Page MenuHomeFreeBSD
Differential D41677

arm64: initialize pcb in the TBI/PAC/etc. fault case
ClosedPublic
Actions

Authored by kevans on Aug 31 2023, 7:45 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Sep 5, 9:30 AM
Unknown Object (File)
Tue, Sep 3, 4:13 AM
Unknown Object (File)
Sat, Aug 31, 3:29 AM
Unknown Object (File)
Mon, Aug 19, 1:01 AM
Unknown Object (File)
Tue, Aug 13, 4:50 AM
Unknown Object (File)
Tue, Aug 13, 4:48 AM
Unknown Object (File)
Tue, Aug 13, 3:26 AM
Unknown Object (File)
Apr 9 2024, 3:07 PM
View All 27 Files
Subscribers
emaste
imp

Details

Reviewers
markj
andrew
manu
Group Reviewers
arm64
Commits
rG03d104888cae: arm64: initialize pcb in the TBI/PAC/etc. fault case
Summary

After 2c10be9e06d, we may jump to the bad_far label without pcb being
set, resulting in a follow-up fault as we may dereference it immediately
after the jump if td_intr_nesting_level == 0. In this branch, it should
be safe to dereference td as we're not handling the special case
mentioned below of accessing it during promotion/demotion.

This seems to fix a null ptr deref I hit during my most recent pkgbase
build attempt on the Windows DevKit.

Fixes: 2c10be9e06d ("arm64: Handle translation faults for thread [..]")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kevans created this revision.Aug 31 2023, 7:45 PM
Herald added a reviewer: manu. · View Herald TranscriptAug 31 2023, 7:45 PM
Herald added subscribers: emaste, imp. · View Herald Transcript
kevans requested review of this revision.Aug 31 2023, 7:45 PM
Harbormaster completed remote builds in B53381: Diff 126749.Aug 31 2023, 7:45 PM
andrew accepted this revision.Aug 31 2023, 7:52 PM
This revision is now accepted and ready to land.Aug 31 2023, 7:52 PM
markj accepted this revision.Aug 31 2023, 8:30 PM

Seems ok to me, but:

This seems to fix a null ptr deref I hit

Could you please elaborate a bit further? Upon a NULL pointer deref I'd expect FAR to contain 0, in which case we shouldn't take the !ADDR_IS_CANONICAL path.

andrew added inline comments.Aug 31 2023, 8:35 PM
sys/arm64/arm64/trap.c
371

This is the NULL pointer dereference

markj added inline comments.Aug 31 2023, 8:41 PM
sys/arm64/arm64/trap.c
371

How did the original fault arise? PAC is disabled on devkits.

andrew added inline comments.Aug 31 2023, 8:44 PM
sys/arm64/arm64/trap.c
371

It doesn't have to be PAC, just any invalid address that's not in the kernel or user address spaces.

kevans added inline comments.Aug 31 2023, 9:00 PM
sys/arm64/arm64/trap.c
371

Yeah, I suspect I was on the way to a panic anyways based on where the first fault was... currently working on building a functional version of kgdb so that I can confirm the details

kevans added inline comments.Sep 1 2023, 1:52 AM
sys/arm64/arm64/trap.c
371

Ok, I fixed kgdb enough to confirm that I was on the way to a panic, some use-after-free in ZFS so it was trying to deref some offset from 0xdeadc0dedeadc0de, which would fit the bill for non-canonical address. So this wouldn't have actually fixed the panic, but it at least would have revealed the real reason for panicking.

Closed by commit rG03d104888cae: arm64: initialize pcb in the TBI/PAC/etc. fault case (authored by kevans). · Explain WhySep 1 2023, 2:11 AM
This revision was automatically updated to reflect the committed changes.
kevans added a commit: rG03d104888cae: arm64: initialize pcb in the TBI/PAC/etc. fault case.

Revision Contents
Changeset List

PathSize
sys/
arm64/
arm64/
1 line

Diff 126769

View Options

sys/arm64/arm64/trap.c

Loading...