[artful] panic in update_stack_state when reading /proc/<pid>/stack on i386

Bug #1747263 reported by Andy Whitcroft on 2018-02-04
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)

Bug Description

It seems that when reading /proc/<pid>/stack we can sometimes triggers a panic on i386. This is triggered by an unsafe pointer access when validating the stack in the stack unwinder. This is reproducible in a 4 cpu 32bit VM with the stress-ng /proc stressor.

Andy Whitcroft (apw) wrote :
Download full text (3.4 KiB)

The below commit has been confirmed as the fix for this:

commit 62dd86ac01f9fb6386d7f8c6b389c3ea4582a50a
Author: Josh Poimboeuf <email address hidden>
Date: Mon Oct 9 20:20:02 2017 -0500

    x86/unwind: Fix dereference of untrusted pointer

    Tetsuo Handa and Fengguang Wu reported a panic in the unwinder:

      BUG: unable to handle kernel NULL pointer dereference at 000001f2
      IP: update_stack_state+0xd4/0x340
      *pde = 00000000

      Oops: 0000 [#1] PREEMPT SMP
      CPU: 0 PID: 18728 Comm: 01-cpu-hotplug Not tainted 4.13.0-rc4-00170-gb09be67 #592
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
      task: bb0b53c0 task.stack: bb3ac000
      EIP: update_stack_state+0xd4/0x340
      EFLAGS: 00010002 CPU: 0
      EAX: 0000a570 EBX: bb3adccb ECX: 0000f401 EDX: 0000a570
      ESI: 00000001 EDI: 000001ba EBP: bb3adc6b ESP: bb3adc3f
       DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      CR0: 80050033 CR2: 000001f2 CR3: 0b3a7000 CR4: 00140690
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: fffe0ff0 DR7: 00000400
      Call Trace:
       ? unwind_next_frame+0xea/0x400
       ? __unwind_start+0xf5/0x180
       ? __save_stack_trace+0x81/0x160
       ? save_stack_trace+0x20/0x30
       ? __lock_acquire+0xfa5/0x12f0
       ? lock_acquire+0x1c2/0x230
       ? tick_periodic+0x3a/0xf0
       ? _raw_spin_lock+0x42/0x50
       ? tick_periodic+0x3a/0xf0
       ? tick_periodic+0x3a/0xf0
       ? debug_smp_processor_id+0x12/0x20
       ? tick_handle_periodic+0x23/0xc0
       ? local_apic_timer_interrupt+0x63/0x70
       ? smp_trace_apic_timer_interrupt+0x235/0x6a0
       ? trace_apic_timer_interrupt+0x37/0x3c
       ? strrchr+0x23/0x50
      Code: 0f 95 c1 89 c7 89 45 e4 0f b6 c1 89 c6 89 45 dc 8b 04 85 98 cb 74 bc 88 4d e3 89 45 f0 83 c0 01 84 c9 89 04 b5 98 cb 74 bc 74 3b <8b> 47 38 8b 57 34 c6 43 1d 01 25 00 00 02 00 83 e2 03 09 d0 83
      EIP: update_stack_state+0xd4/0x340 SS:ESP: 0068:bb3adc3f
      CR2: 00000000000001f2
      ---[ end trace 0d147fd4aba8ff50 ]---
      Kernel panic - not syncing: Fatal exception in interrupt

    On x86-32, after decoding a frame pointer to get a regs address,
    regs_size() dereferences the regs pointer when it checks regs->cs to see
    if the regs are user mode. This is dangerous because it's possible that
    what looks like a decoded frame pointer is actually a corrupt value, and
    we don't want the unwinder to make things worse.

    Instead of calling regs_size() on an unsafe pointer, just assume they're
    kernel regs to start with. Later, once it's safe to access the regs, we
    can do the user mode check and corresponding safety check for the
    remaining two regs.

    Reported-and-tested-by: Tetsuo Handa <email address hidden>
    Reported-and-tested-by: Fengguang Wu <email address hidden>
    Signed-off-by: Josh Poimboeuf <email address hidden>
    Cc: Byungchul Park <email address hidden>
    Cc: LKP <lkp@01.org>
    Cc: Linus Torvalds <email address hidden>
    Cc: Peter Zijlstra <email address hidden>
    Cc: Thomas Gleixner <email address hidden>


Changed in linux (Ubuntu):
status: New → In Progress
Andy Whitcroft (apw) on 2018-02-04
Changed in linux (Ubuntu):
importance: Undecided → High
Changed in linux (Ubuntu Artful):
status: New → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-artful' to 'verification-done-artful'. If the problem still exists, change the tag 'verification-needed-artful' to 'verification-failed-artful'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-artful
Launchpad Janitor (janitor) wrote :
Download full text (20.1 KiB)

This bug was fixed in the package linux - 4.13.0-36.40

linux (4.13.0-36.40) artful; urgency=medium

  * linux: 4.13.0-36.40 -proposed tracker (LP: #1750010)

  * Rebuild without "CVE-2017-5754 ARM64 KPTI fixes" patch set

linux (4.13.0-35.39) artful; urgency=medium

  * linux: 4.13.0-35.39 -proposed tracker (LP: #1748743)

  * CVE-2017-5715 (Spectre v2 Intel)
    - Revert "UBUNTU: SAUCE: turn off IBPB when full retpoline is present"
    - SAUCE: turn off IBRS when full retpoline is present
    - [Packaging] retpoline files must be sorted
    - [Packaging] pull in retpoline files

linux (4.13.0-34.37) artful; urgency=medium

  * linux: 4.13.0-34.37 -proposed tracker (LP: #1748475)

  * libata: apply MAX_SEC_1024 to all LITEON EP1 series devices (LP: #1743053)
    - libata: apply MAX_SEC_1024 to all LITEON EP1 series devices

  * KVM patches for s390x to provide facility bits 81 (ppa15) and 82 (bpb)
    (LP: #1747090)
    - KVM: s390: wire up bpb feature

  * artful 4.13 i386 kernels crash after memory hotplug remove (LP: #1747069)
    - Revert "mm, memory_hotplug: do not associate hotadded memory to zones until

  * CVE-2017-5715 (Spectre v2 Intel)
    - x86/feature: Enable the x86 feature to control Speculation
    - x86/feature: Report presence of IBPB and IBRS control
    - x86/enter: MACROS to set/clear IBRS and set IBPB
    - x86/enter: Use IBRS on syscall and interrupts
    - x86/idle: Disable IBRS entering idle and enable it on wakeup
    - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
    - x86/mm: Set IBPB upon context switch
    - x86/mm: Only set IBPB when the new thread cannot ptrace current thread
    - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform
    - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
    - x86/kvm: Set IBPB when switching VM
    - x86/kvm: Toggle IBRS on VM entry and exit
    - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
    - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
    - x86/cpu/AMD: Add speculative control support for AMD
    - x86/microcode: Extend post microcode reload to support IBPB feature
    - KVM: SVM: Do not intercept new speculative control MSRs
    - x86/svm: Set IBRS value on VM entry and exit
    - x86/svm: Set IBPB when running a different VCPU
    - KVM: x86: Add speculative control CPUID support for guests
    - SAUCE: turn off IBPB when full retpoline is present

  * Artful 4.13 fixes for tun (LP: #1748846)
    - tun: call dev_get_valid_name() before register_netdevice()
    - tun: allow positive return values on dev_get_valid_name() call
    - tun/tap: sanitize TUNSETSNDBUF input

  * boot failure on AMD Raven + WestonXT (LP: #1742759)
    - SAUCE: drm/amdgpu: add atpx quirk handling (v2)

linux (4.13.0-33.36) artful; urgency=low

  * linux: 4.13.0-33.36 -proposed tracker (LP: #1746903)

  [ Stefan Bader ]
  * starting VMs causing retpoline4 to reboot (LP: #1747507) // CVE-2017-5715
    (Spectre v2 retpoline)
    - x86/retpoline: Fill RSB on context switch for affected CPUs
    - x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
    - x86/retpol...

Changed in linux (Ubuntu Artful):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers