releases/5.9.2/x86-dumpstack-fix-misleading-instruction-pointer-err.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 698bb07146fe4443685d9ea48dfb16d07e37e3f6 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Fri, 2 Oct 2020 04:29:16 +0000
 Subject: x86/dumpstack: Fix misleading instruction pointer error message

 From: Mark Mossberg <mark.mossberg@gmail.com>

 [ Upstream commit 238c91115cd05c71447ea071624a4c9fe661f970 ]

 Printing "Bad RIP value" if copy_code() fails can be misleading for
 userspace pointers, since copy_code() can fail if the instruction
 pointer is valid but the code is paged out. This is because copy_code()
 calls copy_from_user_nmi() for userspace pointers, which disables page
 fault handling.

 This is reproducible in OOM situations, where it's plausible that the
 code may be reclaimed in the time between entry into the kernel and when
 this message is printed. This leaves a misleading log in dmesg that
 suggests instruction pointer corruption has occurred, which may alarm
 users.

 Change the message to state the error condition more precisely.

  [ bp: Massage a bit. ]

 Signed-off-by: Mark Mossberg <mark.mossberg@gmail.com>
 Signed-off-by: Borislav Petkov <bp@suse.de>
 Link: https://lkml.kernel.org/r/20201002042915.403558-1-mark.mossberg@gmail.com
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  arch/x86/kernel/dumpstack.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
 index 48ce44576947c..ea8d51ec251bb 100644
 --- a/arch/x86/kernel/dumpstack.c
 +++ b/arch/x86/kernel/dumpstack.c
 @@ -115,7 +115,8 @@ void show_opcodes(struct pt_regs *regs, const char *loglvl)
  	unsigned long prologue = regs->ip - PROLOGUE_SIZE;

  	if (copy_code(regs, opcodes, prologue, sizeof(opcodes))) {
 -		printk("%sCode: Bad RIP value.\n", loglvl);
 +		printk("%sCode: Unable to access opcode bytes at RIP 0x%lx.\n",
 +		       loglvl, prologue);
  	} else {
  		printk("%sCode: %" __stringify(PROLOGUE_SIZE) "ph <%02x> %"
  		       __stringify(EPILOGUE_SIZE) "ph\n", loglvl, opcodes,
 --
 2.25.1
	From 698bb07146fe4443685d9ea48dfb16d07e37e3f6 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Fri, 2 Oct 2020 04:29:16 +0000
	Subject: x86/dumpstack: Fix misleading instruction pointer error message

	From: Mark Mossberg <mark.mossberg@gmail.com>

	[ Upstream commit 238c91115cd05c71447ea071624a4c9fe661f970 ]

	Printing "Bad RIP value" if copy_code() fails can be misleading for
	userspace pointers, since copy_code() can fail if the instruction
	pointer is valid but the code is paged out. This is because copy_code()
	calls copy_from_user_nmi() for userspace pointers, which disables page
	fault handling.

	This is reproducible in OOM situations, where it's plausible that the
	code may be reclaimed in the time between entry into the kernel and when
	this message is printed. This leaves a misleading log in dmesg that
	suggests instruction pointer corruption has occurred, which may alarm
	users.

	Change the message to state the error condition more precisely.

	[ bp: Massage a bit. ]

	Signed-off-by: Mark Mossberg <mark.mossberg@gmail.com>
	Signed-off-by: Borislav Petkov <bp@suse.de>
	Link: https://lkml.kernel.org/r/20201002042915.403558-1-mark.mossberg@gmail.com
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	arch/x86/kernel/dumpstack.c \| 3 ++-
	1 file changed, 2 insertions(+), 1 deletion(-)

	diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
	index 48ce44576947c..ea8d51ec251bb 100644
	--- a/arch/x86/kernel/dumpstack.c
	+++ b/arch/x86/kernel/dumpstack.c
	@@ -115,7 +115,8 @@ void show_opcodes(struct pt_regs regs, const char loglvl)
	unsigned long prologue = regs->ip - PROLOGUE_SIZE;

	if (copy_code(regs, opcodes, prologue, sizeof(opcodes))) {
	- printk("%sCode: Bad RIP value.\n", loglvl);
	+ printk("%sCode: Unable to access opcode bytes at RIP 0x%lx.\n",
	+ loglvl, prologue);
	} else {
	printk("%sCode: %" __stringify(PROLOGUE_SIZE) "ph <%02x> %"
	__stringify(EPILOGUE_SIZE) "ph\n", loglvl, opcodes,
	--
	2.25.1