lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190621105449.fp7h7tsmpitvplyr@box>
Date:   Fri, 21 Jun 2019 13:54:49 +0300
From:   "Kirill A. Shutemov" <kirill@...temov.name>
To:     Baoquan He <bhe@...hat.com>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        "H. Peter Anvin" <hpa@...or.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Andy Lutomirski <luto@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>, x86@...nel.org,
        linux-kernel@...r.kernel.org,
        "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        Kyle Pelton <kyle.d.pelton@...el.com>
Subject: Re: [PATCH] x86/mm: Handle physical-virtual alignment mismatch in
 phys_p4d_init()

On Fri, Jun 21, 2019 at 05:02:49PM +0800, Baoquan He wrote:
> Hi Kirill,
> 
> On 06/20/19 at 02:22pm, Kirill A. Shutemov wrote:
> > Kyle has reported that kernel crashes sometimes when it boots in
> > 5-level paging mode with KASLR enabled:
> 
> This is a great finding, thanks for the fix. I ever have modified codes
> to make them accommodate PMD level of randomization, this
> phys_p4d_init() part is included. Not sure why I missed it when later
> took PUD level randomization for 5-level.
> 
> https://github.com/baoquan-he/linux/commit/dc91f5292bf1f55666c9139b6621d830b5b38aa5
> 
> Have some concerns, please check.
> 
> > [    0.000000] WARNING: CPU: 0 PID: 0 at arch/x86/mm/init_64.c:87 phys_p4d_init+0x1d4/0x1ea
> ...... 
> > Kyle bisected the issue to commmit b569c1843498 ("x86/mm/KASLR: Reduce
> > randomization granularity for 5-level paging to 1GB")
> > 
> > The commit relaxes KASLR alignment requirements and it can lead to
> > mismatch bentween 'i' and 'p4d_index(vaddr)' inside the loop in
>            ^ between
> > phys_p4d_init(). The mismatch in its turn leads to clearing wrong p4d
> > entry and eventually to the oops.
> > 
> > The fix is to make phys_p4d_init() walk virtual address space, not
> > physical one.
> > 
> > Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
> > Reported-and-tested-by: Kyle Pelton <kyle.d.pelton@...el.com>
> > Fixes: b569c1843498 ("x86/mm/KASLR: Reduce randomization granularity for 5-level paging to 1GB")
> > Cc: Baoquan He <bhe@...hat.com>
> > ---
> >  arch/x86/mm/init_64.c | 39 ++++++++++++++++-----------------------
> >  1 file changed, 16 insertions(+), 23 deletions(-)
> > 
> > diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
> > index 693aaf28d5fe..4628ac9105a2 100644
> > --- a/arch/x86/mm/init_64.c
> > +++ b/arch/x86/mm/init_64.c
> > @@ -671,41 +671,34 @@ static unsigned long __meminit
> >  phys_p4d_init(p4d_t *p4d_page, unsigned long paddr, unsigned long paddr_end,
> >  	      unsigned long page_size_mask, bool init)
> >  {
> > -	unsigned long paddr_next, paddr_last = paddr_end;
> > -	unsigned long vaddr = (unsigned long)__va(paddr);
> > -	int i = p4d_index(vaddr);
> > +	unsigned long vaddr, vaddr_start, vaddr_end, vaddr_next, paddr_last;
> > +
> > +	paddr_last = paddr_end;
> > +	vaddr = (unsigned long)__va(paddr);
> > +	vaddr_end = (unsigned long)__va(paddr_end);
> > +	vaddr_start = vaddr;
> 
> Variable vaddr_start is not used in this patch, redundent?

Yep. I'll drop it in v2.

> >  	if (!pgtable_l5_enabled())
> >  
> >  		return phys_pud_init((pud_t *) p4d_page, paddr, paddr_end,
> >  				     page_size_mask, init);
> >  
> > -	for (; i < PTRS_PER_P4D; i++, paddr = paddr_next) {
> > -		p4d_t *p4d;
> > +	for (; vaddr < vaddr_end; vaddr = vaddr_next) {
> > +		p4d_t *p4d = p4d_page + p4d_index(vaddr);
> >  		pud_t *pud;
> >  
> > -		vaddr = (unsigned long)__va(paddr);
> > -		p4d = p4d_page + p4d_index(vaddr);
> > -		paddr_next = (paddr & P4D_MASK) + P4D_SIZE;
> > +		vaddr_next = (vaddr & P4D_MASK) + P4D_SIZE;
> >  
> 
> The code block as below is to zero p4d entries which are not coverred by
> the current memory range, and if haven't been mapped already. It's
> clearred away in this patch, could you also mention it in log, and tell
> why it doesn't matter now?
> 
> If it doesn't matter, should we clear away the simillar code in
> phys_pud_init/phys_pmd_init/phys_pte_init? Maybe a prep patch to do the
> clean up?

It only matters for the levels that contains page table entries that can
point to pages, not page tables. There's no p4d or pgd huge pages on x86.
Otherwise we only leak page tables without any benefit.

We might have this on all leveles under p?d_large() condition and don't
touch page tables at all.

BTW, it all becomes rather risky for this late in the release cycle. Maybe
we should revert the original patch and try again later with more
comprehansive solution?

-- 
 Kirill A. Shutemov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ