arm64:fix a potential segfault when unwind frame

0006-arm64-fix-a-potential-segfault-when-unwind-frame.patch

@@ -0,0 +1,71 @@
+From af895b219876b293d551e6dec825aba3905c0588 Mon Sep 17 00:00:00 2001
+From: "qiwu.chen" <qiwu.chen@transsion.com>
+Date: Wed, 24 Jul 2024 01:36:09 +0000
+Subject: [PATCH] arm64: fix a potential segfault when unwind frame
+
+The range of frame->fp is checked insufficiently, which may lead to a wrong
+next fp. As a result, bt->stackbuf will be accessed out of range, and segfault.
+
+  crash> bt
+  [Detaching after fork from child process 11409]
+  PID: 7661     TASK: ffffff81858aa500  CPU: 4    COMMAND: "sh"
+   #0 [ffffffc008003f50] local_cpu_stop at ffffffdd7669444c
+
+  Thread 1 "crash" received signal SIGSEGV, Segmentation fault.
+  0x00005555558266cc in arm64_unwind_frame (bt=0x7fffffffd8f0, frame=0x7fffffffd080) at
+  arm64.c:2821
+  2821            frame->fp = GET_STACK_ULONG(fp);
+  (gdb) bt
+  arm64.c:2821
+  out>) at main.c:1338
+  gdb_interface.c:81
+  (gdb) p /x *(struct bt_info*) 0x7fffffffd8f0
+  $3 = {task = 0xffffff81858aa500, flags = 0x0, instptr = 0xffffffdd76694450, stkptr =
+  0xffffffc008003f40, bptr = 0x0, stackbase = 0xffffffc027288000,
+    stacktop = 0xffffffc02728c000, stackbuf = 0x555556115a40, tc = 0x55559d16fdc0, hp = 0x0,
+  textlist = 0x0, ref = 0x0, frameptr = 0xffffffc008003f50,
+    call_target = 0x0, machdep = 0x0, debug = 0x0, eframe_ip = 0x0, radix = 0x0, cpumask =
+  0x0}
+  (gdb) p /x *(struct arm64_stackframe*) 0x7fffffffd080
+  $4 = {fp = 0xffffffc008003f50, sp = 0xffffffc008003f60, pc = 0xffffffdd76694450}
+  crash> bt -S 0xffffffc008003f50
+  PID: 7661     TASK: ffffff81858aa500  CPU: 4    COMMAND: "sh"
+  bt: non-process stack address for this task: ffffffc008003f50
+      (valid range: ffffffc027288000 - ffffffc02728c000)
+
+Check frame->fp value sufficiently before access it. Only frame->fp within
+the range of bt->stackbase and bt->stacktop will be regarded as valid.
+
+Signed-off-by: qiwu.chen <qiwu.chen@transsion.com>
+
+Conflict: NA
+Reference: https://github.com/crash-utility/crash/commit/af895b219876b293d551e6dec825aba3905c0588
+---
+ arm64.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arm64.c b/arm64.c
+index b3040d7..624dba2 100644
+--- a/arm64.c
++++ b/arm64.c
+@@ -2814,7 +2814,7 @@ arm64_unwind_frame(struct bt_info *bt, struct arm64_stackframe *frame)
+ 	low  = frame->sp;
+ 	high = (low + stack_mask) & ~(stack_mask);
+ 
+-	if (fp < low || fp > high || fp & 0xf)
++	if (fp < low || fp > high || fp & 0xf || !INSTACK(fp, bt))
+ 		return FALSE;
+ 
+ 	frame->sp = fp + 0x10;
+@@ -3024,7 +3024,7 @@ arm64_unwind_frame_v2(struct bt_info *bt, struct arm64_stackframe *frame,
+ 	low  = frame->sp;
+ 	high = (low + stack_mask) & ~(stack_mask);
+ 
+-	if (fp < low || fp > high || fp & 0xf)
++	if (fp < low || fp > high || fp & 0xf || !INSTACK(fp, bt))
+ 		return FALSE;
+ 
+ 	if (CRASHDEBUG(1))
+-- 
+2.33.0
+

crash.spec

@@ -1,6 +1,6 @@
 Name: crash
 Version: 8.0.4
-Release: 6
+Release: 7
 Summary: Linux kernel crash utility.
 License: GPLv3
 URL: https://crash-utility.github.io
@@ -13,6 +13,7 @@ Patch2: 0002-crash-8.0.2-sw.patch
 Patch3: 0003-crash-8.0.4-add-support-for-loongarch64.patch
 Patch4: 0004-support-vmp_area_list-replaced-with-VMALLOC_START.patch
 Patch5: 0005-gdb-ignore-Wenum-constexpr-conversion-in-enum-flags.patch
+Patch6: 0006-arm64-fix-a-potential-segfault-when-unwind-frame.patch
 
 BuildRequires: ncurses-devel zlib-devel lzo-devel snappy-devel texinfo libzstd-devel 
 BuildRequires: gcc gcc-c++ bison m4
@@ -54,6 +55,7 @@ created by manufacturer-specific firmware.
 %patch4 -p1
 %endif
 %patch5 -p1
+%patch6 -p1
 
 %build
 cp %{SOURCE1} .
@@ -88,6 +90,9 @@ install -D -m 0644 defs.h %{buildroot}%{_includedir}/%{name}/defs.h
 %{_mandir}/man8/crash.8*
 
 %changelog
+* Tue Nov 12 2024 wangxiao <wangxiao184@h-partners.com> - 8.0.4-7
+- arm64: fix a potential segfault when unwind frame
+
 * Fri Oct 25 2024 duanchenghao <duanchenghao@kylinos.cn> - 8.0.4-6
 - Fix crash vmlinux /proc/kcore failed for loongarch64