Description
In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace assumes that no more than 2 instructions can be generated, which is why it stores them in an int[2] array. However, as previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA) causes a buffer overflow when _mcount is beyond 32 bits. This leads to corruption of the variables located in the __read_mostly section. This corruption was observed because the variable __cpu_primary_thread_mask was corrupted, causing a hang very early during boot. This fix prevents the corruption by avoiding the generation of instructions if they could exceed 2 instructions in length. Fortunately, insn_la_mcount is only used if the instrumented code is located outside the kernel code section, so dynamic ftrace can still be used, albeit in a more limited scope. This is still preferable to corrupting memory and/or crashing the kernel.
Product status
e424054000878d7eb11e44289242886d6e219d22 (git) before e3e33ac2eb69d595079a1a1e444c2fb98efdd42d
e424054000878d7eb11e44289242886d6e219d22 (git) before 7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150
e424054000878d7eb11e44289242886d6e219d22 (git) before 36dac9a3dda1f2bae343191bc16b910c603cac25
2.6.35
Any version before 2.6.35
6.12.64 (semver)
6.18.3 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/e3e33ac2eb69d595079a1a1e444c2fb98efdd42d
git.kernel.org/...c/7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150
git.kernel.org/...c/36dac9a3dda1f2bae343191bc16b910c603cac25