lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160615190545.GA26071@www.outflux.net>
Date:	Wed, 15 Jun 2016 12:05:45 -0700
From:	Kees Cook <keescook@...omium.org>
To:	Ingo Molnar <mingo@...hat.com>
Cc:	linux-kernel@...r.kernel.org, Thomas Garnier <thgarnie@...gle.com>,
	x86@...nel.org, Borislav Petkov <bp@...e.de>,
	Matt Fleming <matt@...eblueprint.co.uk>,
	Toshi Kani <toshi.kani@....com>,
	Sai Praneeth <sai.praneeth.prakhya@...el.com>,
	Dexuan Cui <decui@...rosoft.com>,
	Christian Borntraeger <borntraeger@...ibm.com>,
	Chris Wilson <chris@...is-wilson.co.uk>
Subject: [PATCH] x86/mm: Do not reference phys addr beyond kernel

From: Thomas Garnier <thgarnie@...gle.com>

The new physical address randomized KASLR implementation can cause the
kernel to be aligned close to the end of physical memory. In this case,
_brk_end aligned to PMD will go beyond what is expected safe and hit
the assert in __phys_addr_symbol():

	VIRTUAL_BUG_ON(y >= KERNEL_IMAGE_SIZE);

Instead, perform an inclusive range check to avoid incorrectly triggering
the assert:

	kernel BUG at arch/x86/mm/physaddr.c:38!
	invalid opcode: 0000 [#1] SMP
	...
	RIP: 0010:[<ffffffffbe055721>] __phys_addr_symbol+0x41/0x50
	...
	Call Trace:
	[<ffffffffbe052eb9>] cpa_process_alias+0xa9/0x210
	[<ffffffffbe109011>] ? do_raw_spin_unlock+0xc1/0x100
	[<ffffffffbe051eef>] __change_page_attr_set_clr+0x8cf/0xbd0
	[<ffffffffbe201a4d>] ? vm_unmap_aliases+0x7d/0x210
	[<ffffffffbe05237c>] change_page_attr_set_clr+0x18c/0x4e0
	[<ffffffffbe0534ec>] set_memory_4k+0x2c/0x40
	[<ffffffffbefb08b3>] check_bugs+0x28/0x2a
	[<ffffffffbefa4f52>] start_kernel+0x49d/0x4b9
	[<ffffffffbefa4120>] ? early_idt_handler_array+0x120/0x120
	[<ffffffffbefa4423>] x86_64_start_reservations+0x29/0x2b
	[<ffffffffbefa4568>] x86_64_start_kernel+0x143/0x152

Signed-off-by: Thomas Garnier <thgarnie@...gle.com>
Signed-off-by: Kees Cook <keescook@...omium.org>
---
Needed before the KASLR improvement series can be finished.
---
 arch/x86/mm/pageattr.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
index 7a1f7bbf4105..379b5111ac6b 100644
--- a/arch/x86/mm/pageattr.c
+++ b/arch/x86/mm/pageattr.c
@@ -101,7 +101,8 @@ static inline unsigned long highmap_start_pfn(void)
 
 static inline unsigned long highmap_end_pfn(void)
 {
-	return __pa_symbol(roundup(_brk_end, PMD_SIZE)) >> PAGE_SHIFT;
+	/* Do not reference physical address outside the kernel. */
+	return __pa_symbol(roundup(_brk_end, PMD_SIZE) - 1) >> PAGE_SHIFT;
 }
 
 #endif
@@ -112,6 +113,12 @@ within(unsigned long addr, unsigned long start, unsigned long end)
 	return addr >= start && addr < end;
 }
 
+static inline int
+within_inclusive(unsigned long addr, unsigned long start, unsigned long end)
+{
+	return addr >= start && addr <= end;
+}
+
 /*
  * Flushing functions
  */
@@ -1316,7 +1323,8 @@ static int cpa_process_alias(struct cpa_data *cpa)
 	 * to touch the high mapped kernel as well:
 	 */
 	if (!within(vaddr, (unsigned long)_text, _brk_end) &&
-	    within(cpa->pfn, highmap_start_pfn(), highmap_end_pfn())) {
+	    within_inclusive(cpa->pfn, highmap_start_pfn(),
+			     highmap_end_pfn())) {
 		unsigned long temp_cpa_vaddr = (cpa->pfn << PAGE_SHIFT) +
 					       __START_KERNEL_map - phys_base;
 		alias_cpa = *cpa;
-- 
2.7.4


-- 
Kees Cook
Chrome OS & Brillo Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ