When checking for the valid value of the frame pointer, verify that it
belongs to the kernel stack address range for the thread. Right now, code checks that new frame is not farther then KSTACK_PAGES pages from the current frame, which allows the address to point past the top of the stack. Reviewed by: andrew, emaste, markj Differential revision: https://reviews.freebsd.org/D3108 Sponsored by: The FreeBSD Foundation MFC after: 2 weeks
This commit is contained in:
parent
2eb95738be
commit
67db66d5ea
@ -40,7 +40,7 @@ __FBSDID("$FreeBSD$");
|
||||
#include <vm/pmap.h>
|
||||
|
||||
static void
|
||||
stack_capture(struct stack *st, register_t rbp)
|
||||
stack_capture(struct thread *td, struct stack *st, register_t rbp)
|
||||
{
|
||||
struct amd64_frame *frame;
|
||||
vm_offset_t callpc;
|
||||
@ -56,8 +56,8 @@ stack_capture(struct stack *st, register_t rbp)
|
||||
if (stack_put(st, callpc) == -1)
|
||||
break;
|
||||
if (frame->f_frame <= frame ||
|
||||
(vm_offset_t)frame->f_frame >=
|
||||
(vm_offset_t)rbp + KSTACK_PAGES * PAGE_SIZE)
|
||||
(vm_offset_t)frame->f_frame >= td->td_kstack +
|
||||
td->td_kstack_pages * PAGE_SIZE)
|
||||
break;
|
||||
frame = frame->f_frame;
|
||||
}
|
||||
@ -74,7 +74,7 @@ stack_save_td(struct stack *st, struct thread *td)
|
||||
panic("stack_save_td: running");
|
||||
|
||||
rbp = td->td_pcb->pcb_rbp;
|
||||
stack_capture(st, rbp);
|
||||
stack_capture(td, st, rbp);
|
||||
}
|
||||
|
||||
void
|
||||
@ -83,5 +83,5 @@ stack_save(struct stack *st)
|
||||
register_t rbp;
|
||||
|
||||
__asm __volatile("movq %%rbp,%0" : "=r" (rbp));
|
||||
stack_capture(st, rbp);
|
||||
stack_capture(curthread, st, rbp);
|
||||
}
|
||||
|
@ -89,8 +89,8 @@ dtrace_getpcstack(pc_t *pcstack, int pcstack_limit, int aframes,
|
||||
}
|
||||
|
||||
if (frame->f_frame <= frame ||
|
||||
(vm_offset_t)frame->f_frame >=
|
||||
(vm_offset_t)rbp + KSTACK_PAGES * PAGE_SIZE)
|
||||
(vm_offset_t)frame->f_frame >= curthread->td_kstack +
|
||||
curthread->td_kstack_pages * PAGE_SIZE)
|
||||
break;
|
||||
frame = frame->f_frame;
|
||||
}
|
||||
@ -469,8 +469,8 @@ dtrace_getstackdepth(int aframes)
|
||||
break;
|
||||
depth++;
|
||||
if (frame->f_frame <= frame ||
|
||||
(vm_offset_t)frame->f_frame >=
|
||||
(vm_offset_t)rbp + KSTACK_PAGES * PAGE_SIZE)
|
||||
(vm_offset_t)frame->f_frame >= curthread->td_kstack +
|
||||
curthread->td_kstack_pages * PAGE_SIZE)
|
||||
break;
|
||||
frame = frame->f_frame;
|
||||
}
|
||||
|
@ -92,8 +92,8 @@ dtrace_getpcstack(pc_t *pcstack, int pcstack_limit, int aframes,
|
||||
}
|
||||
|
||||
if (frame->f_frame <= frame ||
|
||||
(vm_offset_t)frame->f_frame >=
|
||||
(vm_offset_t)ebp + KSTACK_PAGES * PAGE_SIZE)
|
||||
(vm_offset_t)frame->f_frame >= curthread->td_kstack +
|
||||
curthread->td_kstack_pages * PAGE_SIZE)
|
||||
break;
|
||||
frame = frame->f_frame;
|
||||
}
|
||||
@ -485,8 +485,8 @@ dtrace_getstackdepth(int aframes)
|
||||
break;
|
||||
depth++;
|
||||
if (frame->f_frame <= frame ||
|
||||
(vm_offset_t)frame->f_frame >=
|
||||
(vm_offset_t)ebp + KSTACK_PAGES * PAGE_SIZE)
|
||||
(vm_offset_t)frame->f_frame >= curthread->td_kstack +
|
||||
curthread->td_kstack_pages * PAGE_SIZE)
|
||||
break;
|
||||
frame = frame->f_frame;
|
||||
}
|
||||
|
@ -40,7 +40,7 @@ __FBSDID("$FreeBSD$");
|
||||
#include <vm/pmap.h>
|
||||
|
||||
static void
|
||||
stack_capture(struct stack *st, register_t ebp)
|
||||
stack_capture(struct thread *td, struct stack *st, register_t ebp)
|
||||
{
|
||||
struct i386_frame *frame;
|
||||
vm_offset_t callpc;
|
||||
@ -56,8 +56,8 @@ stack_capture(struct stack *st, register_t ebp)
|
||||
if (stack_put(st, callpc) == -1)
|
||||
break;
|
||||
if (frame->f_frame <= frame ||
|
||||
(vm_offset_t)frame->f_frame >=
|
||||
(vm_offset_t)ebp + KSTACK_PAGES * PAGE_SIZE)
|
||||
(vm_offset_t)frame->f_frame >= td->td_kstack +
|
||||
td->td_kstack_pages * PAGE_SIZE)
|
||||
break;
|
||||
frame = frame->f_frame;
|
||||
}
|
||||
@ -74,7 +74,7 @@ stack_save_td(struct stack *st, struct thread *td)
|
||||
panic("stack_save_td: running");
|
||||
|
||||
ebp = td->td_pcb->pcb_ebp;
|
||||
stack_capture(st, ebp);
|
||||
stack_capture(td, st, ebp);
|
||||
}
|
||||
|
||||
void
|
||||
@ -83,5 +83,5 @@ stack_save(struct stack *st)
|
||||
register_t ebp;
|
||||
|
||||
__asm __volatile("movl %%ebp,%0" : "=r" (ebp));
|
||||
stack_capture(st, ebp);
|
||||
stack_capture(curthread, st, ebp);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user