lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Oct 2009 09:17:51 -0400 From: Vivek Goyal <vgoyal@...hat.com> To: Jiri Slaby <jirislaby@...il.com> Cc: mingo@...hat.com, tglx@...utronix.de, hpa@...or.com, x86@...nel.org, linux-kernel@...r.kernel.org, "Eric W. Biederman" <ebiederm@...ssion.com>, Simon Horman <horms@...ge.net.au>, Paul Mundt <lethal@...ux-sh.org>, Ingo Molnar <mingo@...e.hu> Subject: Re: [PATCH v2 1/1] crash_dump: fix non-pae kdump kernel memory accesses On Mon, Oct 26, 2009 at 11:11:43AM +0100, Jiri Slaby wrote: > Non-PAE 32-bit dump kernels may wrap an address around 4G and > poke unwanted space. ptes there are 32-bit long, and since > pfn << PAGE_SIZE may exceed this limit, high pfn bits are cropped > and wrong address mapped by kmap_atomic_pfn in copy_oldmem_page. > > Don't allow this behavior in non-PAE kdump kernels by checking > pfns passed into copy_oldmem_page. In the case of failure, > userspace process gets EFAULT. > > [v2] > - fix comments > - move ifdefs inside the function > > Signed-off-by: Jiri Slaby <jirislaby@...il.com> > Cc: Vivek Goyal <vgoyal@...hat.com> > Cc: "Eric W. Biederman" <ebiederm@...ssion.com> > Cc: Simon Horman <horms@...ge.net.au> > Cc: Paul Mundt <lethal@...ux-sh.org> > Cc: Ingo Molnar <mingo@...e.hu> > --- Looks good to me. Acked-by: Vivek Goyal <vgoyal@...hat.com> Thanks Vivek > arch/x86/kernel/crash_dump_32.c | 19 +++++++++++++++++++ > 1 files changed, 19 insertions(+), 0 deletions(-) > > diff --git a/arch/x86/kernel/crash_dump_32.c b/arch/x86/kernel/crash_dump_32.c > index f7cdb3b..cd97ce1 100644 > --- a/arch/x86/kernel/crash_dump_32.c > +++ b/arch/x86/kernel/crash_dump_32.c > @@ -16,6 +16,22 @@ static void *kdump_buf_page; > /* Stores the physical address of elf header of crash image. */ > unsigned long long elfcorehdr_addr = ELFCORE_ADDR_MAX; > > +static inline bool is_crashed_pfn_valid(unsigned long pfn) > +{ > +#ifndef CONFIG_X86_PAE > + /* > + * non-PAE kdump kernel executed from a PAE one will crop high pte > + * bits and poke unwanted space counting again from address 0, we > + * don't want that. pte must fit into unsigned long. In fact the > + * test checks high 12 bits for being zero (pfn will be shifted left > + * by PAGE_SHIFT). > + */ > + return pte_pfn(pfn_pte(pfn, __pgprot(0))) == pfn; > +#else > + return true; > +#endif > +} > + > /** > * copy_oldmem_page - copy one page from "oldmem" > * @pfn: page frame number to be copied > @@ -41,6 +57,9 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, > if (!csize) > return 0; > > + if (!is_crashed_pfn_valid(pfn)) > + return -EFAULT; > + > vaddr = kmap_atomic_pfn(pfn, KM_PTE0); > > if (!userbuf) { > -- > 1.6.4.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists