| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Oct 2015 16:07:41 -0700 From: Andrew Morton <akpm@...ux-foundation.org> To: "Lee, Chun-Yi" <joeyli.kernel@...il.com> Cc: Vivek Goyal <vgoyal@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, x86@...nel.org, Stephen Rothwell <sfr@...b.auug.org.au>, Viresh Kumar <viresh.kumar@...aro.org>, Takashi Iwai <tiwai@...e.de>, Jiang Liu <jiang.liu@...ux.intel.com>, Andy Lutomirski <luto@...nel.org>, Baoquan He <bhe@...hat.com>, linux-kernel@...r.kernel.org, kexec@...ts.infradead.org, "Lee, Chun-Yi" <jlee@...e.com> Subject: Re: [PATCH v3] kexec: fix out of the ELF headers buffer issue in syscall kexec_file_load() On Tue, 29 Sep 2015 20:58:57 +0800 "Lee, Chun-Yi" <joeyli.kernel@...il.com> wrote: > This patch modified the code in fill_up_crash_elf_data by using > walk_system_ram_res instead of walk_system_ram_range to count the max > number of crash memory ranges. That's because the walk_system_ram_range > filters out small memory regions that are resided in the same page, but > walk_system_ram_res does not. > > The oringial issue is page fault error that sometimes happened on big machines > when preparing ELF headers: > > [ 305.291522] BUG: unable to handle kernel paging request at ffffc90613fc9000 > [ 305.299621] IP: [<ffffffff8103d645>] prepare_elf64_ram_headers_callback+0x165/0x260 > [ 305.308300] PGD e000032067 PUD 6dcbec54067 PMD 9dc9bdeb067 PTE 0 > [ 305.315393] Oops: 0002 [#1] SMP > [...snip] > [ 305.420953] task: ffff8e1c01ced600 ti: ffff8e1c03ec2000 task.ti: ffff8e1c03ec2000 > [ 305.429292] RIP: 0010:[<ffffffff8103d645>] [<ffffffff8103d645>] prepare_elf64_ra > m_headers_callback+0x165/0x260 > [...snip] > > After tracing prepare_elf64_headers and prepare_elf64_ram_headers_callback, > the code uses walk_system_ram_res to fill-in crash memory regions information > to program header, so it counts those small memory regions that are resided in > a page area. But, when kernel was using walk_system_ram_range in > fill_up_crash_elf_data to count the number of crash memory regions, it filters > out small regions. I printed those small memory regions, for example: > > kexec: Get nr_ram ranges. vaddr=0xffff880077592258 paddr=0x77592258, sz=0xdc0 > > Base on the code in walk_system_ram_range, this memory region will be filtered > out: > > pfn = (0x77592258 + 0x1000 - 1) >> 12 = 0x77593 > end_pfn = (0x77592258 + 0xfc0 -1 + 1) >> 12 = 0x77593 > end_pfn - pfn = 0x77593 - 0x77593 = 0 <=== if (end_pfn > pfn) is FALSE > > So, the max_nr_ranges that's counted by kernel doesn't include small memory > regions. That causes the page fault issue happened in later code path for > preparing EFL headers. > > This issus is not easy to reproduce on small machines that don't have too > many CPUs because the allocated page aligned ELF buffer has more free space > to cover those small memory regions' PT_LOAD headers. > fyi, I added a cc:stable to my copy of this patch. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists