Page MenuHomeFreeBSD
Differential D25996

Check that the frame pointer is within the current stack.
ClosedPublic
Actions

Authored by jhb on Aug 7 2020, 4:17 PM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 25 2024, 9:57 AM
Unknown Object (File)
Oct 5 2024, 8:37 AM
Unknown Object (File)
Oct 5 2024, 1:38 AM
Unknown Object (File)
Oct 4 2024, 11:27 AM
Unknown Object (File)
Sep 28 2024, 3:46 PM
Unknown Object (File)
Sep 28 2024, 3:46 PM
Unknown Object (File)
Sep 28 2024, 3:46 PM
Unknown Object (File)
Sep 28 2024, 3:32 PM
View All 28 Files
Subscribers
andrew
imp
trasz

Details

Reviewers
br
mhorne
Commits
rS364181: Check that the frame pointer is within the current stack.
Summary

This same check is used on other architectures. Previously this would
permit a stack frame to unwind into any arbitrary kernel address
(including unmapped addresses).

Test Plan
  • in a CHERI kernel where the stack uses a pointer with bounds, this was faulting when it tried to read off the end of the stack inside ddb

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb requested review of this revision.Aug 7 2020, 4:17 PM
jhb created this revision.
Harbormaster completed remote builds in B32850: Diff 75577.Aug 7 2020, 4:17 PM
mhorne accepted this revision.Aug 8 2020, 9:17 PM
mhorne added a subscriber: trasz.

I was investigating a panic recently encountered on the Jenkins run of the test suite, and ended up with an identical patch.

While I haven't had any luck reproducing the issue, the excerpt (P412) shows recursive panics in unwind_frame(), so I strongly suspect this is the cause.

Note that arm64 might benefit from this check as well, but that code has been in widespread use for a while now and has seemingly never encountered this.

This revision is now accepted and ready to land.Aug 8 2020, 9:17 PM
jhb added a subscriber: andrew.Aug 12 2020, 8:30 PM
In D25996#576826, @mhorne wrote:

I was investigating a panic recently encountered on the Jenkins run of the test suite, and ended up with an identical patch.

While I haven't had any luck reproducing the issue, the excerpt (P412) shows recursive panics in unwind_frame(), so I strongly suspect this is the cause.

Note that arm64 might benefit from this check as well, but that code has been in widespread use for a while now and has seemingly never encountered this.

arm64 almost certainly needs the same check. Tagging @andrew so he sees this.

Closed by commit rS364181: Check that the frame pointer is within the current stack. (authored by jhb). · Explain WhyAug 12 2020, 8:33 PM
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rS364181: Check that the frame pointer is within the current stack..
Herald added a subscriber: imp. · View Herald TranscriptAug 12 2020, 8:33 PM
andrew added a comment.Aug 13 2020, 8:44 AM

On arm64 we have the following in fork_trampoline to stop unwinding past the top of the stack.

mov     fp, #0  /* Stack traceback stops here. */
jhb added a comment.Aug 13 2020, 6:39 PM
In D25996#578091, @andrew wrote:

On arm64 we have the following in fork_trampoline to stop unwinding past the top of the stack.

mov     fp, #0  /* Stack traceback stops here. */

Yes, but you will want to validate that the frame pointer is contained in td_kstack and not random garbage. It is much nicer to have ddb abort the trace when the frame pointer goes off in the weeds due to the stack being trashed than to have it do a nested fault in ddb, or worse, do a fault in stack_capture() that turns into a kernel panic.

Revision Contents
Changeset List

PathSize
head/
sys/
riscv/
riscv/
13 lines

Diff 75754

View Options

head/sys/riscv/riscv/stack_machdep.c

Loading...