From 6e2432e60340018555061813cfd6995743028033 Mon Sep 17 00:00:00 2001
From: chenhaixiang
Date: Fri, 25 Oct 2024 23:41:06 -0400
Subject: [PATCH] arm64: Fix again segfault in arm64_is_kernel_exception_frame() when corrupt stack pointer address is given

Signed-off-by: chenhaixiang
(cherry picked from commit e5371d84920bd26167f0d3e6527246f1119fbd62)
---
 ...segfault-in-arm64_is_kernel_exceptio.patch | 47 ++++++++++++
 ...potential-segfault-when-unwind-frame.patch | 71 +++++++++++++++++++
 crash.spec | 8 ++-
 3 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 0006-arm64-Fix-again-segfault-in-arm64_is_kernel_exceptio.patch
 create mode 100644 0007-arm64-fix-a-potential-segfault-when-unwind-frame.patch

diff --git a/0006-arm64-Fix-again-segfault-in-arm64_is_kernel_exceptio.patch b/0006-arm64-Fix-again-segfault-in-arm64_is_kernel_exceptio.patch
new file mode 100644
index 0000000..9c10059
--- /dev/null
+++ b/0006-arm64-Fix-again-segfault-in-arm64_is_kernel_exceptio.patch
@@ -0,0 +1,47 @@
+From 6c8cd9b5dcf48221e5f75fc5850bb4719d77acce Mon Sep 17 00:00:00 2001
+From: HATAYAMA Daisuke
+Date: Wed, 7 Jun 2023 18:37:34 +0900
+Subject: [PATCH] arm64: Fix again segfault in
+ arm64_is_kernel_exception_frame() when corrupt stack pointer address is given
+
+This is the second trial from the commit
+9868ebc8e648e5791764a51567a23efae7170d9b that was reverted at the
+previous commit.
+
+As described in the previous commit, result of STACK_OFFSET_TYPE() can
+be an address out of bt->stackbuf and hence the address needs to be
+checked prior to being referred to as an pt_regs object.
+
+So, to fix the issue, let's check if stkptr points to within the range
+of the kernel stack first.
+
+[ kh: added a warning at Lianbo's suggestion ]
+
+Signed-off-by: HATAYAMA Daisuke
+
+Conflict:NA
+Reference:https://github.com/crash-utility/crash/commit/6c8cd9b5dcf48221e5f75fc5850bb4719d77acce
+---
+ arm64.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arm64.c b/arm64.c
+index efbdccb..67b1a22 100644
+--- a/arm64.c
++++ b/arm64.c
+@@ -2381,6 +2381,12 @@ arm64_is_kernel_exception_frame(struct bt_info *bt, ulong stkptr)
+ struct arm64_pt_regs *regs;
+ struct machine_specific *ms = machdep->machspec;
+
++ if (stkptr > STACKSIZE() && !INSTACK(stkptr, bt)) {
++ if (CRASHDEBUG(1))
++ error(WARNING, "stkptr: %lx is outside the kernel stack range\n", stkptr);
++ return FALSE;
++ }
+
+ regs = (struct arm64_pt_regs *)&bt->stackbuf[(ulong)(STACK_OFFSET_TYPE(stkptr))];
+
+ if (INSTACK(regs->sp, bt) && INSTACK(regs->regs[29], bt) &&
+--
+2.43.0
+
diff --git a/0007-arm64-fix-a-potential-segfault-when-unwind-frame.patch b/0007-arm64-fix-a-potential-segfault-when-unwind-frame.patch
new file mode 100644
index 0000000..e18cb68
--- /dev/null
+++ b/0007-arm64-fix-a-potential-segfault-when-unwind-frame.patch
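Review bot: The new guard in arm64_is_kernel_exception_frame() only validates the start of the object it is about to read: INSTACK() accepts any stkptr inside the stack window (per the 0007 description, between bt->stackbase and bt->stacktop), yet the next line casts that offset into bt->stackbuf to a struct arm64_pt_regs and the following `if` dereferences regs->sp and regs->regs[29], so a stkptr that passes the guard but lies within sizeof(struct arm64_pt_regs) of bt->stacktop still reads past the end of bt->stackbuf. Extending the guard to the end of the object, `if (stkptr > STACKSIZE() && (!INSTACK(stkptr, bt) || stkptr + sizeof(struct arm64_pt_regs) > bt->stacktop))`, closes that case for the address form. The `stkptr > STACKSIZE()` clause lets a value in the small-offset form skip the check entirely; presumably STACK_OFFSET_TYPE() passes such a value through as a raw offset, in which case the same end-of-object bound (`stkptr + sizeof(struct arm64_pt_regs) <= STACKSIZE()`) is worth applying there too — confirm against STACK_OFFSET_TYPE(). The rest of the function, including the remaining terms of that `if`, is outside the hunk.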
@@ -0,0 +1,71 @@
+From af895b219876b293d551e6dec825aba3905c0588 Mon Sep 17 00:00:00 2001
+From: "qiwu.chen"
+Date: Wed, 24 Jul 2024 01:36:09 +0000
+Subject: [PATCH] arm64: fix a potential segfault when unwind frame
+
+The range of frame->fp is checked insufficiently, which may lead to a wrong
+next fp. As a result, bt->stackbuf will be accessed out of range, and segfault.
+
+ crash> bt
+ [Detaching after fork from child process 11409]
+ PID: 7661 TASK: ffffff81858aa500 CPU: 4 COMMAND: "sh"
+ #0 [ffffffc008003f50] local_cpu_stop at ffffffdd7669444c
+
+ Thread 1 "crash" received signal SIGSEGV, Segmentation fault.
+ 0x00005555558266cc in arm64_unwind_frame (bt=0x7fffffffd8f0, frame=0x7fffffffd080) at
+ arm64.c:2821
+ 2821 frame->fp = GET_STACK_ULONG(fp);
+ (gdb) bt
+ arm64.c:2821
+ out>) at main.c:1338
+ gdb_interface.c:81
+ (gdb) p /x *(struct bt_info*) 0x7fffffffd8f0
+ $3 = {task = 0xffffff81858aa500, flags = 0x0, instptr = 0xffffffdd76694450, stkptr =
+ 0xffffffc008003f40, bptr = 0x0, stackbase = 0xffffffc027288000,
+ stacktop = 0xffffffc02728c000, stackbuf = 0x555556115a40, tc = 0x55559d16fdc0, hp = 0x0,
+ textlist = 0x0, ref = 0x0, frameptr = 0xffffffc008003f50,
+ call_target = 0x0, machdep = 0x0, debug = 0x0, eframe_ip = 0x0, radix = 0x0, cpumask =
+ 0x0}
+ (gdb) p /x *(struct arm64_stackframe*) 0x7fffffffd080
+ $4 = {fp = 0xffffffc008003f50, sp = 0xffffffc008003f60, pc = 0xffffffdd76694450}
+ crash> bt -S 0xffffffc008003f50
+ PID: 7661 TASK: ffffff81858aa500 CPU: 4 COMMAND: "sh"
+ bt: non-process stack address for this task: ffffffc008003f50
+ (valid range: ffffffc027288000 - ffffffc02728c000)
+
+Check frame->fp value sufficiently before access it. Only frame->fp within
+the range of bt->stackbase and bt->stacktop will be regarded as valid.
+
+Signed-off-by: qiwu.chen
+
+Conflict:NA
+Reference:https://github.com/crash-utility/crash/commit/af895b219876b293d551e6dec825aba3905c0588
+---
+ arm64.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arm64.c b/arm64.c
+index b3040d7..624dba2 100644
+--- a/arm64.c
++++ b/arm64.c
+@@ -2814,7 +2814,7 @@ arm64_unwind_frame(struct bt_info *bt, struct arm64_stackframe *frame)
+ low = frame->sp;
+ high = (low + stack_mask) & ~(stack_mask);
+
+- if (fp < low || fp > high || fp & 0xf)
++ if (fp < low || fp > high || fp & 0xf || !INSTACK(fp, bt))
+ return FALSE;
+
+ frame->sp = fp + 0x10;
+@@ -3024,7 +3024,7 @@ arm64_unwind_frame_v2(struct bt_info *bt, struct arm64_stackframe *frame,
+ low = frame->sp;
+ high = (low + stack_mask) & ~(stack_mask);
+
+- if (fp < low || fp > high || fp & 0xf)
++ if (fp < low || fp > high || fp & 0xf || !INSTACK(fp, bt))
+ return FALSE;
+
+ if (CRASHDEBUG(1))
+--
+2.43.0
+
diff --git a/crash.spec b/crash.spec
index 95c9ff9..1a9830c 100644
--- a/crash.spec
+++ b/crash.spec
@@ -1,6 +1,6 @@
 Name: crash
 Version: 8.0.2
-Release: 1
+Release: 2
 Summary: Linux kernel crash utility.
 License: GPLv3
 URL: https://crash-utility.github.io
@@ -19,6 +19,8 @@ Patch5: 0004-riscv-support.patch
 %ifarch loongarch64
 Patch6: 0005-crash-add-loongarch-support.patch
 %endif
+Patch7: 0006-arm64-Fix-again-segfault-in-arm64_is_kernel_exceptio.patch
+Patch8: 0007-arm64-fix-a-potential-segfault-when-unwind-frame.patch
 BuildRequires: ncurses-devel zlib-devel lzo-devel snappy-devel texinfo libzstd-devel
 BuildRequires: gcc gcc-c++ bison m4
@@ -84,6 +86,10 @@ install -D -m 0644 defs.h %{buildroot}%{_includedir}/%{name}/defs.h
 %{_mandir}/man8/crash.8*
 %changelog
+* Tue Jul 25 2023 chenhaixiang - 8.0.2-2
+- arm64: Fix again segfault in arm64_is_kernel_exception_frame()
+ when corrupt stack pointer address is given
+
 * Tue Jul 25 2023 chenhaixiang - 8.0.2-1
 - Update from master
--
Gitee
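Review bot: The new `!INSTACK(fp, bt)` term makes both arm64_unwind_frame() and arm64_unwind_frame_v2() return FALSE silently, whereas the matching out-of-range check that 0006 adds to arm64_is_kernel_exception_frame() reports the rejected address under CRASHDEBUG(1); for the case in the commit message the backtrace presumably now just stops after frame #0 with nothing to say why. Emitting the same diagnostic before each `return FALSE;`, `if (CRASHDEBUG(1)) error(WARNING, "fp: %lx is outside the kernel stack range\n", fp);`, keeps the two patches consistent and makes a truncated bt explainable. The four-term condition is now duplicated verbatim in the two functions; a small static helper holding the range test and the warning would keep them from drifting apart. Separately, the spec %changelog entry for 8.0.2-2 in this same commit names only the 0006 fix and is dated Tue Jul 25 2023, although this patch is dated 24 Jul 2024 and is shipped by the same release, so it goes unrecorded. Both functions continue outside the hunk.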