diff options
| author | Catalin Marinas <catalin.marinas@arm.com> | 2009-09-02 17:17:13 +0100 |
|---|---|---|
| committer | Catalin Marinas <catalin.marinas@arm.com> | 2009-09-02 17:17:13 +0100 |
| commit | 47896406c5173f6f03eab9736e1b47220302008b (patch) | |
| tree | 5bd5e3db63b6d819dce6febd3589cde2c1d0d0a6 /arch/arm/kernel | |
| parent | b69c3f804308b0c50f2ca18a0e0170a1ec2e6685 (diff) | |
Add extra checks to ARM unwinder to avoid tracing corrupt stacks
There are situations where the unwinder goes beyond stack boundaries and
unwinds random data. This patch moves the stack boundaries check after
the unwind_exec_insn() call and adds an extra check for possible
infinite loops (like "mov pc, lr" with pc == lr).
The patch also fixes a bug in the unwind instructions interpreter. The
0xb0 instruction can only set PC to LR if this wasn't already set by
a previous instruction (this is used on exceptions taken while in kernel
mode where svc_entry is annotated with ".save {r0 - pc}").
The patch also corrects the FP register number for Thumb-2.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Tony Lindgren <tony@atomide.com>
Diffstat (limited to 'arch/arm/kernel')
| -rw-r--r-- | arch/arm/kernel/unwind.c | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c index 1dedc2c7ff49..39baf1128bfa 100644 --- a/arch/arm/kernel/unwind.c +++ b/arch/arm/kernel/unwind.c @@ -62,7 +62,11 @@ struct unwind_ctrl_block { }; enum regs { +#ifdef CONFIG_THUMB2_KERNEL + FP = 7, +#else FP = 11, +#endif SP = 13, LR = 14, PC = 15 @@ -212,7 +216,8 @@ static int unwind_exec_insn(struct unwind_ctrl_block *ctrl) ctrl->vrs[14] = *vsp++; ctrl->vrs[SP] = (unsigned long)vsp; } else if (insn == 0xb0) { - ctrl->vrs[PC] = ctrl->vrs[LR]; + if (ctrl->vrs[PC] == 0) + ctrl->vrs[PC] = ctrl->vrs[LR]; /* no further processing */ ctrl->entries = 0; } else if (insn == 0xb1) { @@ -309,18 +314,20 @@ int unwind_frame(struct stackframe *frame) } while (ctrl.entries > 0) { - int urc; - - if (ctrl.vrs[SP] < low || ctrl.vrs[SP] >= high) - return -URC_FAILURE; - urc = unwind_exec_insn(&ctrl); + int urc = unwind_exec_insn(&ctrl); if (urc < 0) return urc; + if (ctrl.vrs[SP] < low || ctrl.vrs[SP] >= high) + return -URC_FAILURE; } if (ctrl.vrs[PC] == 0) ctrl.vrs[PC] = ctrl.vrs[LR]; + /* check for infinite loop */ + if (frame->pc == ctrl.vrs[PC]) + return -URC_FAILURE; + frame->fp = ctrl.vrs[FP]; frame->sp = ctrl.vrs[SP]; frame->lr = ctrl.vrs[LR]; @@ -332,7 +339,6 @@ int unwind_frame(struct stackframe *frame) void unwind_backtrace(struct pt_regs *regs, struct task_struct *tsk) { struct stackframe frame; - unsigned long high, low; register unsigned long current_sp asm ("sp"); pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk); @@ -362,9 +368,6 @@ void unwind_backtrace(struct pt_regs *regs, struct task_struct *tsk) frame.pc = thread_saved_pc(tsk); } - low = frame.sp & ~(THREAD_SIZE - 1); - high = low + THREAD_SIZE; - while (1) { int urc; unsigned long where = frame.pc; |