| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Jul 2016 18:14:00 -0400
From: Kees Cook <keescook@...omium.org>
To: Ingo Molnar <mingo@...hat.com>
Cc: LKML <linux-kernel@...r.kernel.org>,
Thomas Garnier <thgarnie@...gle.com>,
"x86@...nel.org" <x86@...nel.org>, Borislav Petkov <bp@...e.de>,
Matt Fleming <matt@...eblueprint.co.uk>,
Toshi Kani <toshi.kani@....com>,
Sai Praneeth <sai.praneeth.prakhya@...el.com>,
Dexuan Cui <decui@...rosoft.com>,
Christian Borntraeger <borntraeger@...ibm.com>,
Chris Wilson <chris@...is-wilson.co.uk>
Subject: Re: [PATCH] x86/mm: Do not reference phys addr beyond kernel
On Wed, Jun 15, 2016 at 3:05 PM, Kees Cook <keescook@...omium.org> wrote:
> From: Thomas Garnier <thgarnie@...gle.com>
>
> The new physical address randomized KASLR implementation can cause the
> kernel to be aligned close to the end of physical memory. In this case,
> _brk_end aligned to PMD will go beyond what is expected safe and hit
> the assert in __phys_addr_symbol():
>
> VIRTUAL_BUG_ON(y >= KERNEL_IMAGE_SIZE);
>
> Instead, perform an inclusive range check to avoid incorrectly triggering
> the assert:
>
> kernel BUG at arch/x86/mm/physaddr.c:38!
> invalid opcode: 0000 [#1] SMP
> ...
> RIP: 0010:[<ffffffffbe055721>] __phys_addr_symbol+0x41/0x50
> ...
> Call Trace:
> [<ffffffffbe052eb9>] cpa_process_alias+0xa9/0x210
> [<ffffffffbe109011>] ? do_raw_spin_unlock+0xc1/0x100
> [<ffffffffbe051eef>] __change_page_attr_set_clr+0x8cf/0xbd0
> [<ffffffffbe201a4d>] ? vm_unmap_aliases+0x7d/0x210
> [<ffffffffbe05237c>] change_page_attr_set_clr+0x18c/0x4e0
> [<ffffffffbe0534ec>] set_memory_4k+0x2c/0x40
> [<ffffffffbefb08b3>] check_bugs+0x28/0x2a
> [<ffffffffbefa4f52>] start_kernel+0x49d/0x4b9
> [<ffffffffbefa4120>] ? early_idt_handler_array+0x120/0x120
> [<ffffffffbefa4423>] x86_64_start_reservations+0x29/0x2b
> [<ffffffffbefa4568>] x86_64_start_kernel+0x143/0x152
>
> Signed-off-by: Thomas Garnier <thgarnie@...gle.com>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> Needed before the KASLR improvement series can be finished.
Just checking on where this patch stands -- it's a needed bug fix for
the KASLR improvements that are already in -tip.
-Kees
> ---
> arch/x86/mm/pageattr.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
> index 7a1f7bbf4105..379b5111ac6b 100644
> --- a/arch/x86/mm/pageattr.c
> +++ b/arch/x86/mm/pageattr.c
> @@ -101,7 +101,8 @@ static inline unsigned long highmap_start_pfn(void)
>
> static inline unsigned long highmap_end_pfn(void)
> {
> - return __pa_symbol(roundup(_brk_end, PMD_SIZE)) >> PAGE_SHIFT;
> + /* Do not reference physical address outside the kernel. */
> + return __pa_symbol(roundup(_brk_end, PMD_SIZE) - 1) >> PAGE_SHIFT;
> }
>
> #endif
> @@ -112,6 +113,12 @@ within(unsigned long addr, unsigned long start, unsigned long end)
> return addr >= start && addr < end;
> }
>
> +static inline int
> +within_inclusive(unsigned long addr, unsigned long start, unsigned long end)
> +{
> + return addr >= start && addr <= end;
> +}
> +
> /*
> * Flushing functions
> */
> @@ -1316,7 +1323,8 @@ static int cpa_process_alias(struct cpa_data *cpa)
> * to touch the high mapped kernel as well:
> */
> if (!within(vaddr, (unsigned long)_text, _brk_end) &&
> - within(cpa->pfn, highmap_start_pfn(), highmap_end_pfn())) {
> + within_inclusive(cpa->pfn, highmap_start_pfn(),
> + highmap_end_pfn())) {
> unsigned long temp_cpa_vaddr = (cpa->pfn << PAGE_SHIFT) +
> __START_KERNEL_map - phys_base;
> alias_cpa = *cpa;
> --
> 2.7.4
>
>
> --
> Kees Cook
> Chrome OS & Brillo Security
--
Kees Cook
Chrome OS & Brillo Security
Powered by blists - more mailing lists