Date: Wed, 23 Feb 2022 01:30:23 +0000
To: Thomas Bogendoerfer
From: Alexander Lobakin
Cc: Alexander Lobakin, "Eric W. Biederman", Mike Rapoport, Davidlohr Bueso, Florian Fainelli, Liam Howlett, Ralf Baechle, Atsushi Nemoto, linux-mips@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH mips-fixes] MIPS: fix fortify panic when copying asm exception handlers
Message-ID: <20220223012338.262041-1-alobakin@pm.me>
X-Mailing-List: linux-kernel@vger.kernel.org

With KCFLAGS="-O3", I was able to trigger a fortify-source memcpy() overflow panic on set_vi_srs_handler(). Although the O3 level is not supported in mainline, under some conditions this may have happened with any optimization settings; it's just a matter of inlining luck.

The panic itself is correct; more precisely, it is 50/50: a false positive and not one at the same time. On the one hand, no real overflow happens. The exception handler defined in asm just gets copied to some reserved places in memory. But the reason behind it is that the C code which refers to that exception handler declares it as `char`, i.e. something 1 byte long. It's obvious that the asm function itself is way more than 1 byte, so the fortify logic thought we were going to write past the declared symbol.

The standard way to refer from C code to asm symbols which are not supposed to be called from C is to declare them as `extern const u8[]`. This is fully correct from any point of view, as any code itself is just a bunch of bytes (including 0 bytes, as it is for syms like _stext/_etext/etc.), and the exact size is not known at compile time.
Adjust the type of the except_vec_vi_*() and related variables. Make set_handler() take `const` as a second argument to avoid cast-away warnings and give a little more room for optimization.

Fixes: e01402b115cc ("More AP / SP bits for the 34K, the Malta bits and things. Still wants")
Fixes: c65a5480ff29 ("[MIPS] Fix potential latency problem due to non-atomic cpu_wait.")
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Alexander Lobakin
---
 arch/mips/include/asm/setup.h |  2 +-
 arch/mips/kernel/traps.c      | 22 +++++++++++-----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/arch/mips/include/asm/setup.h b/arch/mips/include/asm/setup.h index bb36a400203d..8c56b862fd9c 100644 --- a/arch/mips/include/asm/setup.h +++ b/arch/mips/include/asm/setup.h @@ -16,7 +16,7 @@ static inline void setup_8250_early_printk_port(unsigned = long base, =09unsigned int reg_shift, unsigned int timeout) {} #endif -extern void set_handler(unsigned long offset, void *addr, unsigned long le= n); +void set_handler(unsigned long offset, const void *addr, unsigned long len= ); extern void set_uncached_handler(unsigned long offset, void *addr, unsigne= d long len); typedef void (*vi_handler_t)(void); diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c index a486486b2355..246c6a6b0261 100644 --- a/arch/mips/kernel/traps.c +++ b/arch/mips/kernel/traps.c
@@ -2091,19 +2091,19 @@ static void *set_vi_srs_handler(int n, vi_handler_t= addr, int srs) =09=09 * If no shadow set is selected then use the default handler =09=09 * that does normal register saving and standard interrupt exit =09=09 */ -=09=09extern char except_vec_vi, except_vec_vi_lui; -=09=09extern char except_vec_vi_ori, except_vec_vi_end; -=09=09extern char rollback_except_vec_vi; -=09=09char *vec_start =3D using_rollback_handler() ? -=09=09=09&rollback_except_vec_vi : &except_vec_vi; +=09=09extern const u8 except_vec_vi[], except_vec_vi_lui[]; +=09=09extern const u8 except_vec_vi_ori[], except_vec_vi_end[]; +=09=09extern const u8 rollback_except_vec_vi[]; +=09=09const u8 *vec_start =3D using_rollback_handler() ? +=09=09=09=09 rollback_except_vec_vi : except_vec_vi; #if defined(CONFIG_CPU_MICROMIPS) || defined(CONFIG_CPU_BIG_ENDIAN) -=09=09const int lui_offset =3D &except_vec_vi_lui - vec_start + 2; -=09=09const int ori_offset =3D &except_vec_vi_ori - vec_start + 2; +=09=09const int lui_offset =3D except_vec_vi_lui - vec_start + 2; +=09=09const int ori_offset =3D except_vec_vi_ori - vec_start + 2; #else -=09=09const int lui_offset =3D &except_vec_vi_lui - vec_start; -=09=09const int ori_offset =3D &except_vec_vi_ori - vec_start; +=09=09const int lui_offset =3D except_vec_vi_lui - vec_start; +=09=09const int ori_offset =3D except_vec_vi_ori - vec_start; #endif -=09=09const int handler_len =3D &except_vec_vi_end - vec_start; +=09=09const int handler_len =3D except_vec_vi_end - vec_start; =09=09if (handler_len > VECTORSPACING) { =09=09=09/* @@ -2311,7 +2311,7 @@ void per_cpu_trap_init(bool is_boot_cpu) } /* Install CPU exception handler */ -void set_handler(unsigned long offset, void *addr, unsigned long size) +void set_handler(unsigned long offset, const void *addr, unsigned long siz= e) { #ifdef CONFIG_CPU_MICROMIPS =09memcpy((void *)(ebase + offset), ((unsigned char *)addr - 1), size); -- 2.35.1
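Review bot: in the setup.h hunk, set_handler() gains `const void *addr` but `extern void set_uncached_handler(unsigned long offset, void *addr, unsigned long len);` on the very next line stays non-const, so a caller holding one of the new `const u8 *` handler pointers still needs a cast for the uncached variant; suggest constifying both prototypes in the same patch. Dropping `extern` from only one of the two neighbouring declarations also leaves the header inconsistent; either keep it or drop it on both.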
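Review bot: in the @@ -2091 hunk, once except_vec_vi*, except_vec_vi_end and rollback_except_vec_vi are `const u8[]` of unknown extent, __builtin_object_size() can no longer bound the copy at all, so the `if (handler_len > VECTORSPACING)` test right after `const int handler_len = except_vec_vi_end - vec_start;` becomes the only size guard; a one-line comment there saying it is now the sole bound would help the next reader. Note also that lui_offset and ori_offset are still taken from the except_vec_vi_lui/ori labels even when vec_start is rollback_except_vec_vi; that is unchanged behaviour, but worth stating in a comment that both handlers must keep the same layout. The commit message refers to these symbols as except_vec_vi_*(), but this hunk declares them as byte arrays, not functions, so the "()" is misleading.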
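Review bot: in the @@ -2311 hunk, the CONFIG_CPU_MICROMIPS body still reads `memcpy((void *)(ebase + offset), ((unsigned char *)addr - 1), size);`, and `(unsigned char *)addr` now strips the `const` that this hunk adds to the parameter, which is exactly the cast-away the commit message says the change is meant to avoid; use `((const u8 *)addr - 1)` (or `const unsigned char *`) so the qualifier is carried through to the memcpy() source.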
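The difference between the two declaration styles the commit message describes, as an added C example that is not part of this patch or of the kernel tree: a constructed 16-byte blob defined in file-scope asm stands in for the asm exception handler, one declaration views it the pre-patch way (`char`) and another the patched way (`const u8[]`), and `__builtin_object_size()`, the primitive the kernel's fortified memcpy() consults, shows what the checker sees in each case. The label arithmetic and the length guard follow the traps.c hunk. The `vec_demo*` symbols, the `demo_*` functions and the `VECTORSPACING` value are assumptions made for this example, and the blob bytes are made up, not MIPS instructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t u8;

/*
 * Constructed stand-in for an exception handler written in assembly:
 * 16 made-up bytes under the global symbol "vec_demo", with an inner
 * label "vec_demo_mid" and an end label "vec_demo_end", mirroring the
 * except_vec_vi / except_vec_vi_lui / except_vec_vi_end layout.
 */
__asm__(
	".globl vec_demo\n"
	".globl vec_demo_mid\n"
	".globl vec_demo_end\n"
	"vec_demo:\n"
	".byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17\n"
	"vec_demo_mid:\n"
	".byte 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27\n"
	"vec_demo_end:\n"
);

/* Pre-patch style: the same blob declared as a single 'char'. */
extern char vec_demo_as_char __asm__("vec_demo");

/* Patched style: opaque byte arrays whose extent the compiler does not know. */
extern const u8 vec_demo[]     __asm__("vec_demo");
extern const u8 vec_demo_mid[] __asm__("vec_demo_mid");
extern const u8 vec_demo_end[] __asm__("vec_demo_end");

/*
 * What a fortified memcpy() sees as the source object size for each
 * declaration: a 'char' symbol reports 1 byte, so copying the real
 * handler length trips the overflow check; an incomplete array reports
 * (size_t)-1 ("unknown"), so no compile-time bound is asserted.
 */
size_t fortify_size_of_char_decl(void)
{
	return __builtin_object_size(&vec_demo_as_char, 0);
}

size_t fortify_size_of_array_decl(void)
{
	return __builtin_object_size(vec_demo, 0);
}

/* Label arithmetic the way the patched set_vi_srs_handler() does it. */
long demo_handler_len(void)
{
	return vec_demo_end - vec_demo;
}

long demo_mid_offset(void)
{
	return vec_demo_mid - vec_demo;
}

/* Assumed vector slot size for this example (the kernel has its own VECTORSPACING). */
#define VECTORSPACING 0x100

static u8 vector_space[VECTORSPACING]; /* stands in for ebase + offset */

/*
 * set_handler()-like installer with the same length guard the kernel
 * keeps in set_vi_srs_handler(). With byte-array symbols this runtime
 * check is the only bound on the copy. Returns 0 on success, -1 when
 * the handler would not fit in the vector slot.
 */
int demo_set_handler(const void *addr, unsigned long len)
{
	if (len > VECTORSPACING)
		return -1;
	memcpy(vector_space, addr, len);
	return 0;
}

/* Read back an installed byte so the copy can be verified. */
u8 demo_installed_byte(size_t i)
{
	return vector_space[i];
}
```

Because the incomplete-array form reports an unknown size, nothing at compile time stands between the copy and the next vector slot; the `len > VECTORSPACING` test is what enforces the bound, which is why the check the hunk leaves in place matters more after this patch than before it.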