• Jann Horn's avatar
    x86/unwind: Handle NULL pointer calls better in frame unwinder · 367ccafb
    Jann Horn authored
    commit f4f34e1b upstream.
    
    When the frame unwinder is invoked for an oops caused by a call to NULL, it
    currently skips the parent function because BP still points to the parent's
    stack frame; the (nonexistent) current function only has the first half of
    a stack frame, and BP doesn't point to it yet.
    
    Add a special case for IP==0 that calculates a fake BP from SP, then uses
    the real BP for the next frame.
    
    Note that this handles first_frame specially: Return information about the
    parent function as long as the saved IP is >=first_frame, even if the fake
    BP points below it.
    
    With an artificially-added NULL call in prctl_set_seccomp(), before this
    patch, the trace is:
    
    Call Trace:
     ? prctl_set_seccomp+0x3a/0x50
     __x64_sys_prctl+0x457/0x6f0
     ? __ia32_sys_prctl+0x750/0x750
     do_syscall_64+0x72/0x160
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    After this patch, the trace is:
    
    Call Trace:
     prctl_set_seccomp+0x3a/0x50
     __x64_sys_prctl+0x457/0x6f0
     ? __ia32_sys_prctl+0x750/0x750
     do_syscall_64+0x72/0x160
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    Signed-off-by: default avatarJann Horn <jannh@google.com>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Acked-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: syzbot <syzbot+ca95b2b7aef9e7cbd6ab@syzkaller.appspotmail.com>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
    Cc: Michal Marek <michal.lkml@markovi.net>
    Cc: linux-kbuild@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190301031201.7416-1-jannh@google.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    367ccafb
unwind_frame.c 11.4 KB