lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 16 May 2019 15:16:41 +0100
From:   Mark Rutland <mark.rutland@....com>
To:     Steven Price <steven.price@....com>
Cc:     Christoph Hellwig <hch@....de>, linux-kernel@...r.kernel.org,
        Mike Rapoport <rppt@...ux.ibm.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Will Deacon <will.deacon@....com>,
        Catalin Marinas <catalin.marinas@....com>
Subject: Re: Bad virt_to_phys since commit 54c7a8916a887f35

On Thu, May 16, 2019 at 03:05:31PM +0100, Steven Price wrote:
> On 16/05/2019 14:41, Mark Rutland wrote:
> > On Thu, May 16, 2019 at 02:38:20PM +0100, Mark Rutland wrote:
> >> Hi,
> >>
> >> Since commit:
> >>
> >>   54c7a8916a887f35 ("initramfs: free initrd memory if opening /initrd.image fails")
> > 
> > Ugh, I dropped a paragarph here.
> > 
> > Since that commit, I'm seeing a boot-time splat on arm64 when using
> > CONFIG_DEBUG_VIRTUAL. I'm running an arm64 syzkaller instance, and this
> > kills the VM, preventing further testing, which is unfortunate.
> > 
> > Mark.
> > 
> >> IIUC prior to that commit, we'd only attempt to free an intird if we had
> >> one, whereas now we do so unconditionally. AFAICT, in this case
> >> initrd_start has not been initialized (I'm not using an initrd or
> >> initramfs on my system), so we end up trying virt_to_phys() on a bogus
> >> VA in free_initrd_mem().
> >>
> >> Any ideas on the right way to fix this?
> 
> Your analysis looks right to me. In my review I'd managed to spot the
> change in behaviour when CONFIG_INITRAMFS_FORCE is set (the initrd is
> freed), but I'd overlooked what happens if initrd_start == 0 (the
> non-existent initrd is attempted to be freed).
> 
> I suspect the following is sufficient to fix the problem:
> 
> ----8<-----
> diff --git a/init/initramfs.c b/init/initramfs.c
> index 435a428c2af1..178130fd61c2 100644
> --- a/init/initramfs.c
> +++ b/init/initramfs.c
> @@ -669,7 +669,7 @@ static int __init populate_rootfs(void)
>  	 * If the initrd region is overlapped with crashkernel reserved region,
>  	 * free only memory that is not part of crashkernel region.
>  	 */
> -	if (!do_retain_initrd && !kexec_free_initrd())
> +	if (!do_retain_initrd && initrd_start && !kexec_free_initrd())
>  		free_initrd_mem(initrd_start, initrd_end);
>  	initrd_start = 0;
>  	initrd_end = 0;

That works for me. If you spin this as a real patch:

Tested-by: Mark Rutland <mark.rutland@....com>

As I mentioned, initrd_start has not been initialized at all, so I
suspect we should also update its declaration in init/do_mounts_initrd.c
such that it is guaranteed to be initialized to zero. We get away with
that today, but that won't necessarily hold with LTO and so on...

Thanks,
Mark.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ