[Crash-utility] [PATCH] Fix a potential segfault for the ARM64 "bt -S <stack-address>" command

陈启武 chenqiwu at xiaomi.com
Mon Nov 4 08:32:21 UTC 2019 

Hi Dave,
I‘m working on arm64 kdump by crash-7.2.7++.
There is a potential segmentation violation due to an invalid exception frame before
transitioning to the process stack when try using the bt command's "-S <stack-address>" options.
For example, take the sp argument from the log:
[   84.048650] pc : _raw_spin_lock+0x30/0x88
[   84.048658] lr : lowmem_scan+0x45c/0xbd0
[   84.048661] sp : ffffff800c42ba00 pstate : 20c00145

A segmentation violation is generated as below:
crash> bt -S ffffff800c42ba00 108
PID: 108    TASK: ffffffcd74122000  CPU: 5   COMMAND: "rtmm_reclaim"
bt: WARNING: cannot determine starting stack frame for task ffffffcd74122000

Program received signal SIGSEGV, Segmentation fault.
0x000055555572de2b in arm64_is_kernel_exception_frame (bt=0x7fffffffd640, stkptr=18446743644915693792) at arm64.c:1785
warning: Source file is more recent than executable.
1785            if (INSTACK(regs->sp, bt) && INSTACK(regs->regs[29], bt) &&
(gdb) bt
#0  0x000055555572de2b in arm64_is_kernel_exception_frame (bt=0x7fffffffd640, stkptr=18446743644915693792) at arm64.c:1785
#1  0x000055555572ffaf in arm64_back_trace_cmd (bt=0x7fffffffd640) at arm64.c:2594
#2  0x00005555556ef0c4 in back_trace (bt=0x7fffffffd640) at kernel.c:3164
#3  0x00005555556ed624 in cmd_bt () at kernel.c:2833
#4  0x000055555564a73b in exec_command () at main.c:879
#5  0x000055555564a515 in main_loop () at main.c:826
#6  0x00005555558b5b43 in captured_command_loop (data=data at entry=0x0) at main.c:258
#7  0x00005555558b46ca in catch_errors (func=func at entry=0x5555558b5b30 <captured_command_loop>, func_args=func_args at entry=0x0,
    errstring=errstring at entry=0x555555b0b728 "", mask=mask at entry=6) at exceptions.c:557
#8  0x00005555558b6c42 in captured_main (data=data at entry=0x7fffffffdfb0) at main.c:1064
#9  0x00005555558b46ca in catch_errors (func=func at entry=0x5555558b5e70 <captured_main>, func_args=func_args at entry=0x7fffffffdfb0,
    errstring=errstring at entry=0x555555b0b728 "", mask=mask at entry=6) at exceptions.c:557
#10 0x00005555558b702e in gdb_main (args=0x7fffffffdfb0) at main.c:1079
#11 gdb_main_entry (argc=<optimized out>, argv=<optimized out>) at main.c:1099
#12 0x000055555570fc53 in gdb_main_loop (argc=2, argv=0x7fffffffe148) at gdb_interface.c:76
#13 0x000055555564a1e0 in main (argc=4, argv=0x7fffffffe148) at main.c:707

(gdb) p /x *(struct bt_info *) 0x7fffffffd640
$4 = {task = 0xffffffcd74122000, flags = 0x0, instptr = 0x0, stkptr = 0xffffff800c42ba00, bptr = 0x0, stackbase = 0xffffff800c428000,
  stacktop = 0xffffff800c42c000, stackbuf = 0x555555f23ae0, tc = 0x5555596e1778, hp = 0x7fffffffd5f0, textlist = 0x0, ref = 0x0, frameptr = 0x0,
  call_target = 0x0, machdep = 0x0, debug = 0x0, eframe_ip = 0x0, radix = 0x0, cpumask = 0x0}

The stackframe.fp(0xffffff9c29e4f8e0) is larger than the stacktop address, so lead to segmentation violation gernarated by accessing regs->sp:
(gdb) p /x 18446743644915693792//stkptr
$5 = 0xffffff9c29e4f8e0
(gdb) p /x 0xffffff9c29e4f8e0-0xffffff800c428000//STACK_OFFSET_TYPE(stkptr)
$6 = 0x1c1da278e0
(gdb) p /x regs
$7 = 0x55717394b3c0
(gdb) p *(struct arm64_pt_regs *) 0x55717394b3c0
Cannot access memory at address 0x55717394b3c0

For fix this, I think it must be add a condition "arm64_in_exception_text(stackframe.pc) && INSTACK(stackframe.fp, bt)" to avoid
an invalid exception frame before transitioning to the process stack.

The patch file has been upload to attachment.
Thanks for your review. I’m looking forward to your favourable reply!

Best regards,
Qiwu

#/******本邮件及其附件含有小米公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮件中的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件! This e-mail and its attachments contain confidential information from XIAOMI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!******/#
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-a-potential-segfault-for-the-ARM64-bt-S-stack-ad.patch
Type: application/octet-stream
Size: 1867 bytes
Desc: 0001-Fix-a-potential-segfault-for-the-ARM64-bt-S-stack-ad.patch
URL: <http://listman.redhat.com/archives/crash-utility/attachments/20191104/c4eb02ad/attachment.obj>

More information about the Crash-utility mailing list