[Crash-utility] [PATCH] arm64: fix a potential segfault in arm64_unwind_frame

The range of frame->fp is checked insufficiently, which may lead to a wrong
next fp. As a result, bt->stackbuf will be accessed out of range, causing a segfault.

crash> bt
[Detaching after fork from child process 11409]
PID: 7661     TASK: ffffff81858aa500  CPU: 4    COMMAND: "sh"
 #0 [ffffffc008003f50] local_cpu_stop at ffffffdd7669444c

Thread 1 "crash" received signal SIGSEGV, Segmentation fault.
0x00005555558266cc in arm64_unwind_frame (bt=0x7fffffffd8f0, frame=0x7fffffffd080) at arm64.c:2821
2821            frame->fp = GET_STACK_ULONG(fp);
(gdb) bt
#0  0x00005555558266cc in arm64_unwind_frame (bt=0x7fffffffd8f0, frame=0x7fffffffd080) at arm64.c:2821
#1  0x0000555555827527 in arm64_back_trace_cmd (bt=0x7fffffffd8f0) at arm64.c:3306
#2  0x00005555557df7ee in back_trace (bt=0x7fffffffd8f0) at kernel.c:3240
#3  0x00005555557dd748 in cmd_bt () at kernel.c:2881
#4  0x00005555557367fb in exec_command () at main.c:893
#5  0x00005555557365ce in main_loop () at main.c:840
#6  0x0000555555aa4801 in captured_main (data=<optimized out>) at main.c:1284
#7  gdb_main (args=<optimized out>) at main.c:1313
#8  0x0000555555aa4880 in gdb_main_entry (argc=<optimized out>, argv=<optimized out>) at main.c:1338
#9  0x000055555580206f in gdb_main_loop (argc=2, argv=0x7fffffffe248) at gdb_interface.c:81
#10 0x0000555555736291 in main (argc=3, argv=0x7fffffffe248) at main.c:721
(gdb) p /x *(struct bt_info*) 0x7fffffffd8f0
$3 = {task = 0xffffff81858aa500, flags = 0x0, instptr = 0xffffffdd76694450, stkptr = 0xffffffc008003f40, bptr = 0x0, stackbase = 0xffffffc027288000,
  stacktop = 0xffffffc02728c000, stackbuf = 0x555556115a40, tc = 0x55559d16fdc0, hp = 0x0, textlist = 0x0, ref = 0x0, frameptr = 0xffffffc008003f50,
  call_target = 0x0, machdep = 0x0, debug = 0x0, eframe_ip = 0x0, radix = 0x0, cpumask = 0x0}
(gdb) p /x *(struct arm64_stackframe*) 0x7fffffffd080
$4 = {fp = 0xffffffc008003f50, sp = 0xffffffc008003f60, pc = 0xffffffdd76694450}
crash> bt -S 0xffffffc008003f50
PID: 7661     TASK: ffffff81858aa500  CPU: 4    COMMAND: "sh"
bt: non-process stack address for this task: ffffffc008003f50
    (valid range: ffffffc027288000 - ffffffc02728c000)

Check the frame->fp value sufficiently before accessing it. Only a frame->fp within
the range of bt->stackbase and bt->stacktop will be regarded as valid.

Signed-off-by: qiwu.chen <qiwu.chen@xxxxxxxxxxxxx>
---
 arm64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arm64.c b/arm64.c
index b3040d7..b992c01 100644
--- a/arm64.c
+++ b/arm64.c
@@ -2814,7 +2814,7 @@ arm64_unwind_frame(struct bt_info *bt, struct arm64_stackframe *frame)
 	low  = frame->sp;
 	high = (low + stack_mask) & ~(stack_mask);
 
-	if (fp < low || fp > high || fp & 0xf)
+	if (fp < low || fp > high || fp & 0xf || !arm64_is_kernel_exception_frame(bt, fp))
 		return FALSE;
 
 	frame->sp = fp + 0x10;
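Review bot: the added condition does not match what the commit message describes. The message says only an fp within bt->stackbase..bt->stacktop should be accepted, but the hunk instead adds `!arm64_is_kernel_exception_frame(bt, fp)`, which, going by the helper's name, requires every fp reached by the unwinder to look like a kernel exception frame; if that is what it tests, ordinary `{fp, lr}` frames would be rejected and the backtrace would stop after the first frame. The defect shown in the report is that `low`/`high` are derived from frame->sp and stack_mask alone, so an fp sitting on a different stack from bt->stackbase (fp ffffffc008003f50 against stackbase ffffffc027288000) passes and the index into bt->stackbuf is out of range. An explicit range test expresses the intended fix directly, e.g. `if (fp < low || fp > high || fp & 0xf || fp < bt->stackbase || fp + 0x10 > bt->stacktop)`, which also covers the fp+8 read of the saved lr and the `fp == high` boundary that `fp > high` still admits. If arm64_is_kernel_exception_frame is really intended here, the commit message should say why an exception-frame test is the right criterion.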
-- 
2.25.1
--
Crash-utility mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxxxxxx
https://${domain_name}/admin/lists/devel.lists.crash-utility.osci.io/
Contribution Guidelines: https://github.com/crash-utility/crash/wiki
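The failure in this report, reduced to a stand-alone C program. This is an added illustration, not code from crash or from this patch: struct bt_info and struct arm64_stackframe are cut down to the fields the range check needs, the stack size (0x4000) and the addresses are taken from the report, and the stack contents are constructed. It contrasts the pre-patch window check, derived from frame->sp only, with an explicit bt->stackbase..bt->stacktop test, and shows that the fp from the report passes the first and is rejected by the second, while a frame that really is on the task stack still unwinds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t ulong;

/* Assumed, cut-down stand-ins for crash's structs: only the fields used here. */
struct bt_info {
    ulong stackbase;    /* lowest address of the task's kernel stack */
    ulong stacktop;     /* one past its highest address */
    char *stackbuf;     /* local copy of [stackbase, stacktop) */
};

struct arm64_stackframe {
    ulong fp, sp, pc;
};

#define STACK_SIZE 0x4000UL            /* 16 KiB, as in the report */
#define STACK_MASK (STACK_SIZE - 1)

/* Equivalent of the pre-patch condition: a window derived from frame->sp.
 * It says nothing about which stack that window belongs to. */
static bool fp_in_sp_window(const struct arm64_stackframe *frame, ulong fp)
{
    ulong low  = frame->sp;
    ulong high = (low + STACK_MASK) & ~STACK_MASK;

    return !(fp < low || fp > high || (fp & 0xf));
}

/* The check the commit message asks for: fp and the {fp, lr} pair stored
 * there must lie inside [bt->stackbase, bt->stacktop). */
static bool fp_in_task_stack(const struct bt_info *bt, ulong fp)
{
    return fp >= bt->stackbase && fp + 2 * sizeof(ulong) <= bt->stacktop;
}

/* Bounds-checked read from the local stack copy, indexed by addr - stackbase. */
static bool stack_read(const struct bt_info *bt, ulong addr, ulong *out)
{
    if (addr < bt->stackbase || addr + sizeof(ulong) > bt->stacktop)
        return false;
    memcpy(out, bt->stackbuf + (addr - bt->stackbase), sizeof(*out));
    return true;
}

/* Unwind one frame. Returns 1 on success, 0 if the frame was rejected. */
int unwind_frame_checked(const struct bt_info *bt, struct arm64_stackframe *frame)
{
    ulong fp = frame->fp, next_fp, lr;

    if (!fp_in_sp_window(frame, fp) || !fp_in_task_stack(bt, fp))
        return 0;
    if (!stack_read(bt, fp, &next_fp) || !stack_read(bt, fp + 8, &lr))
        return 0;

    frame->sp = fp + 0x10;
    frame->fp = next_fp;
    frame->pc = lr;
    return 1;
}

/* Constructed test stack using the stackbase from the report. */
#define TEST_STACKBASE 0xffffffc027288000UL
static char test_stackbuf[STACK_SIZE];

static struct bt_info make_bt(void)
{
    struct bt_info bt = { TEST_STACKBASE, TEST_STACKBASE + STACK_SIZE, test_stackbuf };
    return bt;
}

/* The report's fp (0xffffffc008003f50) is on another stack: the sp window
 * accepts it, the task-stack check rejects it. Returns 1 if so. */
int demo_foreign_fp_rejected(void)
{
    struct bt_info bt = make_bt();
    struct arm64_stackframe frame = { 0xffffffc008003f50UL, 0xffffffc008003f40UL, 0 };

    return fp_in_sp_window(&frame, frame.fp)
        && !fp_in_task_stack(&bt, frame.fp)
        && unwind_frame_checked(&bt, &frame) == 0;
}

/* A frame inside the task stack still unwinds: plant {fp, lr} at
 * stackbase + 0x3f00 and follow it. Returns the new fp, 0 on rejection. */
ulong demo_valid_frame_unwinds(ulong *pc_out)
{
    struct bt_info bt = make_bt();
    ulong cur_fp  = TEST_STACKBASE + 0x3f00;
    ulong next_fp = TEST_STACKBASE + 0x3f20;
    ulong lr      = 0xffffffdd76694450UL;   /* pc value from the report */
    struct arm64_stackframe frame = { cur_fp, cur_fp - 0x20, 0 };

    memset(test_stackbuf, 0, sizeof(test_stackbuf));
    memcpy(test_stackbuf + (cur_fp - TEST_STACKBASE), &next_fp, sizeof(next_fp));
    memcpy(test_stackbuf + (cur_fp - TEST_STACKBASE) + 8, &lr, sizeof(lr));

    if (!unwind_frame_checked(&bt, &frame))
        return 0;
    if (pc_out)
        *pc_out = frame.pc;
    return frame.fp;
}

int main(void)
{
    ulong pc = 0, fp = demo_valid_frame_unwinds(&pc);
    printf("foreign fp rejected: %d\n", demo_foreign_fp_rejected());
    printf("valid frame -> fp=%#llx pc=%#llx\n", (unsigned long long)fp, (unsigned long long)pc);
    return 0;
}
```

The point of keeping both checks is that they answer different questions: the sp-derived window rejects an fp that moves downward or past the end of whatever stack sp is on, while the stackbase/stacktop test guarantees that the subsequent index into the local stack copy is in bounds, which is the only thing that prevents the out-of-range read in the report.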