .get() method is genregs_get() from arch/x86/kernel/ptrace.c.)

The crash happens afterwards, when we're trying to dereference some
fields of elf_thread_core_info - for me it was, as you can see, in
writenote():

 [] ? writenote+0x19/0xa0
 [] elf_core_dump+0x11a9/0x1480
 [] do_coredump+0xa6b/0xe60
 [] ? signal_wake_up_state+0x20/0x30
 [] ? complete_signal+0xf1/0x1f0
 [] get_signal+0x1a8/0x5c0
 [] do_signal+0x23/0x660

From my point of view the 64-bit regset is generated rightly - otherwise I
couldn't see x86_64 registers in gdb for that kind of crash.
So, I fixed it as simply as possible - by having one size for
compat_elf_gregset_t independent of the CONFIG_X86_X32_ABI option.

-- 
Dmitry
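The failure mode Dmitry describes, as an added user-space model that is not code from this thread or from the kernel: a register set whose size is derived from the regset view (the 64-bit layout when the task crashed with a 64-bit CS) is copied into a pr_reg field sized for the compat layout, and the excess lands on the fields that follow it in the thread-info structure. The struct and function names below are invented for the model; the two sizes are assumed to follow user_regs_struct (27 eight-byte slots) and user_regs_struct32 (17 four-byte slots), which is my reading of the x86 headers and not something the mail states. The hardened variant checks the regset size against the destination before copying, which is the kind of robustness check Andy asks about.

```c
/* Added example, not kernel code: models a 64-bit regset written into a
 * compat-sized pr_reg and a size check that catches the mismatch first.
 * Sizes assume user_regs_struct = 27 * 8 bytes and user_regs_struct32 =
 * 17 * 4 bytes; all structs here are constructed models, not the kernel's. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NATIVE_GREGSET_BYTES (27 * 8)   /* assumed: user_regs_struct (64-bit) */
#define COMPAT_GREGSET_BYTES (17 * 4)   /* assumed: user_regs_struct32 (!X32 ABI) */
#define NEXT_SENTINEL 0x1122334455667788ULL

/* Model of struct user_regset: n entries of size bytes each. */
struct regset_view_model {
    unsigned int n;
    unsigned int size;
};

/* Model of compat_elf_prstatus: only the register area matters here. */
struct compat_prstatus_model {
    unsigned char pr_reg[COMPAT_GREGSET_BYTES];
};

/* Model of elf_thread_core_info: prstatus followed by fields that the
 * dumper dereferences later (the report shows the crash in writenote()). */
struct thread_core_info_model {
    struct compat_prstatus_model prstatus;
    uint32_t num_notes;
    uint64_t next;   /* stands in for a pointer that gets clobbered */
};

/* The arena keeps the deliberately oversized copy inside one object so the
 * demonstration itself stays memory-safe. */
struct arena {
    struct thread_core_info_model info;
    unsigned char slack[512];
};

size_t regset_bytes(const struct regset_view_model *v)
{
    return (size_t)v->n * v->size;
}

/* Bytes a regset write would spill past pr_reg; 0 means it fits. */
size_t pr_reg_overflow_bytes(const struct regset_view_model *v)
{
    size_t need = regset_bytes(v);
    return need > COMPAT_GREGSET_BYTES ? need - COMPAT_GREGSET_BYTES : 0;
}

static void arena_init(struct arena *a)
{
    memset(a, 0, sizeof *a);
    a->info.num_notes = 3;
    a->info.next = NEXT_SENTINEL;
}

/* The pattern from the report: copy regset_bytes(v) into pr_reg with no
 * size check. Returns 1 if the fields after pr_reg were clobbered. */
int fill_pr_reg_unchecked(struct arena *a, const unsigned char *regs,
                          const struct regset_view_model *v)
{
    /* Address computed from the arena base so the write stays in-bounds
     * of the arena even though it runs past pr_reg. */
    unsigned char *dst = (unsigned char *)a +
        offsetof(struct arena, info) +
        offsetof(struct thread_core_info_model, prstatus) +
        offsetof(struct compat_prstatus_model, pr_reg);
    arena_init(a);
    memcpy(dst, regs, regset_bytes(v));
    return a->info.next != NEXT_SENTINEL || a->info.num_notes != 3;
}

/* Hardened variant: refuse a regset that does not fit the destination.
 * Returns 0 on success, -1 on size mismatch (nothing is written). */
int fill_pr_reg_checked(struct arena *a, const unsigned char *regs,
                        const struct regset_view_model *v)
{
    arena_init(a);
    if (pr_reg_overflow_bytes(v) != 0)
        return -1;
    memcpy(a->info.prstatus.pr_reg, regs, regset_bytes(v));
    return 0;
}

int main(void)
{
    /* Constructed register image: a 64-bit regset filled with 0xAB. */
    unsigned char regs64[NATIVE_GREGSET_BYTES];
    struct regset_view_model native = { 27, 8 };
    struct regset_view_model compat = { 17, 4 };
    struct arena a;
    memset(regs64, 0xAB, sizeof regs64);

    printf("native regset %zu bytes, compat pr_reg %d bytes, spill %zu bytes\n",
           regset_bytes(&native), COMPAT_GREGSET_BYTES,
           pr_reg_overflow_bytes(&native));
    printf("unchecked copy clobbered trailing fields: %d\n",
           fill_pr_reg_unchecked(&a, regs64, &native));
    printf("checked copy of 64-bit regset: %d\n",
           fill_pr_reg_checked(&a, regs64, &native));
    printf("checked copy of 32-bit regset: %d\n",
           fill_pr_reg_checked(&a, regs64, &compat));
    return 0;
}
```

The patch in the thread takes the other route to the same invariant: instead of rejecting the copy, it makes compat_elf_gregset_t the same size as user_regs_struct regardless of CONFIG_X86_X32_ABI, so the destination can always hold what the view produces. The check above is what you would keep in a model to detect any future drift between the two sizes.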