lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LFD.1.00.0801311514060.9204@apollo.tec.linutronix.de>
Date:	Thu, 31 Jan 2008 16:48:14 +0100 (CET)
From:	Thomas Gleixner <tglx@...utronix.de>
To:	Andi Kleen <ak@...e.de>
cc:	ebiederm@...ssion.com, vgoyal@...hat.com, mingo@...e.hu,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] [1/9] Handle kernel near memory hole in
 clear_kernel_mapping

On Tue, 29 Jan 2008, Andi Kleen wrote:
> This was a long standing obscure problem in the relocatable kernel. The
> AMD GART driver needs to unmap part of the GART in the kernel direct mapping to 
> prevent cache corruption. With the relocatable kernel it is in theory possible 
> that the separate kernel text mapping straddles that area too. 
> 
> Normally it should not happen because GART tends to be >= 2GB, and the kernel 
> is normally not loaded that high, but it is possible in theory. 

This smells fishy.

>
....
>
> +#define overlaps(as, ae, bs, be) ((ae) >= (bs) && (as) <= (be))

inline function please and a bit more intuituive arrangement of
arguments.

> +void __init clear_kernel_mapping(unsigned long address, unsigned long size)
> +{
> +	int sh = PMD_SHIFT;
> +	unsigned long kernel = __pa(__START_KERNEL_map);
> +
> +	/*
> +	 * Note that we cannot unmap the kernel itself because the unmapped
> +	 * holes here are always at least 2MB aligned.

That's not enforced. The unmap code just does not split pages.

> +	 * This just applies to the trailing areas of the 40MB kernel mapping.

How is this ensured, that it only affects the end of the 40MB mapping ?

> +	 */
> +	if (overlaps(kernel >> sh, (kernel + KERNEL_TEXT_SIZE) >> sh,
> +			__pa(address) >> sh, __pa(address + size) >> sh)) {

This checks:

     (kernel_end + 1) >= gart_start && kernel_start <= gart_end

One off error:  kernel + KERNEL_TEXT_SIZE 
needs to be:    kernel + KERNEL_TEXT_SIZE - 1

Also there is no sanity check, whether the area is inside real kernel text.

> +		printk(KERN_WARNING
> +			"Kernel mapping at %lx within 2MB of memory hole\n",
> +				kernel);


> +		__clear_kernel_mapping(__START_KERNEL_map+__pa(address), size);

Doh! This is unmapping the wrong place. According to __phys_addr():

     paddr = vaddr - __START_KERNEL_map + phys_base;

Transformation:

     vaddr = padd + __START_KERNEL_map - phys_base;

Sigh. The clear_kernel_mapping() functionality is just another wreckaged
implementation of CPA.

We really should use CPA and have a function to mark entries not
present. Actually the DEBUG_PAGEALLOC code has one already. There are
sanity checks in the CPA code as well, which can be extended to cover
the GART unmap in a safe way.

Thanks,
	tglx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ