    x86/alternatives: Fix int3_emulate_call() selftest stack corruption · ecc60610
    Peter Zijlstra authored
    KASAN shows the following splat during boot:
    
      BUG: KASAN: unknown-crash in unwind_next_frame+0x3f6/0x490
      Read of size 8 at addr ffffffff84007db0 by task swapper/0
    
      CPU: 0 PID: 0 Comm: swapper Tainted: G                T 5.2.0-rc6-00013-g7457c0da #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      Call Trace:
       dump_stack+0x19/0x1b
       print_address_description+0x1b0/0x2b2
       __kasan_report+0x10f/0x171
       kasan_report+0x12/0x1c
       __asan_load8+0x54/0x81
       unwind_next_frame+0x3f6/0x490
       unwind_next_frame+0x1b/0x23
       arch_stack_walk+0x68/0xa5
       stack_trace_save+0x7b/0xa0
       save_trace+0x3c/0x93
       mark_lock+0x1ef/0x9b1
       lock_acquire+0x122/0x221
       __mutex_lock+0xb6/0x731
       mutex_lock_nested+0x16/0x18
       _vm_unmap_aliases+0x141/0x183
       vm_unmap_aliases+0x14/0x16
       change_page_attr_set_clr+0x15e/0x2f2
       set_memory_4k+0x2a/0x2c
       check_bugs+0x11fd/0x1298
       start_kernel+0x793/0x7eb
       x86_64_start_reservations+0x55/0x76
       x86_64_start_kernel+0x87/0xaa
       secondary_startup_64+0xa4/0xb0
    
      Memory state around the buggy address:
       ffffffff84007c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
       ffffffff84007d00: f1 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3
      >ffffffff84007d80: f3 79 be 52 49 79 be 00 00 00 00 00 00 00 00 f1
    
    It turns out that int3_selftest() is corrupting the stack.  The problem is
    that the KASAN-ified version of int3_magic() is much less trivial than the
    C code appears.  It clobbers several unexpected registers.  So when the
    selftest's INT3 is converted to an emulated call to int3_magic(), the
    registers are clobbered and Bad Things happen when the function returns.
    
    Fix this by converting int3_magic() to the trivial ASM function it should
    be, avoiding all calling convention issues. Also add ASM_CALL_CONSTRAINT to
    the INT3 ASM, since it contains a 'CALL'.
    
    [peterz: cribbed changelog from josh]
    
    Fixes: 7457c0da ("x86/alternatives: Add int3_emulate_call() selftest")
    Reported-by: kernel test robot <rong.a.chen@intel.com>
    Debugged-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Andy Lutomirski <luto@kernel.org>
    Link: https://lkml.kernel.org/r/20190709125744.GB3402@hirez.programming.kicks-ass.net
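The selftest and the emulated CALL the message describes, modelled in user space as an added example (this is not the kernel's code): a SIGTRAP handler stands in for the kernel's INT3 handler, int3_magic() is the trivial asm function the fix calls for, and the "+r"(rsp) operand plays the part of ASM_CALL_CONSTRAINT. Assumes x86-64 Linux with GCC or Clang; the REG_* fallback values are glibc's gregs indices.

```c
#define _GNU_SOURCE            /* REG_RIP/REG_RSP live behind __USE_GNU */
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <ucontext.h>
#ifndef REG_RIP                /* glibc/musl x86-64 gregs indices, if hidden */
#define REG_RSP 15
#define REG_RIP 16
#endif
/* int3_magic() as a trivial asm function: it writes *%rdi and nothing else,
 * so no caller-saved register is clobbered behind the compiler's back (a C
 * body under KASAN would gain __asan_* calls that clobber several). */
__asm__(".text\n.globl int3_magic\n.type int3_magic, @function\n"
        "int3_magic:\n"
        "    movl $1, (%rdi)\n"
        "    ret\n");
void int3_magic(unsigned int *ptr);
/* SIGTRAP handler in the role of the kernel's INT3 handler: make the
 * INT3 behave like "call int3_magic" by pushing the return address (RIP
 * already points past the INT3) and redirecting RIP to int3_magic. */
static void int3_emulate_call(int sig, siginfo_t *si, void *ctx)
{
    greg_t *regs = ((ucontext_t *)ctx)->uc_mcontext.gregs;
    (void)sig; (void)si;
    regs[REG_RSP] -= 8;
    *(uint64_t *)(uintptr_t)regs[REG_RSP] = (uint64_t)regs[REG_RIP];
    regs[REG_RIP] = (greg_t)(uintptr_t)int3_magic;
}

/* Returns 1 when the emulated call reached int3_magic(), 0 otherwise. */
int int3_selftest(void)
{
    register unsigned long current_stack_pointer __asm__("rsp");
    struct sigaction sa, old;
    unsigned int val = 0;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = int3_emulate_call;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGTRAP, &sa, &old);
    /* Step below the 128-byte red zone first: the emulated push lands there
     * and, unlike the kernel (-mno-red-zone), user code may be using it.
     * "+r"(rsp) mirrors the kernel's ASM_CALL_CONSTRAINT: this asm "calls". */
    __asm__ volatile("sub $128, %%rsp\n\tint3\n\tadd $128, %%rsp"
                     : "+r"(current_stack_pointer)
                     : "D"(&val)
                     : "memory", "cc");
    sigaction(SIGTRAP, &old, NULL);
    return val == 1;
}
```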