linux/arch/mips
James Hogan 8b3c569a39 MIPS: stack protector: Fix per-task canary switch
Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
per task) was merged in v3.11 and introduced assembly in the MIPS resume
functions to update the value of the current canary in
__stack_chk_guard. However it used PTR_L resulting in a load of the
canary value, instead of PTR_LA to construct its address. The value is
intended to be random but is then treated as an address in the
subsequent LONG_S (store).

This was observed to cause a fault and panic:

CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
Oops[#1]:
...
$24   : 139fea20 1e1f7cb6
...
Call Trace:
[<8000cc0c>] resume+0xac/0x118
[<8034f2a4>] __schedule+0x5f8/0x78c
[<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
[<80348eec>] rest_init+0x74/0x84
[<804dc990>] start_kernel+0x43c/0x454
Code: 3c18804b  8f184030  8cb901f8 <af190000> 00c0e021  8cb002f0 8cb102f4  8cb202f8  8cb302fc

This can also be forced by modifying
arch/mips/include/asm/stackprotector.h so that the default
__stack_chk_guard value is more likely to be a bad (or unaligned)
pointer.

Fix it to use PTR_LA instead, to load the address of the canary value,
which the LONG_S can then use to write into it.

Reported-by: bobjones (via #mipslinux on IRC)
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Gregory Fong <gregory.0xf0@gmail.com>
Cc: linux-mips@linux-mips.org
Cc: stable@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/6026/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2013-10-07 15:31:04 +02:00
..
alchemy MIPS: Alchemy: MTX-1: fix incorrect placement of __initdata tag 2013-09-30 15:14:07 +02:00
ar7 MIPS: FW: Remove obsolete header file for MTI platforms. 2013-05-08 12:30:10 +02:00
ath79 MIPS: ath79: Switch to the clkdev framework 2013-09-03 23:22:18 +02:00
bcm47xx MIPS: Set default CPU type for BCM47XX platforms 2013-07-30 18:48:50 +02:00
bcm63xx MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks 2013-09-18 20:25:19 +02:00
boot MIPS: Fix invalid symbolic link file 2013-09-19 17:04:35 +02:00
cavium-octeon MIPS: Optimize current_cpu_type() for better code. 2013-09-17 18:50:53 +02:00
cobalt MIPS: Idle: Consolidate all declarations in <asm/idle.h>. 2013-05-22 01:34:27 +02:00
configs MIPS: Lantiq: Add defconfig for xway SoC 2013-09-03 23:22:16 +02:00
dec MIPS: Optimize current_cpu_type() for better code. 2013-09-17 18:50:53 +02:00
emma
fw MIPS: sibyte: Declare the cfe_write() buffer as constant 2013-06-21 18:07:02 +02:00
include MIPS: cpu-features.h: s/MIPS53/MIPS64/ 2013-09-24 11:07:18 +02:00
jazz
jz4740 MIPS: jz4740: Correct clock gate bit for DMA controller 2013-07-05 11:40:53 +05:30
kernel MIPS: stack protector: Fix per-task canary switch 2013-10-07 15:31:04 +02:00
kvm Merge branch 'next' of git://git.kernel.org/pub/scm/virt/kvm/kvm 2013-09-04 18:15:06 -07:00
lantiq MIPS: Lantiq: Falcon: fix asc clock definition 2013-09-03 23:22:16 +02:00
lasat MIPS: Refactor load/entry address calculations 2013-09-03 17:58:37 +02:00
lib MIPS: Delete __cpuinit/__CPUINIT usage from MIPS code 2013-07-14 19:36:51 -04:00
loongson MIPS: Loongson: Hide the pci code behind CONFIG_PCI 2013-09-03 15:27:39 +02:00
loongson1 MIPS: Idle: Consolidate all declarations in <asm/idle.h>. 2013-05-22 01:34:27 +02:00
math-emu MIPS: Remove unreachable break statements from cp1emu.c 2013-08-26 15:33:40 +02:00
mm MIPS: Fix forgotten preempt_enable() when CPU has inclusive pcaches 2013-10-02 10:58:50 +02:00
mti-malta MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks 2013-09-18 20:25:19 +02:00
mti-sead3 MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks 2013-09-18 20:25:19 +02:00
netlogic MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks 2013-09-18 20:25:19 +02:00
oprofile MIPS: Optimize current_cpu_type() for better code. 2013-09-17 18:50:53 +02:00
pci MIPS: PCI: pci-bcm1480: Include missing vt.h header 2013-09-19 12:50:16 +02:00
pmcs-msp71xx MIPS: Delete __cpuinit/__CPUINIT usage from MIPS code 2013-07-14 19:36:51 -04:00
pnx833x MIPS: PNX833x: PNX8335_PCI_ETHERNET_INT depends on CONFIG_SOC_PNX8335 2013-08-05 13:34:22 +02:00
power
powertv MIPS: powertv: Drop BOOTLOADER_DRIVER Kconfig symbol 2013-09-03 16:48:37 +02:00
ralink MIPS: Add driver for the built-in PCI controller of the RT3883 SoC 2013-09-04 19:17:21 +02:00
rb532
sgi-ip22
sgi-ip27 MIPS: Delete __cpuinit/__CPUINIT usage from MIPS code 2013-07-14 19:36:51 -04:00
sgi-ip32
sibyte MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks 2013-09-18 20:25:19 +02:00
sni MIPS: Cleanup CP0 PRId and CP1 FPIR register access masks 2013-09-18 20:25:19 +02:00
txx9 MIPS: TXx9: Fix build error if CONFIG_TOSHIBA_JMR3927 is not selected 2013-09-03 15:30:50 +02:00
vr41xx MIPS: Idle: Consolidate all declarations in <asm/idle.h>. 2013-05-22 01:34:27 +02:00
Kbuild KVM/MIPS32: Infrastructure/build files. 2013-05-08 03:55:34 +02:00
Kbuild.platforms MIPS: Delete Wind River ppmc eval board support. 2013-07-01 15:10:53 +02:00
Kconfig Remove GENERIC_HARDIRQ config option 2013-09-13 15:09:52 +02:00
Kconfig.debug consolidate per-arch stack overflow debugging options 2013-07-04 11:25:39 -07:00
Makefile MIPS: Remove useless comment about kprobe from arch/mips/Makefile 2013-09-18 18:37:48 +02:00