| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <de576537-d524-aa2e-adc0-3fa969e4ffe2@suse.com>
Date: Fri, 30 Nov 2018 13:19:40 +0100
From: Juergen Gross <jgross@...e.com>
To: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
Cc: tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, hpa@...or.com,
dave.hansen@...ux.intel.com, luto@...nel.org, peterz@...radead.org,
boris.ostrovsky@...cle.com, bhe@...hat.com, x86@...nel.org,
linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] x86/mm: Fix guard hole handling
On 30/11/2018 13:11, Kirill A. Shutemov wrote:
> On Fri, Nov 30, 2018 at 12:03:33PM +0000, Juergen Gross wrote:
>> On 30/11/2018 12:57, Kirill A. Shutemov wrote:
>>> There is a guard hole at the beginning of kernel address space, also
>>> used by hypervisors. It occupies 16 PGD entries.
>>>
>>> We do not state the reserved range directly, but calculate it relative
>>> to other entities: direct mapping and user space ranges.
>>>
>>> The calculation got broken by recent change in kernel memory layout: LDT
>>> remap range is now mapped before direct mapping and makes the calculation
>>> invalid.
>>>
>>> The breakage leads to crash on Xen dom0 boot[1].
>>>
>>> State the reserved range directly. It's part of kernel ABI (hypervisors
>>> expect it to be stable) and must not depend on changes in the rest of
>>> kernel memory layout.
>>>
>>> [1] https://lists.xenproject.org/archives/html/xen-devel/2018-11/msg03313.html
>>>
>>> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
>>> Reported-by: Hans van Kranenburg <Hans.van.Kranenburg@...dix.com>
>>> Fixes: d52888aa2753 ("x86/mm: Move LDT remap out of KASLR region on 5-level paging")
>>> ---
>>> arch/x86/include/asm/pgtable_64_types.h | 5 +++++
>>> arch/x86/mm/dump_pagetables.c | 8 ++++----
>>> arch/x86/xen/mmu_pv.c | 11 ++++++-----
>>> 3 files changed, 15 insertions(+), 9 deletions(-)
>>>
>>> diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h
>>> index 84bd9bdc1987..13aef22cee18 100644
>>> --- a/arch/x86/include/asm/pgtable_64_types.h
>>> +++ b/arch/x86/include/asm/pgtable_64_types.h
>>> @@ -111,6 +111,11 @@ extern unsigned int ptrs_per_p4d;
>>> */
>>> #define MAXMEM (1UL << MAX_PHYSMEM_BITS)
>>>
>>> +#define GUARD_HOLE_PGD_ENTRY -256UL
>>> +#define GUARD_HOLE_SIZE (16UL << PGDIR_SHIFT)
>>> +#define GUARD_HOLE_BASE_ADDR (LDT_PGD_ENTRY << PGDIR_SHIFT)
>>
>> s/LDT_PGD_ENTRY/GUARD_HOLE_PGD_ENTRY/
>
> Ughh..
>
>>>From 4308d560cc2874a9f596512bcb4c601b2450653d Mon Sep 17 00:00:00 2001
> From: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
> Date: Fri, 30 Nov 2018 14:29:42 +0300
> Subject: [PATCH 1/2] x86/mm: Fix guard hole handling
>
> There is a guard hole at the beginning of kernel address space, also
> used by hypervisors. It occupies 16 PGD entries.
>
> We do not state the reserved range directly, but calculate it relative
> to other entities: direct mapping and user space ranges.
>
> The calculation got broken by recent change in kernel memory layout: LDT
> remap range is now mapped before direct mapping and makes the calculation
> invalid.
>
> The breakage leads to crash on Xen dom0 boot[1].
>
> State the reserved range directly. It's part of kernel ABI (hypervisors
> expect it to be stable) and must not depend on changes in the rest of
> kernel memory layout.
>
> [1] https://lists.xenproject.org/archives/html/xen-devel/2018-11/msg03313.html
>
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
> Reported-by: Hans van Kranenburg <Hans.van.Kranenburg@...dix.com>
> Fixes: d52888aa2753 ("x86/mm: Move LDT remap out of KASLR region on 5-level paging")
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
Reviewed-by: Juergen Gross <jgross@...e.com>
Juergen
Powered by blists - more mailing lists