On 6/10/21 10:02 AM, Kees Cook wrote: > On Wed, Jun 09, 2021 at 03:12:11PM -0700, Vineet Gupta wrote: >> Currently enabling this triggers a warning >> >> | usercopy: Kernel memory overwrite attempt detected to kernel text (offset >> 155633, size 11)! >> | usercopy: BUG: failure at mm/usercopy.c:99/usercopy_abort()! >> | >> |gcc generated __builtin_trap >> |Path: /bin/busybox >> |CPU: 0 PID: 84 Comm: init Not tainted 5.4.22 >> | >> |[ECR ]: 0x00090005 => gcc generated __builtin_trap >> |[EFA ]: 0x9024fcaa >> |[BLINK ]: usercopy_abort+0x8a/0x8c >> |[ERET ]: memfd_fcntl+0x0/0x470 >> |[STAT32]: 0x80080802 : IE K >> |BTA: 0x901ba38c SP: 0xbe161ecc FP: 0xbf9fe950 >> |LPS: 0x90677408 LPE: 0x9067740c LPC: 0x00000000 >> |r00: 0x0000003c r01: 0xbf0ed280 r02: 0x00000000 >> |r03: 0xbe15fa30 r04: 0x00d2803e r05: 0x00000000 >> |r06: 0x675d7000 r07: 0x00000000 r08: 0x675d9c00 >> |r09: 0x00000000 r10: 0x0000035c r11: 0x61206572 >> |r12: 0x9024fcaa r13: 0x0000000b r14: 0x0000000b >> |r15: 0x00000000 r16: 0x90169ffc r17: 0x90168000 >> |r18: 0x00000000 r19: 0xbf092010 r20: 0x00000001 >> |r21: 0x00000011 r22: 0x5ffffff1 r23: 0x90169ff1 >> |r24: 0xbe196c00 r25: 0xbf0ed280 >> | >> |Stack Trace: >> | memfd_fcntl+0x0/0x470 >> | usercopy_abort+0x8a/0x8c >> | __check_object_size+0x10e/0x138 >> | copy_strings+0x1f4/0x38c >> | __do_execve_file+0x352/0x848 >> | EV_Trap+0xcc/0xd0 > What was the root cause here? Was it that the init section gets freed > and reused for kmalloc?
Right. ARC _stext was encompassing the init section (to cover the init code) so when init gets freed and used by kmalloc, check_kernel_text_object() trips as it thinks the allocated pointer is in kernel .text. Actually I should have added this to changelog. Thx, -Vineet _______________________________________________ linux-snps-arc mailing list linux-snps-arc@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-snps-arc
