[PATCH v3] powerpc/64: Fix memcmp reading past the end of src/dest
Chandan Rajendra
chandan at linux.ibm.com
Mon Mar 25 17:38:46 AEDT 2019
On Friday, March 22, 2019 6:07:24 PM IST Michael Ellerman wrote:
> Chandan reported that fstests' generic/026 test hit a crash:
>
> BUG: Unable to handle kernel data access at 0xc00000062ac40000
> Faulting instruction address: 0xc000000000092240
> Oops: Kernel access of bad area, sig: 11 [#1]
> LE SMP NR_CPUS=2048 DEBUG_PAGEALLOC NUMA pSeries
> CPU: 0 PID: 27828 Comm: chacl Not tainted 5.0.0-rc2-next-20190115-00001-g6de6dba64dda #1
> NIP: c000000000092240 LR: c00000000066a55c CTR: 0000000000000000
> REGS: c00000062c0c3430 TRAP: 0300 Not tainted (5.0.0-rc2-next-20190115-00001-g6de6dba64dda)
> MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 44000842 XER: 20000000
> CFAR: 00007fff7f3108ac DAR: c00000062ac40000 DSISR: 40000000 IRQMASK: 0
> GPR00: 0000000000000000 c00000062c0c36c0 c0000000017f4c00 c00000000121a660
> GPR04: c00000062ac3fff9 0000000000000004 0000000000000020 00000000275b19c4
> GPR08: 000000000000000c 46494c4500000000 5347495f41434c5f c0000000026073a0
> GPR12: 0000000000000000 c0000000027a0000 0000000000000000 0000000000000000
> GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> GPR20: c00000062ea70020 c00000062c0c38d0 0000000000000002 0000000000000002
> GPR24: c00000062ac3ffe8 00000000275b19c4 0000000000000001 c00000062ac30000
> GPR28: c00000062c0c38d0 c00000062ac30050 c00000062ac30058 0000000000000000
> NIP memcmp+0x120/0x690
> LR xfs_attr3_leaf_lookup_int+0x53c/0x5b0
> Call Trace:
> xfs_attr3_leaf_lookup_int+0x78/0x5b0 (unreliable)
> xfs_da3_node_lookup_int+0x32c/0x5a0
> xfs_attr_node_addname+0x170/0x6b0
> xfs_attr_set+0x2ac/0x340
> __xfs_set_acl+0xf0/0x230
> xfs_set_acl+0xd0/0x160
> set_posix_acl+0xc0/0x130
> posix_acl_xattr_set+0x68/0x110
> __vfs_setxattr+0xa4/0x110
> __vfs_setxattr_noperm+0xac/0x240
> vfs_setxattr+0x128/0x130
> setxattr+0x248/0x600
> path_setxattr+0x108/0x120
> sys_setxattr+0x28/0x40
> system_call+0x5c/0x70
> Instruction dump:
> 7d201c28 7d402428 7c295040 38630008 38840008 408201f0 4200ffe8 2c050000
> 4182ff6c 20c50008 54c61838 7d201c28 <7d402428> 7d293436 7d4a3436 7c295040
>
> The instruction dump decodes as:
> subfic r6,r5,8
> rlwinm r6,r6,3,0,28
> ldbrx r9,0,r3
> ldbrx r10,0,r4 <-
>
> Which shows us doing an 8 byte load from c00000062ac3fff9, which
> crosses the page boundary at c00000062ac40000 and faults.
>
> It's not OK for memcmp to read past the end of the source or
> destination buffers if that would cross a page boundary, because we
> don't know that the next page is mapped.
>
> As pointed out by Segher, we can read past the end of the source or
> destination as long as we don't cross a 4K boundary, because that's
> our minimum page size on all platforms.
>
> The bug is in the code at the .Lcmp_rest_lt8bytes label. When we get
> there we know that s1 is 8-byte aligned and we have at least 1 byte to
> read, so a single 8-byte load won't read past the end of s1 and cross
> a page boundary.
>
> But we have to be more careful with s2. So check if it's within 8
> bytes of a 4K boundary and if so go to the byte-by-byte loop.
>
> Fixes: 2d9ee327adce ("powerpc/64: Align bytes before fall back to .Lshort in powerpc64 memcmp()")
> Cc: stable at vger.kernel.org # v4.19+
> Reported-by: Chandan Rajendra <chandan at linux.ibm.com>
> Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
For unknown reasons, I am unable to recreate this bug on the unmodified
next-20190115 which was the original kernel I had found this bug on.
FWIW, I have executed generic/026 on a next-20190115 kernel with this patch
applied and I wasn't able to recreate the bug. Hence,
Tested-by: Chandan Rajendra <chandan at linux.ibm.com>
--
chandan
More information about the Linuxppc-dev
mailing list