lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20091027131750.GA10513@redhat.com>
Date:	Tue, 27 Oct 2009 09:17:51 -0400
From:	Vivek Goyal <vgoyal@...hat.com>
To:	Jiri Slaby <jirislaby@...il.com>
Cc:	mingo@...hat.com, tglx@...utronix.de, hpa@...or.com,
	x86@...nel.org, linux-kernel@...r.kernel.org,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Simon Horman <horms@...ge.net.au>,
	Paul Mundt <lethal@...ux-sh.org>, Ingo Molnar <mingo@...e.hu>
Subject: Re: [PATCH v2 1/1] crash_dump: fix non-pae kdump kernel memory
	accesses

On Mon, Oct 26, 2009 at 11:11:43AM +0100, Jiri Slaby wrote:
> Non-PAE 32-bit dump kernels may wrap an address around 4G and
> poke unwanted space. ptes there are 32-bit long, and since
> pfn << PAGE_SIZE may exceed this limit, high pfn bits are cropped
> and wrong address mapped by kmap_atomic_pfn in copy_oldmem_page.
> 
> Don't allow this behavior in non-PAE kdump kernels by checking
> pfns passed into copy_oldmem_page. In the case of failure,
> userspace process gets EFAULT.
> 
> [v2]
> - fix comments
> - move ifdefs inside the function
> 
> Signed-off-by: Jiri Slaby <jirislaby@...il.com>
> Cc: Vivek Goyal <vgoyal@...hat.com>
> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>
> Cc: Simon Horman <horms@...ge.net.au>
> Cc: Paul Mundt <lethal@...ux-sh.org>
> Cc: Ingo Molnar <mingo@...e.hu>
> ---

Looks good to me.

Acked-by: Vivek Goyal <vgoyal@...hat.com>

Thanks
Vivek

>  arch/x86/kernel/crash_dump_32.c |   19 +++++++++++++++++++
>  1 files changed, 19 insertions(+), 0 deletions(-)
> 
> diff --git a/arch/x86/kernel/crash_dump_32.c b/arch/x86/kernel/crash_dump_32.c
> index f7cdb3b..cd97ce1 100644
> --- a/arch/x86/kernel/crash_dump_32.c
> +++ b/arch/x86/kernel/crash_dump_32.c
> @@ -16,6 +16,22 @@ static void *kdump_buf_page;
>  /* Stores the physical address of elf header of crash image. */
>  unsigned long long elfcorehdr_addr = ELFCORE_ADDR_MAX;
>  
> +static inline bool is_crashed_pfn_valid(unsigned long pfn)
> +{
> +#ifndef CONFIG_X86_PAE
> +	/*
> +	 * non-PAE kdump kernel executed from a PAE one will crop high pte
> +	 * bits and poke unwanted space counting again from address 0, we
> +	 * don't want that. pte must fit into unsigned long. In fact the
> +	 * test checks high 12 bits for being zero (pfn will be shifted left
> +	 * by PAGE_SHIFT).
> +	 */
> +	return pte_pfn(pfn_pte(pfn, __pgprot(0))) == pfn;
> +#else
> +	return true;
> +#endif
> +}
> +
>  /**
>   * copy_oldmem_page - copy one page from "oldmem"
>   * @pfn: page frame number to be copied
> @@ -41,6 +57,9 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf,
>  	if (!csize)
>  		return 0;
>  
> +	if (!is_crashed_pfn_valid(pfn))
> +		return -EFAULT;
> +
>  	vaddr = kmap_atomic_pfn(pfn, KM_PTE0);
>  
>  	if (!userbuf) {
> -- 
> 1.6.4.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ