On Mon, 30 Jun 2025 22:56:03 -0400
Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:

> On Mon, 30 Jun 2025 19:10:09 -0700
> Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> > On Mon, 30 Jun 2025 at 17:54, Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> > >
> > > + /* stack going in wrong direction? */
> > > + if (cfa <= state->sp)
> > > + goto done;
> >
> > I suspect this should do a lot more testing.
>
> Sure.

Adding Kees too.

Kees, I'd like to get some security eyes on this code to take a look at it.
As it is making decisions on input from user space, I'd like to have more
security folks looking at this to make sure that some malicious task can't
set up its stack in such a way that it can exploit something here.

The parsing of the sframe code (latest version not yet posted) will need a
similar audit.

Thanks,

-- Steve

>
> > > + /* Find the Return Address (RA) */
> > > + if (get_user(ra, (unsigned long *)(cfa + frame->ra_off)))
> > > + goto done;
> > > +
> > > + if (frame->fp_off && get_user(fp, (unsigned long __user *)(cfa + frame->fp_off)))
> > > + goto done;
> >
> > .. and this should check the frame for validity too. At a minimum it
> > should be properly aligned, but things like "it had better be above
> > the current frame" to avoid having some loop would seem to be a good
> > idea.
>
> Makes sense.
>
> >
> > Maybe even check that it's the same vma?
>
> Hmm, I call on Jens Remus and ask if s390 can do anything whacky here?
> Where something that isn't allowed on other architectures may be allowed
> there? I know s390 has some strange type of stack usage.
>
> -- Steve
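Review bot: the `if (cfa <= state->sp) goto done;` guard only rejects a CFA that moves backwards; it does not check that `cfa` is aligned to `sizeof(unsigned long)`, that it stays within the task's stack VMA, or that it is below some upper bound, so a frame built by user space can still steer `cfa` to any user address. Add an alignment test (`cfa & (sizeof(unsigned long) - 1)`) and an upper-bound or same-VMA test next to this comparison, and cap the number of frames walked so a crafted stack cannot keep the walk running.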
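Review bot: the two get_user() calls cast inconsistently: the RA read uses `(unsigned long *)` while the FP read uses `(unsigned long __user *)`; the first is missing the `__user` annotation and sparse will flag it. More importantly, `fp` is user data, and if it feeds the next frame's CFA nothing in this hunk validates it (alignment, above the current `cfa`, inside the same VMA) before it is used, which is exactly how a saved frame pointer that points back at its own frame produces a loop; validate `fp` immediately after the read, before `ra` and `fp` are committed to the unwind state.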
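As an added example that is not part of this patch or the kernel's unwinder, here is a small user-space model of the frame walk with the checks raised in the thread applied in one place: CFA alignment, CFA strictly above the current sp (which is also what stops a frame whose saved frame pointer points back at itself), CFA inside the one stack VMA, a bounded depth, and bounds-checked reads standing in for get_user(). The frame layout (64-bit, x86-style frame pointer: CFA = fp + 16, RA at CFA - 8, saved fp at CFA - 16), the names (frame_desc, unwind_state, sim_get_user, walk_frames, run_scenario) and the four constructed stacks are assumptions made for illustration only.

```c
/*
 * Added illustration, not the kernel's unwinder. All names are invented and
 * the "user stack" is a constructed array in this process (assumes 64-bit).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES 32

enum cfa_base { CFA_FROM_SP, CFA_FROM_FP };

/* Per-PC unwind rule, in the spirit of the thread's frame->ra_off/fp_off. */
struct frame_desc {
	enum cfa_base base; /* CFA = (sp or fp) + cfa_off */
	long cfa_off;
	long ra_off;        /* return address is at CFA + ra_off */
	long fp_off;        /* saved frame pointer at CFA + fp_off; 0 = not saved */
};

struct unwind_state {
	uintptr_t sp, fp;
	uintptr_t stack_lo, stack_hi; /* the single "VMA" the walk may read */
};

enum unwind_rc { UNW_OK, UNW_BAD_READ, UNW_BAD_ALIGN, UNW_WRONG_DIR,
		 UNW_OUT_OF_VMA, UNW_TOO_DEEP };

/* Stand-in for get_user(): only aligned words inside the stack VMA. */
static bool sim_get_user(const struct unwind_state *st, uintptr_t addr,
			 uintptr_t *out)
{
	if (addr % sizeof(uintptr_t) != 0)
		return false;
	if (addr < st->stack_lo || addr > st->stack_hi - sizeof(uintptr_t))
		return false;
	memcpy(out, (const void *)addr, sizeof(*out));
	return true;
}

/*
 * Walk frames until RA == 0 (constructed end-of-stack marker) or an error.
 * Every value feeding the next CFA came from user memory, so each candidate
 * CFA is checked before anything is read through it or stored in the state.
 */
static int walk_frames(struct unwind_state *st, const struct frame_desc *fd,
		       uintptr_t *ras, int max, enum unwind_rc *rc)
{
	int n = 0;

	*rc = UNW_OK;
	for (;;) {
		uintptr_t base = fd->base == CFA_FROM_SP ? st->sp : st->fp;
		uintptr_t cfa = base + fd->cfa_off;
		uintptr_t ra, fp = 0;

		if (n == max)                     { *rc = UNW_TOO_DEEP;   break; }
		if (cfa % sizeof(uintptr_t) != 0) { *rc = UNW_BAD_ALIGN;  break; }
		if (cfa <= st->sp)                { *rc = UNW_WRONG_DIR;  break; } /* backwards or loop */
		if (cfa > st->stack_hi)           { *rc = UNW_OUT_OF_VMA; break; }
		if (!sim_get_user(st, cfa + fd->ra_off, &ra))               { *rc = UNW_BAD_READ; break; }
		if (fd->fp_off && !sim_get_user(st, cfa + fd->fp_off, &fp)) { *rc = UNW_BAD_READ; break; }
		if (ra == 0)
			break;
		ras[n++] = ra;
		st->sp = cfa;
		if (fd->fp_off)
			st->fp = fp;
	}
	return n;
}

enum scenario { SC_BENIGN, SC_SELF_LOOP, SC_MISALIGNED, SC_ESCAPES_VMA };

/* Constructed 128-byte "user stack" of three frames, [saved fp][ra] each. */
static int run_scenario(enum scenario sc, enum unwind_rc *rc)
{
	static const struct frame_desc fp_rule = { CFA_FROM_FP, 16, -8, -16 };
	uintptr_t stack[16] = { 0 };
	uintptr_t ras[MAX_FRAMES];
	struct unwind_state st;

	stack[0] = (uintptr_t)&stack[2]; stack[1] = 0x1001;
	stack[2] = (uintptr_t)&stack[4]; stack[3] = 0x1002;
	stack[4] = (uintptr_t)&stack[6]; stack[5] = 0x1003;
	/* stack[6..7]: saved fp 0, ra 0 = outermost frame */

	switch (sc) {
	case SC_BENIGN:      break;
	case SC_SELF_LOOP:   stack[0] = (uintptr_t)&stack[0];     break; /* fp -> its own frame */
	case SC_MISALIGNED:  stack[0] = (uintptr_t)&stack[2] + 4; break; /* fp not word-aligned */
	case SC_ESCAPES_VMA: stack[0] = (uintptr_t)stack + sizeof(stack) + 16; break; /* fp past the stack */
	}
	st.sp = st.fp = (uintptr_t)&stack[0];
	st.stack_lo = (uintptr_t)stack;
	st.stack_hi = st.stack_lo + sizeof(stack);
	return walk_frames(&st, &fp_rule, ras, MAX_FRAMES, rc);
}

static enum unwind_rc scenario_rc(enum scenario sc) { enum unwind_rc rc; run_scenario(sc, &rc); return rc; }
static int scenario_depth(enum scenario sc) { enum unwind_rc rc; return run_scenario(sc, &rc); }

int main(void)
{
	static const char *names[] = { "benign", "self-loop", "misaligned", "escapes-vma" };
	for (int sc = SC_BENIGN; sc <= SC_ESCAPES_VMA; sc++) {
		enum unwind_rc rc;
		int n = run_scenario((enum scenario)sc, &rc);
		printf("%-12s frames=%d rc=%d\n", names[sc], n, rc);
	}
	return 0;
}
```

The benign stack yields three return addresses and stops cleanly at the RA == 0 marker; the self-referencing frame pointer is caught by the `cfa <= sp` test on the second iteration rather than spinning until the depth cap, the misaligned pointer by the alignment test, and the pointer beyond the stack by the VMA bound. The same discipline (validate every offset and pointer before it is dereferenced or used to derive the next one) is what the sframe parser mentioned above will need, since its tables are likewise user-supplied input.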