Thread: 54 messages, 12 authors, 2017-07-24

Re: KASAN vs. boot-time switching between 4- and 5-level paging

From: Andrey Ryabinin <hidden>
Date: 2017-07-11 15:13:37
Also in: linux-arch, lkml


On 07/11/2017 06:06 PM, Andy Lutomirski wrote:
> On Tue, Jul 11, 2017 at 3:35 AM, Kirill A. Shutemov
> [off-list ref] wrote:
>> On Mon, Jul 10, 2017 at 05:30:38PM -0700, Andy Lutomirski wrote:
>>> On Mon, Jul 10, 2017 at 2:24 PM, Kirill A. Shutemov
>>> [off-list ref] wrote:
>>>> On Mon, Jul 10, 2017 at 01:07:13PM -0700, Andy Lutomirski wrote:
>>>>> Can you give the disassembly of the backtrace lines?  Blaming the
>>>>> .endr doesn't make much sense to me.
>>>> I don't have a backtrace. It's before printk() is functional. I only see
>>>> a triple fault and reboot.
>>>>
>>>> I had to rely on qemu tracing and gdb.
>>> Can you ask GDB or objtool to disassemble around those addresses?  Can
>>> you also attach the big dump that QEMU throws out that shows register
>>> state?  In particular, CR2, CR3, and CR4 could be useful.
>> The last three exceptions:
>>
>> check_exception old: 0xffffffff new 0xe, cr2: 0xffffffff7ffffff8, rip: 0xffffffff84bb3036
>> RAX=00000000ffffffff RBX=ffffffff800000d8 RCX=ffffffff84be4021 RDX=dffffc0000000000
>> RSI=0000000000000006 RDI=ffffffff84c57000 RBP=ffffffff800000c8 RSP=ffffffff80000000
> So RSP was 0xffffffff80000000, a push happened, and we tried to write
> to 0xffffffff7ffffff8, which failed.
>
>> check_exception old: 0xe new 0xe, cr2: 0xffffffff7ffffff8, rip: 0xffffffff84bb3141
>> RAX=00000000ffffffff RBX=ffffffff800000d8 RCX=ffffffff84be4021 RDX=dffffc0000000000
>> RSI=0000000000000006 RDI=ffffffff84c57000 RBP=ffffffff800000c8 RSP=ffffffff80000000
> And #PF doesn't use IST, so it double-faulted.
>
> Either the stack isn't mapped in the page tables, RSP is corrupt, or
> there's a genuine stack overflow here.
I reproduced this, and this is a kasan bug:

    0xffffffff84864897 <x86_early_init_platform_quirks+5>   mov    $0xffffffff83f1d0b8,%rdi
    0xffffffff8486489e <x86_early_init_platform_quirks+12>  movabs $0xdffffc0000000000,%rax
    0xffffffff848648a8 <x86_early_init_platform_quirks+22>  push   %rbp
    0xffffffff848648a9 <x86_early_init_platform_quirks+23>  mov    %rdi,%rdx
    0xffffffff848648ac <x86_early_init_platform_quirks+26>  shr    $0x3,%rdx
    0xffffffff848648b0 <x86_early_init_platform_quirks+30>  mov    %rsp,%rbp
 => 0xffffffff848648b3 <x86_early_init_platform_quirks+33>  mov    (%rdx,%rax,1),%al

We crash on the last mov, which is a read from the shadow:

(gdb) p/x $rdx
$1 = 0x1ffffffff07e3a17
(gdb) p/x $rax
$2 = 0xdffffc0000000000

(gdb) p/x 0xdffffc0000000000 + 0x1ffffffff07e3a17
$4 = 0xfffffbfff07e3a17
(gdb) p/x *0xfffffbfff07e3a17
Cannot access memory at address 0xfffffbfff07e3a17
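The shadow arithmetic that the disassembly above performs (shr $3, then add the offset held in %rax), as an added example that is not part of the thread: it reproduces the gdb computation for the %rdi value from the crash and checks where the resulting shadow address sits relative to the 4-level x86-64 KASAN shadow region. The kernel-half start 0xffff800000000000 used to derive that region is the standard 48-bit x86-64 value, not a value taken from the messages.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* x86-64 KASAN shadow offset, the constant loaded into %rax above. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

/* Start of the kernel half of the 4-level (48-bit) x86-64 address space
 * (assumption for this example: standard value, not from the thread). */
#define KERNEL_SPACE_START_4L    0xffff800000000000ULL

/* Same arithmetic as "shr $0x3,%rdx; mov (%rdx,%rax,1),%al":
 * shadow = (addr >> 3) + KASAN_SHADOW_OFFSET, wrapping modulo 2^64. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: the 8-byte-aligned address a shadow byte covers. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* The 4-level shadow region is the image of the whole kernel half of the
 * address space under the same formula: [shadow(start), shadow(~0)]. */
static uint64_t kasan_shadow_start_4l(void) { return kasan_mem_to_shadow(KERNEL_SPACE_START_4L); }
static uint64_t kasan_shadow_end_4l(void)   { return kasan_mem_to_shadow(UINT64_MAX); }

static bool in_kasan_shadow_4l(uint64_t shadow)
{
    return shadow >= kasan_shadow_start_4l() && shadow <= kasan_shadow_end_4l();
}

int main(void)
{
    uint64_t addr = 0xffffffff83f1d0b8ULL;          /* %rdi from the crash above */
    uint64_t shadow = kasan_mem_to_shadow(addr);
    printf("addr %#llx -> shadow %#llx (%s the 4-level shadow region)\n",
           (unsigned long long)addr, (unsigned long long)shadow,
           in_kasan_shadow_4l(shadow) ? "inside" : "outside");
    printf("4-level shadow region: %#llx - %#llx\n",
           (unsigned long long)kasan_shadow_start_4l(),
           (unsigned long long)kasan_shadow_end_4l());
    return 0;
}
```

The shadow address it prints for %rdi is the 0xfffffbfff07e3a17 that gdb could not read, and it lies inside the shadow region, so the fault is a shadow page that is not yet mapped rather than a miscomputed address.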
