pve-kernel-lowlatency-qoup/patches/kernel/0140-x86-unwinder-orc-Dont-bail-on-stack-overflow.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Andy Lutomirski <luto@kernel.org>
Date: Mon, 4 Dec 2017 15:07:08 +0100
Subject: [PATCH] x86/unwinder/orc: Dont bail on stack overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

If the stack overflows into a guard page and the ORC unwinder should work
well: by construction, there can't be any meaningful data in the guard page
because no writes to the guard page will have succeeded.

But there is a bug that prevents unwinding from working correctly: if the
starting register state has RSP pointing into a stack guard page, the ORC
unwinder bails out immediately.

Instead of bailing out immediately check whether the next page up is a
valid check page and if so analyze that. As a result the ORC unwinder will
start the unwind.

Tested by intentionally overflowing the task stack.  The result is an
accurate call trace instead of a trace consisting purely of '?' entries.

There are a few other bugs that are triggered if the unwinder encounters a
stack overflow after the first step, but they are outside the scope of this
fix.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bpetkov@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: daniel.gruss@iaik.tugraz.at
Cc: hughd@google.com
Cc: keescook@google.com
Link: https://lkml.kernel.org/r/20171204150604.991389777@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit d3a09104018cf2ad5973dfa8a9c138ef9f5015a3)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit e5c3115ac69cddd384d6f7abc4a0ef030b247498)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/kernel/unwind_orc.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
index 570b70d3f604..cea85bfe93f7 100644
--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -552,8 +552,18 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
 	}
 
 	if (get_stack_info((unsigned long *)state->sp, state->task,
-			   &state->stack_info, &state->stack_mask))
-		return;
+			   &state->stack_info, &state->stack_mask)) {
+		/*
+		 * We weren't on a valid stack.  It's possible that
+		 * we overflowed a valid stack into a guard page.
+		 * See if the next page up is valid so that we can
+		 * generate some kind of backtrace if this happens.
+		 */
+		void *next_page = (void *)PAGE_ALIGN((unsigned long)state->sp);
+		if (get_stack_info(next_page, state->task, &state->stack_info,
+				   &state->stack_mask))
+			return;
+	}
 
 	/*
 	 * The caller can provide the address of the first frame directly
-- 
2.14.2
build: reformat existing patches drop numbers and commit hashes from patch metadata to reduce future patch churn 2018-01-15 14:26:15 +03:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
add KPTI and related patches picked from Ubuntu-4.13.0-23.26 2018-01-06 17:13:39 +03:00			`From: Andy Lutomirski <luto@kernel.org>`
			`Date: Mon, 4 Dec 2017 15:07:08 +0100`
build: reformat existing patches drop numbers and commit hashes from patch metadata to reduce future patch churn 2018-01-15 14:26:15 +03:00			`Subject: [PATCH] x86/unwinder/orc: Dont bail on stack overflow`
add KPTI and related patches picked from Ubuntu-4.13.0-23.26 2018-01-06 17:13:39 +03:00			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`CVE-2017-5754`

			`If the stack overflows into a guard page and the ORC unwinder should work`
			`well: by construction, there can't be any meaningful data in the guard page`
			`because no writes to the guard page will have succeeded.`

			`But there is a bug that prevents unwinding from working correctly: if the`
			`starting register state has RSP pointing into a stack guard page, the ORC`
			`unwinder bails out immediately.`

			`Instead of bailing out immediately check whether the next page up is a`
			`valid check page and if so analyze that. As a result the ORC unwinder will`
			`start the unwind.`

			`Tested by intentionally overflowing the task stack. The result is an`
			`accurate call trace instead of a trace consisting purely of '?' entries.`

			`There are a few other bugs that are triggered if the unwinder encounters a`
			`stack overflow after the first step, but they are outside the scope of this`
			`fix.`

			`Signed-off-by: Andy Lutomirski <luto@kernel.org>`
			`Signed-off-by: Thomas Gleixner <tglx@linutronix.de>`
			`Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>`
			`Cc: Borislav Petkov <bp@alien8.de>`
			`Cc: Borislav Petkov <bpetkov@suse.de>`
			`Cc: Brian Gerst <brgerst@gmail.com>`
			`Cc: Dave Hansen <dave.hansen@intel.com>`
			`Cc: Dave Hansen <dave.hansen@linux.intel.com>`
			`Cc: David Laight <David.Laight@aculab.com>`
			`Cc: Denys Vlasenko <dvlasenk@redhat.com>`
			`Cc: Eduardo Valentin <eduval@amazon.com>`
			`Cc: Greg KH <gregkh@linuxfoundation.org>`
			`Cc: H. Peter Anvin <hpa@zytor.com>`
			`Cc: Josh Poimboeuf <jpoimboe@redhat.com>`
			`Cc: Juergen Gross <jgross@suse.com>`
			`Cc: Linus Torvalds <torvalds@linux-foundation.org>`
			`Cc: Peter Zijlstra <peterz@infradead.org>`
			`Cc: Rik van Riel <riel@redhat.com>`
			`Cc: Will Deacon <will.deacon@arm.com>`
			`Cc: aliguori@amazon.com`
			`Cc: daniel.gruss@iaik.tugraz.at`
			`Cc: hughd@google.com`
			`Cc: keescook@google.com`
			`Link: https://lkml.kernel.org/r/20171204150604.991389777@linutronix.de`
			`Signed-off-by: Ingo Molnar <mingo@kernel.org>`
			`(cherry picked from commit d3a09104018cf2ad5973dfa8a9c138ef9f5015a3)`
			`Signed-off-by: Andy Whitcroft <apw@canonical.com>`
			`Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>`
			`(cherry picked from commit e5c3115ac69cddd384d6f7abc4a0ef030b247498)`
			`Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>`
			`---`
			`arch/x86/kernel/unwind_orc.c \| 14 ++++++++++++--`
			`1 file changed, 12 insertions(+), 2 deletions(-)`

			`diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c`
			`index 570b70d3f604..cea85bfe93f7 100644`
			`--- a/arch/x86/kernel/unwind_orc.c`
			`+++ b/arch/x86/kernel/unwind_orc.c`
			`@@ -552,8 +552,18 @@ void __unwind_start(struct unwind_state state, struct task_struct task,`
			`}`

			`if (get_stack_info((unsigned long *)state->sp, state->task,`
			`- &state->stack_info, &state->stack_mask))`
			`- return;`
			`+ &state->stack_info, &state->stack_mask)) {`
			`+ /*`
			`+ * We weren't on a valid stack. It's possible that`
			`+ * we overflowed a valid stack into a guard page.`
			`+ * See if the next page up is valid so that we can`
			`+ * generate some kind of backtrace if this happens.`
			`+ */`
			`+ void next_page = (void )PAGE_ALIGN((unsigned long)state->sp);`
			`+ if (get_stack_info(next_page, state->task, &state->stack_info,`
			`+ &state->stack_mask))`
			`+ return;`
			`+ }`

			`/*`
			`* The caller can provide the address of the first frame directly`
			`--`
			`2.14.2`