From nobody Thu Aug 24 13:41:09 2023
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RWkkY2qjkz4rB8V;
	Thu, 24 Aug 2023 13:41:09 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4RWkkY2BVCz3gKn;
	Thu, 24 Aug 2023 13:41:09 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1692884469;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=MJars+eqAXepOU6b+uB4/LfCI615HeRdeb+sfkJ+iWQ=;
	b=aymeyNPxk9xruzannATbwjGGh/7CdK7rdx6/jAxGkfP9BenoalfQ2NVLHN47rfBvNR3mlI
	wfzGE8gj/4TGjbHJVZU1Fj2D7+dDMo3mdbT8ZYY3EDyqHqOFLJz/f7vjpPhRP+C0GAwoCX
	ss4Lg9Y3KFoRC4BVHeD63gZzYRwRzYYtcydsSm8wr4lEao+MXxHFyTJT1Fn1wXoVCRsYBn
	gZNkpXnXkRDbSrfDcQXEMRKsIuyi3/8dvuo02j4m2MIxX9MEjjTTgOOdyhDWAy67w1ojEF
	w77MhhkmI33OkAs6gImEczGBE8iWZ0ISs9g5aZrRs5ZMSevgG0w1hRUUIb2dJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1692884469;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=MJars+eqAXepOU6b+uB4/LfCI615HeRdeb+sfkJ+iWQ=;
	b=s6MjH5yWc6Nvpee1Kt6jhZgr+g0ARQBUCdYsPpweQgzjRO0m9wCgtUZZgFf+t9Je1j0rP7
	5RWQd0GAp+jhqtkY85jVpLU2D1BuHy+5YBY2ba7UwwA4knBAXlZ52kKmM07BjMsjezw6Od
	Ow9sCE50OYd/qHmwfcjRnU3RzrHkwKUBQB/c/CKnTHqMWweppUbmjELrCzL5vefjYiXlfo
	RVT2Cf6JynabppD9kTLXGKfz8PkMhg1uPm+ogSlgXTF5+xRqIRpQLjMXz5It80xAsZr+kz
	gLWErPS4NxqtMKjF1M2VOOFviQ4d37PsE9nRKCS65kVNkQXPofjJ4bbXskUJfQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1692884469; a=rsa-sha256; cv=none;
	b=KaFGgUgh8EXoAu4tWeZmetkyd0oB/g7ludimnBoimeueTlzSucB2qTAkr4X86MMCYkDCYl
	OCXHX/LgAmxcK6Y8iYz1kvAoPIB6nwMPBSfYmZHUCMkNQCIFVSQKjgEyNhAKSOw+Y0Pymt
	Nnv8D5Rv5mYbuGBXNxFGGLAMptCalllhpvMoftSfP7FkfQsu87/GCcev4m0sFvNyrW1UGw
	HJGhxJyPzliHR6GxBWcKp7Gw3yVg4qFgWJynhbyCgOlku+OFW3bNO95dL8aRpOA3eYv2Me
	8K987hOKHMpL/6fe1Y2UhUoGPluaYoXSByyde+FLbB4vv/3mlxTdN//4XIr+FQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RWkkY0lB6zTm8;
	Thu, 24 Aug 2023 13:41:09 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 37ODf9Iq023625;
	Thu, 24 Aug 2023 13:41:09 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 37ODf9Tn023622;
	Thu, 24 Aug 2023 13:41:09 GMT
	(envelope-from git)
Date: Thu, 24 Aug 2023 13:41:09 GMT
Message-Id: <202308241341.37ODf9Tn023622@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: d0434eff5786 - stable/13 - arm/unwind: Check stack
  pointer boundaries before dereferencing
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: d0434eff57861d0fbff6e31ea541c08979c99428
Auto-Submitted: auto-generated

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=d0434eff57861d0fbff6e31ea541c08979c99428

commit d0434eff57861d0fbff6e31ea541c08979c99428
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-07-27 19:44:00 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-08-24 13:33:00 +0000

    arm/unwind: Check stack pointer boundaries before dereferencing
    
    If the unwinder somehow ends up with a stack pointer that lies outside
    the stack, then an attempt to dereference can lead to a fault, which
    causes the kernel to panic again and unwind the stack, which leads to a
    fault...
    
    Add kstack_contains() checks at points where we dereference the stack
    pointer.  This avoids the aforementioned infinite loop in one case I hit
    where some OpenSSL assembly code apparently confuses the unwinder.
    
    Reviewed by:    jhb
    MFC after:      2 weeks
    Sponsored by:   Klara, Inc.
    Sponsored by:   Stormshield
    Differential Revision:  https://reviews.freebsd.org/D41210
    
    (cherry picked from commit 1be56e0bb1e8bd8373e446ff9386bcdd764935aa)
---
 sys/arm/arm/unwind.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sys/arm/arm/unwind.c b/sys/arm/arm/unwind.c
index 4a24d8f13fb1..cdc9ef225ee7 100644
--- a/sys/arm/arm/unwind.c
+++ b/sys/arm/arm/unwind.c
@@ -33,6 +33,7 @@
 #include <sys/kernel.h>
 #include <sys/linker.h>
 #include <sys/malloc.h>
+#include <sys/proc.h>
 #include <sys/queue.h>
 #include <sys/systm.h>
 
@@ -368,6 +369,7 @@ unwind_exec_read_byte(struct unwind_state *state)
 static int
 unwind_exec_insn(struct unwind_state *state)
 {
+	struct thread *td = curthread;
 	unsigned int insn;
 	uint32_t *vsp = (uint32_t *)state->registers[SP];
 	int update_vsp = 0;
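Review bot: `td = curthread` binds every check in this function to the calling thread's stack, but struct unwind_state carries only registers, not the thread whose stack is being walked; if unwind_exec_insn() is ever reached while unwinding a thread other than curthread (for instance from a thread-directed stack capture), kstack_contains() compares against the wrong stack and stops the unwind with `return 1` on a perfectly valid frame. Either carry the target thread in struct unwind_state (or pass it as a parameter), or state in a comment that this unwinder only walks the current thread's stack.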
@@ -402,6 +404,10 @@ unwind_exec_insn(struct unwind_state *state)
 		/* Load the registers */
 		for (reg = 4; mask && reg < 16; mask >>= 1, reg++) {
 			if (mask & 1) {
+				if (!kstack_contains(td, (uintptr_t)vsp,
+				    sizeof(*vsp)))
+					return 1;
+
 				state->registers[reg] = *vsp++;
 				state->update_mask |= 1 << reg;
 
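Review bot: the new check is re-run on every set bit of mask even though the pops are contiguous and total popcount(mask) words, and it fires only after earlier iterations have already written state->registers[] and update_mask, so the `return 1` path leaves a half-updated state behind. One check before the loop, sized `sizeof(*vsp) * bitcount32(mask)`, covers the whole run and fails before anything is modified; the same applies to the r0-r3 mask loop at the end of the patch. Style: drop the blank line after `return 1;`, and a short comment on what the caller does with the 1 would help the next reader.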
@@ -428,6 +434,9 @@ unwind_exec_insn(struct unwind_state *state)
 		update_vsp = 1;
 
 		/* Pop the registers */
+		if (!kstack_contains(td, (uintptr_t)vsp,
+		    sizeof(*vsp) * (4 + count)))
+			return 1;
 		for (reg = 4; reg <= 4 + count; reg++) {
 			state->registers[reg] = *vsp++;
 			state->update_mask |= 1 << reg;
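Review bot: the length passed here, `sizeof(*vsp) * (4 + count)`, does not match what the loop reads: `for (reg = 4; reg <= 4 + count; reg++)` pops count + 1 words, so the check demands three words more than are dereferenced. It never under-checks, but a frame whose pops end within the last three words of the kernel stack is rejected with `return 1` although every read is in bounds, which truncates the trace a frame early. Suggest `sizeof(*vsp) * (count + 1)`; if the intent was to also cover the r14 pop below, say so with `(count + 1 + ((insn & INSN_POP_TYPE_MASK) != 0))` and drop the separate r14 check.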
@@ -435,6 +444,8 @@ unwind_exec_insn(struct unwind_state *state)
 
 		/* Check if we are in the pop r14 version */
 		if ((insn & INSN_POP_TYPE_MASK) != 0) {
+			if (!kstack_contains(td, (uintptr_t)vsp, sizeof(*vsp)))
+				return 1;
 			state->registers[14] = *vsp++;
 		}
 
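Review bot: this second check exists only because the one above is sized independently of the pop-r14 variant; folding `((insn & INSN_POP_TYPE_MASK) != 0)` into that word count gives a single check per instruction and avoids a `return 1` after r4..r[4+count] have already been written into state. If it stays as is, note that `state->registers[14] = *vsp++;` is the one pop in this function that does not set the matching update_mask bit; that predates the patch but is worth a look while here.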
@@ -455,6 +466,9 @@ unwind_exec_insn(struct unwind_state *state)
 		/* Load the registers */
 		for (reg = 0; mask && reg < 4; mask >>= 1, reg++) {
 			if (mask & 1) {
+				if (!kstack_contains(td, (uintptr_t)vsp,
+				    sizeof(*vsp)))
+					return 1;
 				state->registers[reg] = *vsp++;
 				state->update_mask |= 1 << reg;
 			}
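The kstack_contains() approach the commit message describes, as an added userspace model that is not FreeBSD's code: struct thread, kstack_contains(), the register file and the 8-word "kernel stack" are constructed stand-ins, and the EHABI pop instructions are modelled as two functions rather than decoded from bytes. It goes a little beyond the patch by sizing one bounds check per instruction from the number of words the instruction will actually read, count + 1 (plus one for r14) for the pop r4-r[4+count] forms and the popcount of the mask for the pop-by-mask forms, so a rejected pop leaves the state untouched and a frame whose pops end exactly at the top of the stack is still accepted.

```c
/* Added example, not FreeBSD code: a userspace model of the bounds-checked
 * register pops the patch adds to the ARM EHABI unwinder.  struct thread,
 * kstack_contains() and the "kernel stack" below are constructed stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NREGS 16
#define SP 13
#define LR 14

struct thread { uintptr_t kstack; size_t kstack_len; };	/* stand-in: stack bounds only */
struct unwind_state {
	uintptr_t registers[NREGS];	/* uintptr_t, not uint32_t, so host pointers fit */
	unsigned update_mask;
};
/* Stand-in for kstack_contains(): is [addr, addr + len) inside td's stack?
 * Compares lengths instead of forming addr + len, so the sum cannot wrap. */
static bool
kstack_contains(const struct thread *td, uintptr_t addr, size_t len)
{
	uintptr_t end = td->kstack + td->kstack_len;
	if (addr < td->kstack || addr >= end)
		return (false);
	return (len <= end - addr);
}

/* EHABI 10100nnn / 10101nnn: pop r4..r[4+count], then r14 if pop_lr.  One
 * check covers every word read: count + 1, plus one for r14.  Returns 1 and
 * leaves the state untouched if any read would fall outside the stack. */
static int
unwind_pop_r4(const struct thread *td, struct unwind_state *state,
    unsigned count, unsigned pop_lr)
{
	uint32_t *vsp = (uint32_t *)state->registers[SP];
	size_t nwords = count + 1 + (pop_lr ? 1 : 0);
	if (!kstack_contains(td, (uintptr_t)vsp, sizeof(*vsp) * nwords))
		return (1);
	for (unsigned reg = 4; reg <= 4 + count; reg++) {
		state->registers[reg] = *vsp++;
		state->update_mask |= 1u << reg;
	}
	if (pop_lr) {
		state->registers[LR] = *vsp++;
		state->update_mask |= 1u << LR;
	}
	state->registers[SP] = (uintptr_t)vsp;
	return (0);
}

/* EHABI pop-by-mask (first_reg 4 for r4-r15, 0 for r0-r3).  The pops are
 * contiguous, so one check sized by the mask's popcount replaces a check per
 * set bit; a popped SP wins over the advanced vsp, as in the real unwinder. */
static int
unwind_pop_mask(const struct thread *td, struct unwind_state *state,
    unsigned first_reg, unsigned mask)
{
	uint32_t *vsp = (uint32_t *)state->registers[SP];
	bool update_vsp = true;
	size_t nwords = 0;
	for (unsigned m = mask; m != 0; m >>= 1)
		nwords += m & 1;
	if (nwords != 0 && !kstack_contains(td, (uintptr_t)vsp, sizeof(*vsp) * nwords))
		return (1);
	for (unsigned reg = first_reg; mask != 0 && reg < NREGS; mask >>= 1, reg++) {
		if ((mask & 1) == 0)
			continue;
		state->registers[reg] = *vsp++;
		state->update_mask |= 1u << reg;
		if (reg == SP)
			update_vsp = false;
	}
	if (update_vsp)
		state->registers[SP] = (uintptr_t)vsp;
	return (0);
}

/* Constructed 8-word "kernel stack" (word i holds 0x1000 + i) and the state
 * left behind by the most recent run(), for inspection. */
static uint32_t kstack[8];
static struct thread td = { 0, sizeof(kstack) };
static struct unwind_state last;

/* Run one pop with SP at word offset off (computed, so off may be out of
 * range).  Returns the new SP as a word offset, or -1 if it was rejected. */
static long
run(size_t off, int (*pop)(const struct thread *, struct unwind_state *,
    unsigned, unsigned), unsigned a, unsigned b)
{
	for (size_t i = 0; i < 8; i++)
		kstack[i] = 0x1000 + (uint32_t)i;
	td.kstack = (uintptr_t)kstack;
	memset(&last, 0, sizeof(last));
	last.registers[SP] = (uintptr_t)kstack + off * sizeof(uint32_t);
	if (pop(&td, &last, a, b) != 0)
		return (-1);
	return ((long)((last.registers[SP] - (uintptr_t)kstack) / sizeof(uint32_t)));
}
```

A pop that would read past the end of the constructed stack (r4-r7 with SP at word 5 of 8, or r4-r7 plus r14 at word 4) returns -1 from run() without dereferencing anything and leaves the register file as it was; the same pops started one word lower succeed and advance SP to word 8, the stack end, which the check still accepts because it tests length against the remaining bytes rather than addr + len against the limit.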