lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 9 Sep 2014 08:53:29 -0700
From:	Kees Cook <keescook@...omium.org>
To:	Baoquan He <bhe@...hat.com>
Cc:	LKML <linux-kernel@...r.kernel.org>,
	Andi Kleen <ak@...ux.intel.com>,
	Ingo Molnar <mingo@...hat.com>,
	Thomas Deutschmann <whissi@...ssi.de>,
	Dave Young <dyoung@...hat.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Vivek Goyal <vgoyal@...hat.com>,
	WANG Chao <chaowang@...hat.com>
Subject: Re: [PATCH 1/4] kaslr: check user's config too when handle relocations

On Mon, Sep 8, 2014 at 11:24 PM, Baoquan He <bhe@...hat.com> wrote:
> On 09/05/14 at 10:11am, Kees Cook wrote:
>> I don't think this is correct. If you look at a02150610776 ("x86,
>> relocs: Move ELF relocation handling to C"), we always did relocations
>> on 32-bit when CONFIG_RELOCATABLE was set, so I think this will fail
>> badly on 32-bit. 64-bit only needs relocation when
>> CONFIG_RANDOMIZE_BASE is set, so this is probably what needs to be
>> tested here instead. I think a better option would be, in
>> decompress_kernel(), to compare output before and after
>> choose_kernel_location(). If it's the same on 64-bit,
>> handle_relocations() can be skipped. (Perhaps pass the before/after to
>> handle_relocations() and it can perform the logic.)
>>
>> -Kees
>
> Hi Kees,
>
> Checking handle_relocations() again, I just didn't notice it's mandatory
> to do the relocations handling in i386. So in this function delta is
> checked to see if it's a kaslr relocation handling. This might be a
> little confusing. But I am fine with it.
>
> Per your comment, you prefer to compare the output before and after
> choose_kernel_location(). That's also good, Lu Yinghai posted a draft
> patch in this way before, however the checking and the delta calculation
> are not correct. I changed that and test all cases, it works well. So
> do you like this it? If yes  I will repost it.
>
> From 13471bd838c52a0e143c2aee81e3863cfff585bd Mon Sep 17 00:00:00 2001
> From: Baoquan He <bhe@...hat.com>
> Date: Mon, 25 Aug 2014 14:57:43 +0800
> Subject: [PATCH] kaslr: check if kernel location is changed
>
> Signed-off-by: Baoquan He <bhe@...hat.com>
> ---
>  arch/x86/boot/compressed/misc.c | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
> index 57ab74d..887f404 100644
> --- a/arch/x86/boot/compressed/misc.c
> +++ b/arch/x86/boot/compressed/misc.c
> @@ -230,8 +230,9 @@ static void error(char *x)
>                 asm("hlt");
>  }
>
> -#if CONFIG_X86_NEED_RELOCS
> -static void handle_relocations(void *output, unsigned long output_len)
> +#ifdef CONFIG_X86_NEED_RELOCS
> +static void handle_relocations(void *output_orig, void *output,
> +                              unsigned long output_len)
>  {
>         int *reloc;
>         unsigned long delta, map, ptr;
> @@ -242,6 +243,9 @@ static void handle_relocations(void *output, unsigned long output_len)
>          * Calculate the delta between where vmlinux was linked to load
>          * and where it was actually loaded.
>          */
> +       if (output_orig == output)
> +               return;
> +

I still think this needs a test for the 32-bit case, since IUIC, it
requires relocations unconditionally.

-Kees

>         delta = min_addr - LOAD_PHYSICAL_ADDR;
>         if (!delta) {
>                 debug_putstr("No relocation needed... ");
> @@ -299,7 +303,8 @@ static void handle_relocations(void *output, unsigned long output_len)
>  #endif
>  }
>  #else
> -static inline void handle_relocations(void *output, unsigned long output_len)
> +static inline void handle_relocations(void *output_orig, void *output,
> +                                     unsigned long output_len)
>  { }
>  #endif
>
> @@ -360,6 +365,8 @@ asmlinkage __visible void *decompress_kernel(void *rmode, memptr heap,
>                                   unsigned char *output,
>                                   unsigned long output_len)
>  {
> +       unsigned char *output_orig = output;
> +
>         real_mode = rmode;
>
>         sanitize_boot_params(real_mode);
> @@ -402,7 +409,7 @@ asmlinkage __visible void *decompress_kernel(void *rmode, memptr heap,
>         debug_putstr("\nDecompressing Linux... ");
>         decompress(input_data, input_len, NULL, NULL, output, NULL, error);
>         parse_elf(output);
> -       handle_relocations(output, output_len);
> +       handle_relocations(output_orig, output, output_len);
>         debug_putstr("done.\nBooting the kernel.\n");
>         return output;
>  }
> --
> 1.8.5.3
>



-- 
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ