riscv：修复由 irqsoff 延迟跟踪器 (CVE-2022-48922) 引起的 oops

CVE编号

CVE-2022-48922

利用情况

暂无

补丁情况

N/A

披露时间

2024-08-22

漏洞描述

In the Linux kernel, the following vulnerability has been resolved: riscv: fix oops caused by irqsoff latency tracer The trace_hardirqs_{on,off}() require the caller to setup frame pointer properly. This because these two functions use macro 'CALLER_ADDR1' (aka. __builtin_return_address(1)) to acquire caller info. If the $fp is used for other purpose, the code generated this macro (as below) could trigger memory access fault. 0xffffffff8011510e <+80>:ld a1,-16(s0) 0xffffffff80115112 <+84>:ld s2,-8(a1) # <-- paging fault here The oops message during booting if compiled with 'irqoff' tracer enabled: [0.039615][T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8 [0.041925][T0] Oops [#1] [0.042063][T0] Modules linked in: [0.042864][T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29 [0.043568][T0] Hardware name: riscv-virtio,qemu (DT) [0.044343][T0] epc : trace_hardirqs_on+0x56/0xe2 [0.044601][T0] ra : restore_all+0x12/0x6e [0.044721][T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0 [0.044801][T0] gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020 [0.044882][T0] t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 [0.044967][T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 [0.045046][T0] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 [0.045124][T0] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45 [0.045210][T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 [0.045289][T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8 [0.045389][T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000 [0.045474][T0] s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000 [0.045548][T0] t5 : 0000000000000000 t6 : ffffffff814aa368 [0.045620][T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d [0.046402][T0] [<ffffffff80003b94>] restore_all+0x12/0x6e This because the $fp(aka. $s0) register is not used as frame pointer in the assembly entry code. resume_kernel: REG_L s0, TASK_TI_PREEMPT_COUNT(tp) bnez s0, restore_all REG_L s0, TASK_TI_FLAGS(tp) andi s0, s0, _TIF_NEED_RESCHED beqz s0, restore_all call preempt_schedule_irq j restore_all To fix above issue, here we add one extra level wrapper for function trace_hardirqs_{on,off}() so they can be safely called by low level entry code.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://git.kernel.org/stable/c/1851b9a467065b18ec2cba156eea345206df1c8f
https://git.kernel.org/stable/c/22e2100b1b07d6f5acc71cc1acb53f680c677d77
https://git.kernel.org/stable/c/9e2dbc31e367d08ee299a0d8aeb498cb2e12a1c3
https://git.kernel.org/stable/c/b5e180490db4af8c0f80c4b65ee482d333d0e8ee

CVSS3评分 N/A

• 攻击路径 N/A
• 攻击复杂度 N/A
• 权限要求 N/A
• 影响范围 N/A
• 用户交互 N/A
• 可用性 N/A
• 保密性 N/A
• 完整性 N/A

N/A

CWE-ID	漏洞类型

Exp相关链接

- avd.aliyun.com