arm64: when walking onto the task stack, check sp & fp are in current->stack

When unwind_frame() reaches the bottom of the irq_stack, the last fp
points to the original task stack. unwind_frame() uses
IRQ_STACK_TO_TASK_STACK() to find the sp value. If either values is
wrong, we may end up walking a corrupt stack.

Check these values are sane by testing if they are both on the stack
pointed to by current->stack.

Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>

diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c
index b947eeffa5b29419dd4b23b7a5b5a146e8e2f071..d916d5b6aef60d924070e66be9c1479be8fd3f7a 100644 (file)
--- a/arch/arm64/kernel/stacktrace.c
+++ b/arch/arm64/kernel/stacktrace.c
@@ -71,9 +71,17 @@ int notrace unwind_frame(struct stackframe *frame)
         * to task stack.
         * If we reach the end of the stack - and its an interrupt stack,
         * read the original task stack pointer from the dummy frame.
+        *
+        * Check the frame->fp we read from the bottom of the irq_stack,
+        * and the original task stack pointer are both in current->stack.
         */
-       if (frame->sp == irq_stack_ptr)
-               frame->sp = IRQ_STACK_TO_TASK_STACK(irq_stack_ptr);
+       if (frame->sp == irq_stack_ptr) {
+               unsigned long orig_sp = IRQ_STACK_TO_TASK_STACK(irq_stack_ptr);
+
+               if(object_is_on_stack((void *)orig_sp) &&
+                  object_is_on_stack((void *)frame->fp))
+                       frame->sp = orig_sp;
+       }
 
        return 0;
 }