Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1674307ybl; Thu, 30 Jan 2020 04:06:45 -0800 (PST) X-Google-Smtp-Source: APXvYqyRZHVlS53A/8MDgf5DITtvuozjXe0Bni2xK0YVnRjgBJdu0IaMbrCgssRbOsXLzMtEmfeA X-Received: by 2002:a05:6808:658:: with SMTP id z24mr2696668oih.91.1580386004956; Thu, 30 Jan 2020 04:06:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580386004; cv=none; d=google.com; s=arc-20160816; b=x+LNhNQEn3bxU8bU50KGVcFs2LEMHOGWO7HsVve7p3PTZQbFuK8HJYpgECpulQgR6D 3zoBgrbAnwgVoL0CYUaBeiILKLfR9Yn4jT6rYAzSXsZVlGH+0V+2KkWRW6s6xNUgYmbP Aa67gT2cr2pwXwXF9LRNrFV1+sj85ZCy7g/qb4UTyFuzeUikNXBmfe2VU5puyA6tm9g3 OkDtxxkRvQ/mPLdZDeVMTiB4Wxc8AiR5d8PSKnbAAEGiYJ8UTT5gtDDQIGmeCEeKnvYA 27qTMtJxqftJJ/MlrnQXNKvOYuFe7Qdpq2lKu92d881fj0ny5uRsz+tl6T+hZpbWP7zp c7ew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=Z8G2nDx9WHWYROzn/JgZ7wxgI6aKyyxtEyWYfcNEyQU=; b=R6h82qW7a9v/A4G+xAivaV0Ov8jJfZTQHbwVVkQmlo51tbZnEDsUh95CaZDuAAkW/n e++MXdxNGubDKuyzc32KY4pto1DkSmKshcljnw4VuEXiEp0lhz2JBBrY6SUxFQJVwj8Q x3ChARWewY0gmPVOam8eRUXiNUVBNnkbcGB6gL7mUxkFBbour+TAx2JYAIFzLgUDQexb 3au3gGDvaGpDzGggt7sh46vG0wubilTO9crw1RdJW2Uajbc4YK/yRqMFzQKGXQZYXTQP +/UOMCOPEgqipt/WibX+zof3R6YxRHka76dxBRUqbBZldn0GPkjQZ8oC/TBiTKfn6SFs pr+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lBAEJadw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v14si3082766otn.293.2020.01.30.04.06.32; Thu, 30 Jan 2020 04:06:44 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lBAEJadw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727197AbgA3MEL (ORCPT + 99 others); Thu, 30 Jan 2020 07:04:11 -0500 Received: from mail-wr1-f68.google.com ([209.85.221.68]:39724 "EHLO mail-wr1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726980AbgA3MEL (ORCPT ); Thu, 30 Jan 2020 07:04:11 -0500 Received: by mail-wr1-f68.google.com with SMTP id y11so3718980wrt.6 for ; Thu, 30 Jan 2020 04:04:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Z8G2nDx9WHWYROzn/JgZ7wxgI6aKyyxtEyWYfcNEyQU=; b=lBAEJadw9ZYvQXQKdOzKpPzGlzoNVuJ5v8r8CqV5/4dLEX7pFlppZxDhGBnNKS8zJg 1IJwI77FK7BfCt9DDChKiDlwctdHUiVGETSyISB3XQQJBNGEDuxVYjn9LtrQiWYzxSNH zUdyFclHkqpFZRR+FU7uX+I3wwLNkMZcXpc4xrfNB5p3DBKq3NweyhsZsb3QlVj10odu hORYJTmrEE9gI7xsMKDJIo9QTM6UDA5sxrjuJngvotZQUW3/YGh0Szgt1S/P7xw9lUi0 oPi+6NGbist1gFAXJY4BfF7OAyI7oaItgjviiYZUuWG/eCOFpeZPNJxgfkyNQpJRyTXp eDwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Z8G2nDx9WHWYROzn/JgZ7wxgI6aKyyxtEyWYfcNEyQU=; b=ZcOTDEa7F0DS9DzOdH3IIyplIc/otK+aTZlK83w7uyHOHkW5ggKlBvCLnHKDKT+xXr 5Db821hFS5GkyxE33BCGfffiu/18kHIXXdPiHcL4bzYuIzb6JqbpxFbaL5yqWauSglxW k8+CNDTCea2F2Nli28mp/5gi7h40HgaNRH9/V4/z4pnq5cJre3ROVaeBtwuWHmgazWu3 kTq447Q5ofG2ppklzrwghxzpj3tiUilctgoM5+t0MNCJPAXy7IhcMRIP/eBCEW/vQYFw CGbP1IxtqyOubGI5VNwYCo3q+Bx4buG3s8L2v1QNIoO6V058CLPADAHUpBk/0JJ1Qvcn qqbQ== X-Gm-Message-State: APjAAAVL7NmnjgWAwF/lLAsMZasdhZMARthRfTPXwNMcYDVCE+ZZI5bI UTwAK4U6/hTcSPMWjYx7GLo+wyuGsGyC6NZJH8Af0Q== X-Received: by 2002:a5d:550f:: with SMTP id b15mr2806269wrv.196.1580385849232; Thu, 30 Jan 2020 04:04:09 -0800 (PST) MIME-Version: 1.0 References: <20200130064430.17198-1-walter-zh.wu@mediatek.com> In-Reply-To: <20200130064430.17198-1-walter-zh.wu@mediatek.com> From: Alexander Potapenko Date: Thu, 30 Jan 2020 13:03:58 +0100 Message-ID: Subject: Re: [PATCH v3] lib/stackdepot: Fix global out-of-bounds in stackdepot To: Walter Wu Cc: Dmitry Vyukov , Matthias Brugger , Thomas Gleixner , Josh Poimboeuf , Greg Kroah-Hartman , Kate Stewart , LKML , linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, wsd_upstream Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 30, 2020 at 7:44 AM Walter Wu wrote= : Hi Walter, > If the depot_index =3D STACK_ALLOC_MAX_SLABS - 2 and next_slab_inited =3D= 0, > then it will cause array out-of-bounds access, so that we should modify > the detection to avoid this array out-of-bounds bug. > > Assume depot_index =3D STACK_ALLOC_MAX_SLABS - 3 > Consider following call flow sequence: > > stack_depot_save() > depot_alloc_stack() > if (unlikely(depot_index + 1 >=3D STACK_ALLOC_MAX_SLABS)) //pass > depot_index++ //depot_index =3D STACK_ALLOC_MAX_SLABS - 2 > if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) //enter > smp_store_release(&next_slab_inited, 0); //next_slab_inited =3D = 0 > init_stack_slab() > if (stack_slabs[depot_index] =3D=3D NULL) //enter and exit > > stack_depot_save() > depot_alloc_stack() > if (unlikely(depot_index + 1 >=3D STACK_ALLOC_MAX_SLABS)) //pass > depot_index++ //depot_index =3D STACK_ALLOC_MAX_SLABS - 1 > init_stack_slab(&prealloc) > stack_slabs[depot_index + 1] //here get global out-of-bounds > > Cc: Dmitry Vyukov > Cc: Matthias Brugger > Cc: Thomas Gleixner > Cc: Alexander Potapenko > Cc: Josh Poimboeuf > Cc: Kate Stewart > Cc: Greg Kroah-Hartman > Cc: Kate Stewart > Signed-off-by: Walter Wu > --- > changes in v2: > modify call flow sequence and preconditon > > changes in v3: > add some reviewers > --- > lib/stackdepot.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/stackdepot.c b/lib/stackdepot.c > index ed717dd08ff3..7e8a15e41600 100644 > --- a/lib/stackdepot.c > +++ b/lib/stackdepot.c > @@ -106,7 +106,7 @@ static struct stack_record *depot_alloc_stack(unsigne= d long *entries, int size, > required_size =3D ALIGN(required_size, 1 << STACK_ALLOC_ALIGN); > > if (unlikely(depot_offset + required_size > STACK_ALLOC_SIZE)) { > - if (unlikely(depot_index + 1 >=3D STACK_ALLOC_MAX_SLABS))= { > + if (unlikely(depot_index + 2 >=3D STACK_ALLOC_MAX_SLABS))= { I don't think this is the right way to fix the problem. You're basically throwing away the last element of stack_slabs[], as we won't allocate anything from it. How about we set |next_slab_inited| to 1 here: diff --git a/lib/stackdepot.c b/lib/stackdepot.c index 2e7d2232ed3c..943a51eb746d 100644 --- a/lib/stackdepot.c +++ b/lib/stackdepot.c @@ -105,6 +105,8 @@ static bool init_stack_slab(void **prealloc) return true; if (stack_slabs[depot_index] =3D=3D NULL) { stack_slabs[depot_index] =3D *prealloc; + if (depot_index + 1 =3D=3D STACK_ALLOC_MAX_SLABS) + smp_store_release(&next_slab_inited, 1); } else { stack_slabs[depot_index + 1] =3D *prealloc; /* This will ensure we won't be preallocating pages once |depot_index| reaches the last element, and we won't attempt to write those pages anywhere either. Could you please check if this fixes the problem for you? > WARN_ONCE(1, "Stack depot reached limit capacity"= ); > return NULL; > } > -- > 2.18.0 --=20 Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Stra=C3=9Fe, 33 80636 M=C3=BCnchen Gesch=C3=A4ftsf=C3=BChrer: Paul Manicle, Halimah DeLaine Prado Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg