From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sergei Trofimovich, Andrew Morton, Linus Torvalds, Sasha Levin
Subject: [PATCH 5.12 117/363] ia64: module: fix symbolizer crash on fdescr
Date: Mon, 17 May 2021 15:59:43 +0200
Message-Id: <20210517140306.578148094@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210517140302.508966430@linuxfoundation.org>
References: <20210517140302.508966430@linuxfoundation.org>
User-Agent: quilt/0.66

From: Sergei Trofimovich

[ Upstream commit 99e729bd40fb3272fa4b0140839d5e957b58588a ]

Noticed failure as a crash on ia64 when tried to symbolize all backtraces
collected by page_owner=on:

    $ cat /sys/kernel/debug/page_owner
    CPU: 1 PID: 2074 Comm: cat Not tainted 5.12.0-rc4 #226
    Hardware name: hp server rx3600, BIOS 04.03 04/08/2008
    ip is at dereference_module_function_descriptor+0x41/0x100

Crash happens at dereference_module_function_descriptor() due to
use-after-free when dereferencing ".opd" section header.

All section headers are already freed after module is loaded
successfully. To keep symbolizer working the change stores ".opd"
address and size after module is relocated to a new place and before
section headers are discarded.

To make similar errors less obscure module_finalize() now zeroes out all
variables relevant to module loading only.

Link: https://lkml.kernel.org/r/20210403074803.3309096-1-slyfox@gentoo.org
Signed-off-by: Sergei Trofimovich
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
---
 arch/ia64/include/asm/module.h |  6 +++++-
 arch/ia64/kernel/module.c      | 29 +++++++++++++++++++++++++----
 2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/arch/ia64/include/asm/module.h b/arch/ia64/include/asm/module.h index 5a29652e6def..7271b9c5fc76 100644 --- a/arch/ia64/include/asm/module.h +++ b/arch/ia64/include/asm/module.h @@ -14,16 +14,20 @@ struct elf64_shdr; /* forward declration */ struct mod_arch_specific { + /* Used only at module load time. */ struct elf64_shdr *core_plt; /* core PLT section */ struct elf64_shdr *init_plt; /* init PLT section */ struct elf64_shdr *got; /* global offset table */ struct elf64_shdr *opd; /* official procedure descriptors */ struct elf64_shdr *unwind; /* unwind-table section */ unsigned long gp; /* global-pointer for module */ + unsigned int next_got_entry; /* index of next available got entry */ + /* Used at module run and cleanup time. */ void *core_unw_table; /* core unwind-table cookie returned by unwinder */ void *init_unw_table; /* init unwind-table cookie returned by unwinder */ - unsigned int next_got_entry; /* index of next available got entry */ + void *opd_addr; /* symbolize uses .opd to get to actual function */ + unsigned long opd_size; }; #define ARCH_SHF_SMALL SHF_IA_64_SHORT diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c index 00a496cb346f..2cba53c1da82 100644 --- a/arch/ia64/kernel/module.c +++ b/arch/ia64/kernel/module.c 
@@ -905,9 +905,31 @@ register_unwind_table (struct module *mod) int module_finalize (const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, struct module *mod) { + struct mod_arch_specific *mas = &mod->arch; + DEBUGP("%s: init: entry=%p\n", __func__, mod->init); - if (mod->arch.unwind) + if (mas->unwind) register_unwind_table(mod); + + /* + * ".opd" was already relocated to the final destination. Store + * it's address for use in symbolizer. + */ + mas->opd_addr = (void *)mas->opd->sh_addr; + mas->opd_size = mas->opd->sh_size; + + /* + * Module relocation was already done at this point. Section + * headers are about to be deleted. Wipe out load-time context. + */ + mas->core_plt = NULL; + mas->init_plt = NULL; + mas->got = NULL; + mas->opd = NULL; + mas->unwind = NULL; + mas->gp = 0; + mas->next_got_entry = 0; + return 0; } @@ -926,10 +948,9 @@ module_arch_cleanup (struct module *mod) void *dereference_module_function_descriptor(struct module *mod, void *ptr) { - Elf64_Shdr *opd = mod->arch.opd; + struct mod_arch_specific *mas = &mod->arch; - if (ptr < (void *)opd->sh_addr || - ptr >= (void *)(opd->sh_addr + opd->sh_size)) + if (ptr < mas->opd_addr || ptr >= mas->opd_addr + mas->opd_size) return ptr; return dereference_function_descriptor(ptr); -- 2.30.2
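Review bot: in the arch/ia64/include/asm/module.h hunk, `opd_size` is the only member of `struct mod_arch_specific` left without a trailing comment while every neighbouring field has one; something like `unsigned long opd_size; /* size of .opd in bytes, paired with opd_addr */` keeps the struct self-documenting. The two new fields are placed under "Used at module run and cleanup time" but are only written by module_finalize(), so the reordering is correct only if `mod->arch` is zeroed before that point; if it is, the `opd_addr == NULL, opd_size == 0` state makes the range check in dereference_module_function_descriptor() return `ptr` unchanged, which is the safe outcome, and that reliance is worth a one-line comment.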
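Review bot: in the module_finalize() hunk, `mas->opd->sh_addr` and `mas->opd->sh_size` are read with no NULL check on `mas->opd`, so if a module without an ".opd" section can reach this point the new code is a NULL dereference rather than the old use-after-free; either guard the two stores with `if (mas->opd)` or say in the comment that an earlier loader stage already rejects modules lacking ".opd". Minor: "Store it's address" in the new comment should read "its address". The wipe of `mas->unwind` is correctly placed after `register_unwind_table(mod)`, which still needs the section header, and the unwind-table cookies are deliberately left intact for cleanup.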
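Review bot: in the dereference_module_function_descriptor() hunk, `mas->opd_addr + mas->opd_size` is arithmetic on a `void *`, which relies on the GCC extension that treats `sizeof(void)` as 1; the kernel already depends on that extension, but the removed lines did the arithmetic on `sh_addr` (an integer) and cast afterwards, so declaring `opd_addr` as `unsigned long` or casting here would keep the comparison identical in form to the old one. The check's semantics are otherwise unchanged, and with `opd_addr == NULL` and `opd_size == 0` (before module_finalize() has run) every non-NULL `ptr` satisfies `ptr >= mas->opd_addr + mas->opd_size` and is returned untouched, so the lookup now degrades to "no descriptor" instead of reading a freed section header.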