Page MenuHomeFreeBSD
Differential D41677

arm64: initialize pcb in the TBI/PAC/etc. fault case
ClosedPublic
Actions

Authored by kevans on Aug 31 2023, 7:45 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Jan 9, 12:48 PM
Unknown Object (File)
Dec 3 2024, 9:08 AM
Unknown Object (File)
Nov 12 2024, 5:35 PM
Unknown Object (File)
Nov 7 2024, 4:09 AM
Unknown Object (File)
Nov 3 2024, 2:10 AM
Unknown Object (File)
Oct 21 2024, 12:52 PM
Unknown Object (File)
Oct 21 2024, 12:52 PM
Unknown Object (File)
Oct 21 2024, 12:52 PM
View All 43 Files
Subscribers
emaste
imp

Details

Reviewers
markj
andrew
manu
Group Reviewers
arm64
Commits
rG03d104888cae: arm64: initialize pcb in the TBI/PAC/etc. fault case
Summary

After 2c10be9e06d, we may jump to the bad_far label without pcb being
set, resulting in a follow-up fault as we may dereference it immediately
after the jump if td_intr_nesting_level == 0. In this branch, it should
be safe to dereference td as we're not handling the special case
mentioned below of accessing it during promotion/demotion.

This seems to fix a null ptr deref I hit during my most recent pkgbase
build attempt on the Windows DevKit.

Fixes: 2c10be9e06d ("arm64: Handle translation faults for thread [..]")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kevans created this revision.Aug 31 2023, 7:45 PM
Herald added a reviewer: manu. · View Herald TranscriptAug 31 2023, 7:45 PM
Herald added subscribers: emaste, imp. · View Herald Transcript
kevans requested review of this revision.Aug 31 2023, 7:45 PM
Harbormaster completed remote builds in B53381: Diff 126749.Aug 31 2023, 7:45 PM
andrew accepted this revision.Aug 31 2023, 7:52 PM
This revision is now accepted and ready to land.Aug 31 2023, 7:52 PM
markj accepted this revision.Aug 31 2023, 8:30 PM

Seems ok to me, but:

This seems to fix a null ptr deref I hit

Could you please elaborate a bit further? Upon a NULL pointer deref I'd expect FAR to contain 0, in which case we shouldn't take the !ADDR_IS_CANONICAL path.

andrew added inline comments.Aug 31 2023, 8:35 PM
sys/arm64/arm64/trap.c
371

This is the NULL pointer dereference

markj added inline comments.Aug 31 2023, 8:41 PM
sys/arm64/arm64/trap.c
371

How did the original fault arise? PAC is disabled on devkits.

andrew added inline comments.Aug 31 2023, 8:44 PM
sys/arm64/arm64/trap.c
371

It doesn't have to be PAC, just any invalid address that's not in the kernel or user address spaces.

kevans added inline comments.Aug 31 2023, 9:00 PM
sys/arm64/arm64/trap.c
371

Yeah, I suspect I was on the way to a panic anyways based on where the first fault was... currently working on building a functional version of kgdb so that I can confirm the details

kevans added inline comments.Sep 1 2023, 1:52 AM
sys/arm64/arm64/trap.c
371

Ok, I fixed kgdb enough to confirm that I was on the way to a panic, some use-after-free in ZFS so it was trying to deref some offset from 0xdeadc0dedeadc0de, which would fit the bill for non-canonical address. So this wouldn't have actually fixed the panic, but it at least would have revealed the real reason for panicking.

Closed by commit rG03d104888cae: arm64: initialize pcb in the TBI/PAC/etc. fault case (authored by kevans). · Explain WhySep 1 2023, 2:11 AM
This revision was automatically updated to reflect the committed changes.
kevans added a commit: rG03d104888cae: arm64: initialize pcb in the TBI/PAC/etc. fault case.

Revision Contents
Changeset List

PathSize
sys/
arm64/
arm64/
1 line

Diff 126769

View Options

sys/arm64/arm64/trap.c

Loading...