| field | value | date |
|---|---|---|
| author | James Hogan <james.hogan@imgtec.com> | 2013-10-07 07:14:26 -0400 |
| committer | Ralf Baechle <ralf@linux-mips.org> | 2013-10-07 09:31:04 -0400 |
| commit | 8b3c569a3999a8fd5a819f892525ab5520777c92 (patch) | |
| tree | 1dec3d98b854b4d41195cb2b7566143630421970 | |
| parent | 162bdafa46bfbc10c564de3c1aca2708440181e8 (diff) | |
MIPS: stack protector: Fix per-task canary switch
Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
per task) was merged in v3.11 and introduced assembly in the MIPS resume
functions to update the value of the current canary in
__stack_chk_guard. However it used PTR_L resulting in a load of the
canary value, instead of PTR_LA to construct its address. The value is
intended to be random but is then treated as an address in the
subsequent LONG_S (store).
This was observed to cause a fault and panic:
CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
Oops[#1]:
...
$24 : 139fea20 1e1f7cb6
...
Call Trace:
[<8000cc0c>] resume+0xac/0x118
[<8034f2a4>] __schedule+0x5f8/0x78c
[<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
[<80348eec>] rest_init+0x74/0x84
[<804dc990>] start_kernel+0x43c/0x454
Code: 3c18804b 8f184030 8cb901f8 <af190000> 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc
This can also be forced by modifying
arch/mips/include/asm/stackprotector.h so that the default
__stack_chk_guard value is more likely to be a bad (or unaligned)
pointer.
Fix it to use PTR_LA instead, to load the address of the canary value,
which the LONG_S can then use to write into it.
Reported-by: bobjones (via #mipslinux on IRC)
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Gregory Fong <gregory.0xf0@gmail.com>
Cc: linux-mips@linux-mips.org
Cc: stable@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/6026/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | arch/mips/kernel/octeon_switch.S | 2 |
| -rw-r--r-- | arch/mips/kernel/r2300_switch.S | 2 |
| -rw-r--r-- | arch/mips/kernel/r4k_switch.S | 2 |

3 files changed, 3 insertions, 3 deletions
diff --git a/arch/mips/kernel/octeon_switch.S b/arch/mips/kernel/octeon_switch.S index 4204d76af854..029e002a4ea0 100644 --- a/arch/mips/kernel/octeon_switch.S +++ b/arch/mips/kernel/octeon_switch.S | |||
@@ -73,7 +73,7 @@ | |||
73 | 3: | 73 | 3: |
74 | 74 | ||
75 | #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) | 75 | #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) |
76 | PTR_L t8, __stack_chk_guard | 76 | PTR_LA t8, __stack_chk_guard |
77 | LONG_L t9, TASK_STACK_CANARY(a1) | 77 | LONG_L t9, TASK_STACK_CANARY(a1) |
78 | LONG_S t9, 0(t8) | 78 | LONG_S t9, 0(t8) |
79 | #endif | 79 | #endif |
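Review bot: the one-letter change on the PTR_L line is the whole fix and it is correct as far as the visible lines go: `PTR_LA t8, __stack_chk_guard` now puts the address of the global in t8, so `LONG_S t9, 0(t8)` writes the next task's canary (loaded from `TASK_STACK_CANARY(a1)`) into `__stack_chk_guard` instead of using the random canary value itself as a store address. Since PTR_L and PTR_LA differ by a single letter and the assembler accepts both, a one-line comment above the block saying that t8 must hold the address of the guard, not its contents, would make the intent obvious to the next reader.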
diff --git a/arch/mips/kernel/r2300_switch.S b/arch/mips/kernel/r2300_switch.S index 38af83f84c4a..20b7b040e76f 100644 --- a/arch/mips/kernel/r2300_switch.S +++ b/arch/mips/kernel/r2300_switch.S | |||
@@ -67,7 +67,7 @@ LEAF(resume) | |||
67 | 1: | 67 | 1: |
68 | 68 | ||
69 | #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) | 69 | #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) |
70 | PTR_L t8, __stack_chk_guard | 70 | PTR_LA t8, __stack_chk_guard |
71 | LONG_L t9, TASK_STACK_CANARY(a1) | 71 | LONG_L t9, TASK_STACK_CANARY(a1) |
72 | LONG_S t9, 0(t8) | 72 | LONG_S t9, 0(t8) |
73 | #endif | 73 | #endif |
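Review bot: this is the second of three byte-for-byte identical copies of the canary switch sequence (octeon_switch.S, r2300_switch.S and r4k_switch.S all carry the same PTR_LA / LONG_L / LONG_S triple under the same `#if`), and the original bug had to be fixed in all three places at once. Moving the three instructions into a shared assembler macro in a common header would leave a single place to get right, and a single place to audit, the next time this sequence changes.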
diff --git a/arch/mips/kernel/r4k_switch.S b/arch/mips/kernel/r4k_switch.S index 921238a6bd26..078de5eaca8f 100644 --- a/arch/mips/kernel/r4k_switch.S +++ b/arch/mips/kernel/r4k_switch.S | |||
@@ -69,7 +69,7 @@ | |||
69 | 1: | 69 | 1: |
70 | 70 | ||
71 | #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) | 71 | #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP) |
72 | PTR_L t8, __stack_chk_guard | 72 | PTR_LA t8, __stack_chk_guard |
73 | LONG_L t9, TASK_STACK_CANARY(a1) | 73 | LONG_L t9, TASK_STACK_CANARY(a1) |
74 | LONG_S t9, 0(t8) | 74 | LONG_S t9, 0(t8) |
75 | #endif | 75 | #endif |
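Review bot: the `#if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)` guard around the fixed block means the per-task canary update is compiled out entirely on SMP kernels, where `__stack_chk_guard` therefore keeps its boot-time value for every task; nothing in the hunk says why. A short comment explaining that the guard is a single global shared by all CPUs, so rewriting it on one CPU's context switch cannot be correct for tasks running on the others, would document the limitation for readers who expect per-task canaries on SMP builds too.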