elf/coredump: add sanity checks for stack pointer

stack pointer may be invalid value if in SMP mode, add sanity checks to avoid invalid access Signed-off-by: chao an <anchao@xiaomi.com>
2023-05-24 22:38:50 +08:00 · 2023-05-24 22:38:50 +08:00 · 78006f9824
parent 50d1de93ed
commit 78006f9824
1 changed files with 44 additions and 9 deletions
--- a/binfmt/libelf/libelf_coredump.c
+++ b/binfmt/libelf/libelf_coredump.c
@ -335,16 +335,32 @@ static void elf_emit_note(FAR struct elf_dumpinfo_s *cinfo)
 static void elf_emit_tcb_stack(FAR struct elf_dumpinfo_s *cinfo,
                               FAR struct tcb_s *tcb)
 {
-  FAR void *buf;
+  FAR void *buf = NULL;
+  uintptr_t sp;
  size_t len;

  if (running_task() != tcb)
    {
-      len = ((uintptr_t)tcb->stack_base_ptr + tcb->adj_stack_size) -
-            up_getusrsp(tcb->xcp.regs);
-      buf = (FAR void *)up_getusrsp(tcb->xcp.regs);
+      sp = up_getusrsp(tcb->xcp.regs);
+
+      if (sp > (uintptr_t)tcb->stack_base_ptr &&
+          sp < (uintptr_t)tcb->stack_base_ptr + tcb->adj_stack_size)
+        {
+          len = ((uintptr_t)tcb->stack_base_ptr +
+                            tcb->adj_stack_size) - sp;
+          buf = (FAR void *)sp;
+        }
+#ifdef CONFIG_STACK_COLORATION
+      else
+        {
+          len = up_check_tcbstack(tcb);
+          buf = (FAR void *)((uintptr_t)tcb->stack_base_ptr +
+                             (tcb->adj_stack_size - len));
+        }
+#endif
    }
-  else
+
+  if (buf == NULL)
    {
      buf = (FAR void *)tcb->stack_alloc_ptr;
      len = tcb->adj_stack_size +
@ -422,13 +438,32 @@ static void elf_emit_tcb_phdr(FAR struct elf_dumpinfo_s *cinfo,
                              FAR struct tcb_s *tcb,
                              FAR Elf_Phdr *phdr, off_t *offset)
 {
+  uintptr_t sp;
+
+  phdr->p_vaddr = 0;
+
  if (running_task() != tcb)
    {
-      phdr->p_filesz = (uintptr_t)(tcb->stack_base_ptr +
-                       tcb->adj_stack_size) - up_getusrsp(tcb->xcp.regs);
-      phdr->p_vaddr  = up_getusrsp(tcb->xcp.regs);
+      sp = up_getusrsp(tcb->xcp.regs);
+
+      if (sp > (uintptr_t)tcb->stack_base_ptr &&
+          sp < (uintptr_t)tcb->stack_base_ptr + tcb->adj_stack_size)
+        {
+          phdr->p_filesz = ((uintptr_t)tcb->stack_base_ptr +
+                           tcb->adj_stack_size) - sp;
+          phdr->p_vaddr  = sp;
+        }
+#ifdef CONFIG_STACK_COLORATION
+      else
+        {
+          phdr->p_filesz = up_check_tcbstack(tcb);
+          phdr->p_vaddr  = (uintptr_t)tcb->stack_base_ptr +
+                           (tcb->adj_stack_size - phdr->p_filesz);
+        }
+#endif
    }
-  else
+
+  if (phdr->p_vaddr == 0)
    {
      phdr->p_vaddr  = (uintptr_t)tcb->stack_alloc_ptr;
      phdr->p_filesz = tcb->adj_stack_size +