phoenix-rtos / phoenix-rtos-project

Sample project using Phoenix-RTOS
https://phoenix-rtos.com
BSD 3-Clause "New" or "Revised" License

kernel: faulty userspace signal handler causes kernel to crash #1200

Open badochov opened 1 month ago

badochov commented 1 month ago

This program, which sets the signal handler to a function that causes a segmentation fault, results in the kernel crashing.

#include <sys/threads.h>

/* Deliberately faulty handler: dereferences NULL, so the handler itself
 * raises the same fault it was installed to handle. */
void bad(void)
{
    volatile int *oops = NULL;
    *oops = 42;
}

int main(void)
{
    /* Install bad() as the process signal handler for all signals. */
    signalHandle(bad, 0, 0xffffffffUL);

    /* Trigger the first fault; the kernel then re-enters bad() on every fault. */
    bad();

    return 0;
}

Run on: armv8r52-mps3an536-qemu

Exception log

Exception: 4 #Abort
 r0=1fffff90  r1=10029ea8  r2=10029eb0  r3=10029eb0
 r4=1002a000  r5=00000110  r6=2003522d  r7=10028000
 r8=200000e8  r9=20059938 r10=00000000  fp=10029fac
 ip=00000001  sp=10029e10  lr=10002db1  pc=10000288
psr=200000ff dfs=00000a10 dfa=1fffff98 ifs=00000000
ifa=00000000

lr points to: https://github.com/phoenix-rtos/phoenix-rtos-kernel/blob/6624da07bc3e92b83ac0124375dc83565e6516a3/hal/armv8r/cpu.c#L114

The architecture doesn't matter, the root cause is that when the kernel encounters a segmentation fault or an illegal instruction in the process it calls the process' signal handler. If the signal handler is itself faulty, it causes an infinite loop of putting signal context onto the process stack. After the stack is filled, and usually all data and text is overwritten, the kernel tries to put the signal context into unmapped memory.

badochov commented 1 month ago

Probably the best solution would be to introduce a user stack bounds check before any interaction.
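As an added illustration of the bounds check proposed above (this is not Phoenix-RTOS code; the frame layout, the `uthread_t` stack-region fields and the `sig_frame_check`/`simulate_faulting_handler` names are assumptions for the example), the check refuses to push a signal frame once it would cross below the mapped user stack, so the fault-in-handler loop ends with a refusal the kernel can turn into process termination rather than with a kernel-mode write to unmapped memory:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified signal frame; NOT the real Phoenix-RTOS layout
 * (the kernel's actual saved context is architecture specific). */
typedef struct {
    uint32_t regs[16]; /* r0-r15 snapshot */
    uint32_t psr;
} sigframe_t;

/* Assumed description of a thread's user stack mapping (hypothetical type). */
typedef struct {
    uintptr_t stack_lo; /* lowest mapped byte of the user stack */
    uintptr_t stack_hi; /* one past the highest mapped byte (initial sp) */
    uintptr_t sp;       /* user sp at the moment the signal is delivered */
} uthread_t;

typedef enum {
    SIG_PUSH_OK = 0,
    SIG_PUSH_NOSPACE = -1, /* frame would cross below stack_lo */
    SIG_PUSH_BADSP = -2    /* sp is already outside the mapping */
} sig_push_t;

/* Bounds check for pushing `size` bytes of signal context below t->sp.
 * Keeps 8-byte alignment (AAPCS). Writes the new sp only on success.
 * The range is compared before subtracting so the arithmetic cannot wrap. */
sig_push_t sig_frame_check(const uthread_t *t, size_t size, uintptr_t *new_sp)
{
    if (t->sp < t->stack_lo || t->sp > t->stack_hi)
        return SIG_PUSH_BADSP;
    if (size > t->sp - t->stack_lo)
        return SIG_PUSH_NOSPACE;
    uintptr_t candidate = (t->sp - size) & ~(uintptr_t)7;
    if (candidate < t->stack_lo)
        return SIG_PUSH_NOSPACE;
    *new_sp = candidate;
    return SIG_PUSH_OK;
}

/* Models the loop from the issue: a handler that faults immediately makes the
 * kernel deliver the signal again on every fault. With the check in place the
 * loop ends with a refusal (the process should then be killed) instead of the
 * kernel writing into unmapped memory. Returns the number of frames pushed. */
int simulate_faulting_handler(uthread_t *t, int max_iters, sig_push_t *last)
{
    int pushed = 0;
    *last = SIG_PUSH_OK;
    for (int i = 0; i < max_iters; i++) {
        uintptr_t sp;
        *last = sig_frame_check(t, sizeof(sigframe_t), &sp);
        if (*last != SIG_PUSH_OK)
            break;
        t->sp = sp; /* frame "pushed"; the handler runs and faults again */
        pushed++;
    }
    return pushed;
}

int main(void)
{
    /* Constructed 4 KiB user stack at an arbitrary address. */
    uthread_t t = { .stack_lo = 0x10000, .stack_hi = 0x11000, .sp = 0x11000 };
    sig_push_t last;
    int n = simulate_faulting_handler(&t, 1000, &last);
    printf("pushed %d frames, stopped with %d, sp=0x%lx\n",
           n, (int)last, (unsigned long)t.sp);
    return 0;
}
```

With a 68-byte frame rounded to 8-byte alignment, each delivery consumes 72 bytes, so the 4 KiB stack in the constructed scenario takes 56 frames before the check returns `SIG_PUSH_NOSPACE` with 64 bytes left; the kernel never touches memory below `stack_lo`. The `SIG_PUSH_BADSP` case covers a user sp that was already corrupted before the fault.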