[RFC PATCH 01/19] powerpc/perf: callchain validate kernel stack pointer bounds

Segher Boessenkool segher at kernel.crashing.org
Sat Nov 5 00:10:28 AEDT 2022


On Mon, Oct 31, 2022 at 03:54:22PM +1000, Nicholas Piggin wrote:
> Could the user set r1 to be equal to the address matching the first
> interrupt frame - STACK_INT_FRAME_SIZE, which is in the previous page
> due to the kernel redzone, and induce the kernel to load the marker from
> there? Possibly it could cause a crash at least.

Yes, the user can set r1 to anything, it is just a general purpose
register.  This isn't a valid thing to do of course, the ABI requires
r1 to point at a valid stack at all times, but it is an obvious attack
point if we do not harden against this :-)


Segher
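The hardening both writers are talking about is a bounds check on the candidate stack pointer before the callchain code dereferences it: a user-controlled r1 must not be allowed to point just below the first interrupt frame (into the previous page) or anywhere else outside the current kernel stack. The following is an added, self-contained C model of such a check and of a back-chain walk that stops at the first frame failing it. It is not code from the patch series or from the thread; the stack size, the STACK_INT_FRAME_SIZE value, the frame layout (back chain at offset 0, saved return address at offset 16) and the constructed return addresses are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed values; the real ones depend on kernel configuration. */
#define THREAD_SIZE          (16 * 1024)
#define STACK_INT_FRAME_SIZE 0x80
#define MAX_DEPTH            64

/* A 16-byte aligned buffer standing in for one kernel thread stack. */
_Alignas(16) static uint64_t stack_mem[THREAD_SIZE / sizeof(uint64_t)];
#define STACK_BASE ((uintptr_t)stack_mem)
#define STACK_TOP  (STACK_BASE + THREAD_SIZE)

/* Accept sp only if nbytes starting at sp lie entirely inside
 * [STACK_BASE, STACK_TOP) and sp has the ABI's 16-byte alignment.
 * The subtraction form avoids overflow when sp + nbytes would wrap. */
bool validate_sp(uintptr_t sp, size_t nbytes)
{
    if (sp & 0xf)
        return false;
    if (sp < STACK_BASE || sp >= STACK_TOP)
        return false;
    if (nbytes > STACK_TOP - sp)
        return false;
    return true;
}

/* Build a constructed chain of n frames, STACK_INT_FRAME_SIZE apart,
 * ending at the top of the stack. Word 0 is the back chain (0 terminates),
 * word 2 (offset 16) holds a constructed return address 0x1000 + i.
 * Returns the innermost sp. */
uintptr_t build_chain(int n)
{
    memset(stack_mem, 0, sizeof stack_mem);
    uintptr_t sp = STACK_TOP - (uintptr_t)n * STACK_INT_FRAME_SIZE;
    uintptr_t cur = sp;
    for (int i = 0; i < n; i++) {
        uint64_t *f = (uint64_t *)cur;
        uintptr_t next = cur + STACK_INT_FRAME_SIZE;
        f[0] = (i == n - 1) ? 0 : (uint64_t)next;
        f[2] = 0x1000 + (uint64_t)i;
        cur = next;
    }
    return sp;
}

/* Follow the back chain, validating every sp before it is dereferenced.
 * Returns the number of return addresses recovered into out[]. */
int walk_chain(uintptr_t sp, uint64_t *out, int max)
{
    int depth = 0;
    while (sp != 0 && depth < max) {
        if (!validate_sp(sp, STACK_INT_FRAME_SIZE))
            break;                      /* refuse to read outside the stack */
        const uint64_t *f = (const uint64_t *)sp;
        out[depth++] = f[2];
        sp = (uintptr_t)f[0];
    }
    return depth;
}

/* The scenario from the thread: a back chain pointing one frame below the
 * stack base. The walk must stop after the one valid frame. */
int walk_with_bad_backchain(void)
{
    uint64_t out[MAX_DEPTH];
    uintptr_t sp = build_chain(2);
    ((uint64_t *)sp)[0] = (uint64_t)(STACK_BASE - STACK_INT_FRAME_SIZE);
    return walk_chain(sp, out, MAX_DEPTH);
}
```

The check is deliberately written as `nbytes > STACK_TOP - sp` rather than `sp + nbytes > STACK_TOP`, so that a very large sp cannot wrap the addition and slip past the comparison; the alignment test rejects the misaligned values a user could place in r1 as well.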
