lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170426070936.GB5381@dhcp-128-65.nay.redhat.com>
Date:   Wed, 26 Apr 2017 15:09:36 +0800
From:   Dave Young <dyoung@...hat.com>
To:     Xunlei Pang <xlpang@...hat.com>
Cc:     linux-kernel@...r.kernel.org, kexec@...ts.infradead.org,
        Baoquan He <bhe@...hat.com>, Petr Tesarik <ptesarik@...e.cz>,
        Eric Biederman <ebiederm@...ssion.com>,
        Hari Bathini <hbathini@...ux.vnet.ibm.com>,
        akpm@...ux-foundation.org,
        Michael Holzheu <holzheu@...ux.vnet.ibm.com>
Subject: Re: [PATCH v4 3/3] kdump: Protect vmcoreinfo data under the crash
 memory

On 04/20/17 at 07:39pm, Xunlei Pang wrote:
> Currently vmcoreinfo data is updated at boot time subsys_initcall(),
> it has the risk of being modified by some wrong code during system
> is running.
> 
> As a result, vmcore dumped may contain the wrong vmcoreinfo. Later on,
> when using "crash", "makedumpfile", etc utility to parse this vmcore,
> we probably will get "Segmentation fault" or other unexpected errors.
> 
> E.g. 1) wrong code overwrites vmcoreinfo_data; 2) further crashes the
> system; 3) trigger kdump, then we obviously will fail to recognize the
> crash context correctly due to the corrupted vmcoreinfo.
> 
> Now except for vmcoreinfo, all the crash data is well protected(including
> the cpu note which is fully updated in the crash path, thus its correctness
> is guaranteed). Given that vmcoreinfo data is a large chunk prepared for
> kdump, we better protect it as well.
> 
> To solve this, we relocate and copy vmcoreinfo_data to the crash memory
> when kdump is loading via kexec syscalls. Because the whole crash memory
> will be protected by existing arch_kexec_protect_crashkres() mechanism,
> we naturally protect vmcoreinfo_data from write(even read) access under
> kernel direct mapping after kdump is loaded.
> 
> Since kdump is usually loaded at the very early stage after boot, we can
> trust the correctness of the vmcoreinfo data copied.
> 
> On the other hand, we still need to operate the vmcoreinfo safe copy when
> crash happens to generate vmcoreinfo_note again, we rely on vmap() to map
> out a new kernel virtual address and update to use this new one instead in
> the following crash_save_vmcoreinfo().
> 
> BTW, we do not touch vmcoreinfo_note, because it will be fully updated
> using the protected vmcoreinfo_data after crash which is surely correct
> just like the cpu crash note.
> 
> Cc: Michael Holzheu <holzheu@...ux.vnet.ibm.com>
> Signed-off-by: Xunlei Pang <xlpang@...hat.com>
> ---
> v3->v4:
> -Rebased on the latest linux-next
> -Copy vmcoreinfo after machine_kexec_prepare()
> 
>  include/linux/crash_core.h |  2 +-
>  include/linux/kexec.h      |  2 ++
>  kernel/crash_core.c        | 17 ++++++++++++++++-
>  kernel/kexec.c             |  8 ++++++++
>  kernel/kexec_core.c        | 39 +++++++++++++++++++++++++++++++++++++++
>  kernel/kexec_file.c        |  8 ++++++++
>  6 files changed, 74 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/crash_core.h b/include/linux/crash_core.h
> index 7d6bc7b..5469adb 100644
> --- a/include/linux/crash_core.h
> +++ b/include/linux/crash_core.h
> @@ -23,6 +23,7 @@
>  
>  typedef u32 note_buf_t[CRASH_CORE_NOTE_BYTES/4];
>  
> +void crash_update_vmcoreinfo_safecopy(void *ptr);
>  void crash_save_vmcoreinfo(void);
>  void arch_crash_save_vmcoreinfo(void);
>  __printf(1, 2)
> @@ -54,7 +55,6 @@
>  	vmcoreinfo_append_str("PHYS_BASE=%lx\n", (unsigned long)value)
>  
>  extern u32 *vmcoreinfo_note;
> -extern size_t vmcoreinfo_size;
>  
>  Elf_Word *append_elf_note(Elf_Word *buf, char *name, unsigned int type,
>  			  void *data, size_t data_len);
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index c9481eb..3ea8275 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -181,6 +181,7 @@ struct kimage {
>  	unsigned long start;
>  	struct page *control_code_page;
>  	struct page *swap_page;
> +	void *vmcoreinfo_data_copy; /* locates in the crash memory */
>  
>  	unsigned long nr_segments;
>  	struct kexec_segment segment[KEXEC_SEGMENT_MAX];
> @@ -250,6 +251,7 @@ extern void *kexec_purgatory_get_symbol_addr(struct kimage *image,
>  int kexec_should_crash(struct task_struct *);
>  int kexec_crash_loaded(void);
>  void crash_save_cpu(struct pt_regs *regs, int cpu);
> +extern int kimage_crash_copy_vmcoreinfo(struct kimage *image);
>  
>  extern struct kimage *kexec_image;
>  extern struct kimage *kexec_crash_image;
> diff --git a/kernel/crash_core.c b/kernel/crash_core.c
> index 43cdb00..a29e9ad 100644
> --- a/kernel/crash_core.c
> +++ b/kernel/crash_core.c
> @@ -15,9 +15,12 @@
>  
>  /* vmcoreinfo stuff */
>  static unsigned char *vmcoreinfo_data;
> -size_t vmcoreinfo_size;
> +static size_t vmcoreinfo_size;
>  u32 *vmcoreinfo_note;
>  
> +/* trusted vmcoreinfo, e.g. we can make a copy in the crash memory */

May make it clearer like:
/* Trusted vmcoreinfo copy in the kdump reserved memory */

> +static unsigned char *vmcoreinfo_data_safecopy;
> +
>  /*
>   * parsing the "crashkernel" commandline
>   *
> @@ -323,11 +326,23 @@ static void update_vmcoreinfo_note(void)
>  	final_note(buf);
>  }
>  
> +void crash_update_vmcoreinfo_safecopy(void *ptr)
> +{
> +	if (ptr)
> +		memcpy(ptr, vmcoreinfo_data, vmcoreinfo_size);
> +
> +	vmcoreinfo_data_safecopy = ptr;
> +}
> +
>  void crash_save_vmcoreinfo(void)
>  {
>  	if (!vmcoreinfo_note)
>  		return;
>  
> +	/* Use the safe copy to generate vmcoreinfo note if have */
> +	if (vmcoreinfo_data_safecopy)
> +		vmcoreinfo_data = vmcoreinfo_data_safecopy;
> +
>  	vmcoreinfo_append_str("CRASHTIME=%ld\n", get_seconds());
>  	update_vmcoreinfo_note();
>  }
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index 980936a..e62ec4d 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -144,6 +144,14 @@ static int do_kexec_load(unsigned long entry, unsigned long nr_segments,
>  	if (ret)
>  		goto out;
>  
> +	/*
> +	 * Some architecture(like S390) may touch the crash memory before
> +	 * machine_kexec_prepare(), we must copy vmcoreinfo data after it.
> +	 */
> +	ret = kimage_crash_copy_vmcoreinfo(image);
> +	if (ret)
> +		goto out;
> +
>  	for (i = 0; i < nr_segments; i++) {
>  		ret = kimage_load_segment(image, &image->segment[i]);
>  		if (ret)
> diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
> index ae1a3ba..bac1b4f 100644
> --- a/kernel/kexec_core.c
> +++ b/kernel/kexec_core.c
> @@ -481,6 +481,40 @@ struct page *kimage_alloc_control_pages(struct kimage *image,
>  	return pages;
>  }
>  
> +int kimage_crash_copy_vmcoreinfo(struct kimage *image)
> +{
> +	struct page *vmcoreinfo_page;
> +	void *safecopy;
> +
> +	if (image->type != KEXEC_TYPE_CRASH)
> +		return 0;
> +
> +	/*
> +	 * For kdump, allocate one vmcoreinfo safe copy from the
> +	 * crash memory. as we have arch_kexec_protect_crashkres()
> +	 * after kexec syscall, we naturally protect it from write
> +	 * (even read) access under kernel direct mapping. But on
> +	 * the other hand, we still need to operate it when crash
> +	 * happens to generate vmcoreinfo note, hereby we rely on
> +	 * vmap for this purpose.
> +	 */
> +	vmcoreinfo_page = kimage_alloc_control_pages(image, 0);
> +	if (!vmcoreinfo_page) {
> +		pr_warn("Could not allocate vmcoreinfo buffer\n");
> +		return -ENOMEM;
> +	}
> +	safecopy = vmap(&vmcoreinfo_page, 1, VM_MAP, PAGE_KERNEL);
> +	if (!safecopy) {
> +		pr_warn("Could not vmap vmcoreinfo buffer\n");
> +		return -ENOMEM;
> +	}
> +
> +	image->vmcoreinfo_data_copy = safecopy;
> +	crash_update_vmcoreinfo_safecopy(safecopy);
> +
> +	return 0;
> +}
> +
>  static int kimage_add_entry(struct kimage *image, kimage_entry_t entry)
>  {
>  	if (*image->entry != 0)
> @@ -598,6 +632,11 @@ void kimage_free(struct kimage *image)
>  	if (image->file_mode)
>  		kimage_file_post_load_cleanup(image);
>  
> +	if (image->vmcoreinfo_data_copy) {
> +		crash_update_vmcoreinfo_safecopy(NULL);
> +		vunmap(image->vmcoreinfo_data_copy);
> +	}
> +

Should move above chunk before the freeing of the actual page?

>  	kfree(image);
>  }
>  
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index b118735..f78f719 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -304,6 +304,14 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>  	if (ret)
>  		goto out;
>  
> +	/*
> +	 * Some architecture(like S390) may touch the crash memory before
> +	 * machine_kexec_prepare(), we must copy vmcoreinfo data after it.
> +	 */
> +	ret = kimage_crash_copy_vmcoreinfo(image);
> +	if (ret)
> +		goto out;
> +
>  	ret = kexec_calculate_store_digests(image);
>  	if (ret)
>  		goto out;
> -- 
> 1.8.3.1
> 
> 
> _______________________________________________
> kexec mailing list
> kexec@...ts.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec

Thanks
Dave

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ