Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp3615334ybl; Mon, 3 Feb 2020 03:32:59 -0800 (PST) X-Google-Smtp-Source: APXvYqziSTdBGTTiQzwaHp4Bl4UHn+65oxz39vGs8F/VheftVk+ttHLkKBrRLVb8bKizqnVYsuEV X-Received: by 2002:a9d:53cb:: with SMTP id i11mr17820130oth.158.1580729578933; Mon, 03 Feb 2020 03:32:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580729578; cv=none; d=google.com; s=arc-20160816; b=Kt90GR+BPyHIDr7yhRo9D3vnf3zJh6fdMFW85tg2uW07+24mleuSn29iVKgUBLvdLH u6/sXE3ZjUnDMAktuDWwSA3Ve42gbcjquip2O06qN88Aoz05Fj7mFCutYmI1kgusDo/Q u0urxCnR3JBm2hEX5XK9n7NemAw5F4nfPEMbz05+e93Sii8onLwz6ayP3O6YFHw7UsIy yZKyuoJBnNbenLm/ejoH/FznCWsTjffDtFCrdSe1N64xWFEPvro1V75yf5ARyndyD51A qZ15CUtpuiBhTqAzUgIKEHTR9+3A/o6LrFNRjb+fP1WcN8q/0iPCraCH6T53Dv3BU0Kp liug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=dD9fba3D0HqXgOSqJlLFz2muhY16h6Gr+BwVuHnFIv4=; b=gE2OxaxnSwyPsoeyjc3wwFLk9xrkreOua1WGQZEwPAUB3WQWe7ynXZVOcIlQsGEa6M deAgtVUV5Lls3HlNPYNMKG84vNuEKTYvSmPSwZLINxChDUDuhNkjH5mKh/4XceHMyMjN PrMu7lyttuhiFHAFGEyzcjsF/zcz/edFfOpGGqlLZoGrf1DHql9cis9cTyACvgEXmugI xTyCFH0LshpMQ40HOkhTVO/Fa1sHN0ud0U3tHOQl4zrEKGW02gSvsf8MMlJbtPmFIKAC kWeUsCTCIgSSaldq8e0SZcfQM5FUOfbhr20Yq2rXUCIfXkkF2+MA9YvIk6n+sv6RHepe 0LeA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=UKGNNJxP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l5si9180647otf.37.2020.02.03.03.32.46; Mon, 03 Feb 2020 03:32:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=UKGNNJxP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727565AbgBCKan (ORCPT + 99 others); Mon, 3 Feb 2020 05:30:43 -0500 Received: from mail-wm1-f65.google.com ([209.85.128.65]:55998 "EHLO mail-wm1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726100AbgBCKan (ORCPT ); Mon, 3 Feb 2020 05:30:43 -0500 Received: by mail-wm1-f65.google.com with SMTP id q9so15182331wmj.5 for ; Mon, 03 Feb 2020 02:30:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dD9fba3D0HqXgOSqJlLFz2muhY16h6Gr+BwVuHnFIv4=; b=UKGNNJxPihSVdDnyfCzDlB+1MVddilSdG2GMCVkiCGZL6D4AXhN/Byg8SWyWW/bnPv ZhR3DWnYrfYRCjJom/Sh/JFBZ7Iwl4epixB/18DbnkFz7yPe8kl55ww3eOTntukb3ppn DJMyUvrIU12QGoinWcbsJ/q0VJC88l8j9qeBE7MvLq2Yj6xHtWBYBAQYNNlPMKQf8Nd5 EqLLTWtOUfsnFNR7Kr+L3uZvlKVeimHI/QULdJTHLV8iEpdDqj4VDcz3s7vCA2nKdmiV f+EQ9zpHVS6KalEcfPgv8DBDc6jw7fnqqMZlQjLHwj9n0GfXXn0NPvHjPnaM1pSMxGxT XLKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dD9fba3D0HqXgOSqJlLFz2muhY16h6Gr+BwVuHnFIv4=; b=E//25EmqGvSZshvoR8k91dQjBWYvNzKKQzw6/9sDk0nJy+jNWVfTcwvgGcHhezziKX iDef3q4USOTRFnMn1IBsNpenINjpjNnrFPxeRnr4cSlKcxopXUut2TfXhpzQqROC2MUJ 1QliENmIyoDyH6sZ4+SclolNksRGKSeLm/WRnICMdMHUB2LYLJVc3N/WQ3nBWlGOIvWA Gt+fxjzzG9DKcv9KzDC6b/GOCspqms5AxeubScuPz9gOz2tFrlWOOJGhOXM1NSFpmCPs OwX0m8Y7gAvFtKafycEnlWs2NZT+ZPHMSlmADJoyfPXP2MwiePAW87EO3s0iZ7Kni8QH 2byQ== X-Gm-Message-State: APjAAAX+p4sWpzYQb7bZkof4JGNslxPwG9foN0kF1wBgPI0qHedWMsBt jbPCGIzcRYhuVuPpkcFn7boNLiFAuBjQSTvF1uVYERCiTN8= X-Received: by 2002:a1c:7907:: with SMTP id l7mr27326507wme.37.1580725840251; Mon, 03 Feb 2020 02:30:40 -0800 (PST) MIME-Version: 1.0 References: <20200130064430.17198-1-walter-zh.wu@mediatek.com> <1580436306.11126.16.camel@mtksdccf07> <1580695544.17006.7.camel@mtksdccf07> In-Reply-To: <1580695544.17006.7.camel@mtksdccf07> From: Alexander Potapenko Date: Mon, 3 Feb 2020 11:30:28 +0100 Message-ID: Subject: Re: [PATCH v3] lib/stackdepot: Fix global out-of-bounds in stackdepot To: Walter Wu Cc: Dmitry Vyukov , Matthias Brugger , Thomas Gleixner , Josh Poimboeuf , Greg Kroah-Hartman , Kate Stewart , LKML , linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, wsd_upstream Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 3, 2020 at 3:05 AM Walter Wu wrote: > > On Fri, 2020-01-31 at 19:11 +0100, Alexander Potapenko wrote: > > On Fri, Jan 31, 2020 at 3:05 AM Walter Wu wrote: > > > > > > On Thu, 2020-01-30 at 13:03 +0100, Alexander Potapenko wrote: > > > > On Thu, Jan 30, 2020 at 7:44 AM Walter Wu wrote: > > > > > > > > Hi Walter, > > > > > > > > > If the depot_index = STACK_ALLOC_MAX_SLABS - 2 and next_slab_inited = 0, > > > > > then it will cause array out-of-bounds access, so that we should modify > > > > > the detection to avoid this array out-of-bounds bug. > > > > > > > > > > Assume depot_index = STACK_ALLOC_MAX_SLABS - 3 > > > > > Consider following call flow sequence: > > > > > > > > > > stack_depot_save() > > > > > depot_alloc_stack() > > > > > if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) //pass > > > > > depot_index++ //depot_index = STACK_ALLOC_MAX_SLABS - 2 > > > > > if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) //enter > > > > > smp_store_release(&next_slab_inited, 0); //next_slab_inited = 0 > > > > > init_stack_slab() > > > > > if (stack_slabs[depot_index] == NULL) //enter and exit > > > > > > > > > > stack_depot_save() > > > > > depot_alloc_stack() > > > > > if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) //pass > > > > > depot_index++ //depot_index = STACK_ALLOC_MAX_SLABS - 1 > > > > > init_stack_slab(&prealloc) > > > > > stack_slabs[depot_index + 1] //here get global out-of-bounds > > > > > > > > > > Cc: Dmitry Vyukov > > > > > Cc: Matthias Brugger > > > > > Cc: Thomas Gleixner > > > > > Cc: Alexander Potapenko > > > > > Cc: Josh Poimboeuf > > > > > Cc: Kate Stewart > > > > > Cc: Greg Kroah-Hartman > > > > > Cc: Kate Stewart > > > > > Signed-off-by: Walter Wu > > > > > --- > > > > > changes in v2: > > > > > modify call flow sequence and preconditon > > > > > > > > > > changes in v3: > > > > > add some reviewers > > > > > --- > > > > > lib/stackdepot.c | 2 +- > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > > > diff --git a/lib/stackdepot.c b/lib/stackdepot.c > > > > > index ed717dd08ff3..7e8a15e41600 100644 > > > > > --- a/lib/stackdepot.c > > > > > +++ b/lib/stackdepot.c > > > > > @@ -106,7 +106,7 @@ static struct stack_record *depot_alloc_stack(unsigned long *entries, int size, > > > > > required_size = ALIGN(required_size, 1 << STACK_ALLOC_ALIGN); > > > > > > > > > > if (unlikely(depot_offset + required_size > STACK_ALLOC_SIZE)) { > > > > > - if (unlikely(depot_index + 1 >= STACK_ALLOC_MAX_SLABS)) { > > > > > + if (unlikely(depot_index + 2 >= STACK_ALLOC_MAX_SLABS)) { > > > > This again means stack_slabs[STACK_ALLOC_MAX_SLABS - 2] gets > > initialized, but stack_slabs[STACK_ALLOC_MAX_SLABS - 1] doesn't, > > because we'll be bailing out from init_stack_slab() from now on. > > Does this patch actually fix the problem (do you have a reliable reproducer?) > We get it by reviewing code, because Kasan doesn't scan it and we catch > another bug internally, we found it unintentionally. > > > This addition of 2 is also counterintuitive, I don't think further > > readers will understand the logic behind it. > > > Yes > > > What if we just check that depot_index + 1 is a valid index before accessing it? > > > It should fix the problem, do you want to send this patch? I've sent the patch. Thanks for the report!