lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <58CF3914.5030005@redhat.com>
Date:   Mon, 20 Mar 2017 10:06:12 +0800
From:   Xunlei Pang <xpang@...hat.com>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>,
        Xunlei Pang <xlpang@...hat.com>
Cc:     Dave Young <dyoung@...hat.com>, akpm@...ux-foundation.org,
        kexec@...ts.infradead.org, linux-kernel@...r.kernel.org,
        Baoquan He <bhe@...hat.com>
Subject: Re: [PATCH v2] kexec: Introduce vmcoreinfo signature verification

On 03/18/2017 at 01:22 AM, Eric W. Biederman wrote:
> Xunlei Pang <xlpang@...hat.com> writes:
>
>> Currently vmcoreinfo data is updated at boot time subsys_initcall(),
>> it has the risk of being modified by some wrong code during system
>> is running.
>>
>> As a result, vmcore dumped may contain the wrong vmcoreinfo. Later on,
>> when using "crash" or "makedumpfile"(etc) utility to parse this vmcore,
>> we probably will get "Segmentation fault" or other unexpected/confusing
>> errors.
> If this is a real concern and the previous discussion sounds like it is
> part of what we need to do is move the variable vmcoreinfo_note out
> of the kernel's .bss section.  And modify the code to regenerate
> and keep this information in something like the control page.
>
> Definitely something like this needs a page all to itself, and ideally
> far away from any other kernel data structures.  I clearly was not
> watching closely the data someone decided to keep this silly thing
> in the kernel's .bss section.
>
>> As vmcoreinfo is the most fundamental information for vmcore, we better
>> double check its correctness. Here we generate a signature(using crc32)
>> after it is saved, then verify it in crash_save_vmcoreinfo() to see if
>> the signature was broken, if so we have to re-save the vmcoreinfo data
>> to get the correct vmcoreinfo for kdump as possible as we can.
> Sigh.  We already have a sha256 that is supposed to cover this sort of
> thing.  The bug rather is that apparently it isn't covering this data.
> That sounds like what we should be fixing.
>
> Please let's not invent new mechanisms we have to maintain.  Let's
> reorganize this so this static data is protected like all other static
> data in the kexec-on-panic path.  We have good mechanims and good
> strategies for avoiding and detecting corruption we just need to use
> them.
>
> Eric
>

Yes, this idea looks way better, I will follow your suggestions, thanks!

Regards,
Xunlei

>
>> Signed-off-by: Xunlei Pang <xlpang@...hat.com>
>> ---
>> v1->v2:
>> - Keep crash_save_vmcoreinfo_init() because "makedumpfile --mem-usage"
>>   uses the information.
>> - Add crc32 verification for vmcoreinfo, re-save when failure.
>>
>>  arch/Kconfig        |  1 +
>>  kernel/kexec_core.c | 43 +++++++++++++++++++++++++++++++++++--------
>>  2 files changed, 36 insertions(+), 8 deletions(-)
>>
>> diff --git a/arch/Kconfig b/arch/Kconfig
>> index c4d6833..66eb296 100644
>> --- a/arch/Kconfig
>> +++ b/arch/Kconfig
>> @@ -4,6 +4,7 @@
>>  
>>  config KEXEC_CORE
>>  	bool
>> +	select CRC32
>>  
>>  config HAVE_IMA_KEXEC
>>  	bool
>> diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
>> index bfe62d5..012acbe 100644
>> --- a/kernel/kexec_core.c
>> +++ b/kernel/kexec_core.c
>> @@ -38,6 +38,7 @@
>>  #include <linux/syscore_ops.h>
>>  #include <linux/compiler.h>
>>  #include <linux/hugetlb.h>
>> +#include <linux/crc32.h>
>>  
>>  #include <asm/page.h>
>>  #include <asm/sections.h>
>> @@ -53,9 +54,10 @@
>>  
>>  /* vmcoreinfo stuff */
>>  static unsigned char vmcoreinfo_data[VMCOREINFO_BYTES];
>> -u32 vmcoreinfo_note[VMCOREINFO_NOTE_SIZE/4];
>> +static u32 vmcoreinfo_sig;
>>  size_t vmcoreinfo_size;
>>  size_t vmcoreinfo_max_size = sizeof(vmcoreinfo_data);
>> +u32 vmcoreinfo_note[VMCOREINFO_NOTE_SIZE/4];
>>  
>>  /* Flag to indicate we are going to kexec a new kernel */
>>  bool kexec_in_progress = false;
>> @@ -1367,12 +1369,6 @@ static void update_vmcoreinfo_note(void)
>>  	final_note(buf);
>>  }
>>  
>> -void crash_save_vmcoreinfo(void)
>> -{
>> -	vmcoreinfo_append_str("CRASHTIME=%ld\n", get_seconds());
>> -	update_vmcoreinfo_note();
>> -}
>> -
>>  void vmcoreinfo_append_str(const char *fmt, ...)
>>  {
>>  	va_list args;
>> @@ -1402,7 +1398,7 @@ phys_addr_t __weak paddr_vmcoreinfo_note(void)
>>  	return __pa_symbol((unsigned long)(char *)&vmcoreinfo_note);
>>  }
>>  
>> -static int __init crash_save_vmcoreinfo_init(void)
>> +static void do_crash_save_vmcoreinfo_init(void)
>>  {
>>  	VMCOREINFO_OSRELEASE(init_uts_ns.name.release);
>>  	VMCOREINFO_PAGESIZE(PAGE_SIZE);
>> @@ -1474,6 +1470,37 @@ static int __init crash_save_vmcoreinfo_init(void)
>>  #endif
>>  
>>  	arch_crash_save_vmcoreinfo();
>> +}
>> +
>> +static u32 crash_calc_vmcoreinfo_sig(void)
>> +{
>> +	return crc32(~0, vmcoreinfo_data, vmcoreinfo_size);
>> +}
>> +
>> +static bool crash_verify_vmcoreinfo(void)
>> +{
>> +	if (crash_calc_vmcoreinfo_sig() == vmcoreinfo_sig)
>> +		return true;
>> +
>> +	return false;
>> +}
>> +
>> +void crash_save_vmcoreinfo(void)
>> +{
>> +	/* Re-save if verification fails */
>> +	if (!crash_verify_vmcoreinfo()) {
>> +		vmcoreinfo_size = 0;
>> +		do_crash_save_vmcoreinfo_init();
>> +	}
>> +
>> +	vmcoreinfo_append_str("CRASHTIME=%ld\n", get_seconds());
>> +	update_vmcoreinfo_note();
>> +}
>> +
>> +static int __init crash_save_vmcoreinfo_init(void)
>> +{
>> +	do_crash_save_vmcoreinfo_init();
>> +	vmcoreinfo_sig = crash_calc_vmcoreinfo_sig();
>>  	update_vmcoreinfo_note();
>>  
>>  	return 0;
> _______________________________________________
> kexec mailing list
> kexec@...ts.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ