| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Oct 2019 01:38:56 +0000
From: "d.hatayama@...itsu.com" <d.hatayama@...itsu.com>
To: 'lijiang' <lijiang@...hat.com>, Simon Horman <horms@...ge.net.au>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"jgross@...e.com" <jgross@...e.com>,
"Thomas.Lendacky@....com" <Thomas.Lendacky@....com>,
"bhe@...hat.com" <bhe@...hat.com>,
"x86@...nel.org" <x86@...nel.org>,
"kexec@...ts.infradead.org" <kexec@...ts.infradead.org>,
"dhowells@...hat.com" <dhowells@...hat.com>,
"mingo@...hat.com" <mingo@...hat.com>,
"bp@...en8.de" <bp@...en8.de>,
"ebiederm@...ssion.com" <ebiederm@...ssion.com>,
"hpa@...or.com" <hpa@...or.com>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"dyoung@...hat.com" <dyoung@...hat.com>,
"vgoyal@...hat.com" <vgoyal@...hat.com>
Subject: RE: [PATCH 1/2 v5] x86/kdump: always reserve the low 1MiB when the
crashkernel option is specified
> -----Original Message-----
> From: lijiang [mailto:lijiang@...hat.com]
> Sent: Friday, October 25, 2019 10:31 AM
> To: Simon Horman <horms@...ge.net.au>; Hatayama, Daisuke/畑山 大輔
> <d.hatayama@...itsu.com>
> Cc: linux-kernel@...r.kernel.org; jgross@...e.com; Thomas.Lendacky@....com;
> bhe@...hat.com; x86@...nel.org; kexec@...ts.infradead.org;
> dhowells@...hat.com; mingo@...hat.com; bp@...en8.de; ebiederm@...ssion.com;
> hpa@...or.com; tglx@...utronix.de; dyoung@...hat.com; vgoyal@...hat.com
> Subject: Re: [PATCH 1/2 v5] x86/kdump: always reserve the low 1MiB when the
> crashkernel option is specified
>
> 在 2019年10月24日 19:33, lijiang 写道:
> > 在 2019年10月24日 18:07, Simon Horman 写道:
> >> Hi Linbo,
> >>
> >> thanks for your patch.
> >>
> >> On Wed, Oct 23, 2019 at 10:19:11PM +0800, Lianbo Jiang wrote:
> >>> Kdump kernel will reuse the first 640k region because the real mode
> >>> trampoline has to work in this area. When the vmcore is dumped, the
> >>> old memory in this area may be accessed, therefore, kernel has to
> >>> copy the contents of the first 640k area to a backup region so that
> >>> kdump kernel can read the old memory from the backup area of the
> >>> first 640k area, which is done in the purgatory().
> >>>
> >>> But, the current handling of copying the first 640k area runs into
> >>> problems when SME is enabled, kernel does not properly copy these
> >>> old memory to the backup area in the purgatory(), thereby, kdump
> >>> kernel reads out the encrypted contents, because the kdump kernel
> >>> must access the first kernel's memory with the encryption bit set
> >>> when SME is enabled in the first kernel. Please refer to this link:
> >>>
> >>> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204793
> >>>
> >>> Finally, it causes the following errors, and the crash tool gets
> >>> invalid pointers when parsing the vmcore.
> >>>
> >>> crash> kmem -s|grep -i invalid
> >>> kmem: dma-kmalloc-512: slab:ffffd77680001c00 invalid
> freepointer:a6086ac099f0c5a4
> >>> kmem: dma-kmalloc-512: slab:ffffd77680001c00 invalid
> freepointer:a6086ac099f0c5a4
> >>> crash>
> >>>
> >>> To avoid the above errors, when the crashkernel option is specified,
> >>> lets reserve the remaining low 1MiB memory(after reserving real mode
> >>> memory) so that the allocated memory does not fall into the low 1MiB
> >>> area, which makes us not to copy the first 640k content to a backup
> >>> region in purgatory(). This indicates that it does not need to be
> >>> included in crash dumps or used for anything except the processor
> >>> trampolines that must live in the low 1MiB.
> >>>
> >>> Signed-off-by: Lianbo Jiang <lijiang@...hat.com>
> >>> ---
> >>> BTW:I also tried to fix the above problem in purgatory(), but there
> >>> are too many restricts in purgatory() context, for example: i can't
> >>> allocate new memory to create the identity mapping page table for
> >>> SME situation.
> >>>
> >>> Currently, there are two places where the first 640k area is needed,
> >>> the first one is in the find_trampoline_placement(), another one is
> >>> in the reserve_real_mode(), and their content doesn't matter.
> >>>
> >>> In addition, also need to clean all the code related to the backup
> >>> region later.
> >>>
> >>> arch/x86/realmode/init.c | 2 ++
> >>> include/linux/kexec.h | 2 ++
> >>> kernel/kexec_core.c | 13 +++++++++++++
> >>> 3 files changed, 17 insertions(+)
> >>>
> >>> diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
> >>> index 7dce39c8c034..064cc79a015d 100644
> >>> --- a/arch/x86/realmode/init.c
> >>> +++ b/arch/x86/realmode/init.c
> >>> @@ -3,6 +3,7 @@
> >>> #include <linux/slab.h>
> >>> #include <linux/memblock.h>
> >>> #include <linux/mem_encrypt.h>
> >>> +#include <linux/kexec.h>
> >>>
> >>> #include <asm/set_memory.h>
> >>> #include <asm/pgtable.h>
> >>> @@ -34,6 +35,7 @@ void __init reserve_real_mode(void)
> >>>
> >>> memblock_reserve(mem, size);
> >>> set_real_mode_mem(mem);
> >>> + kexec_reserve_low_1MiB();
> >>> }
> >>>
> >>> static void __init setup_real_mode(void)
> >>> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> >>> index 1776eb2e43a4..30acf1d738bc 100644
> >>> --- a/include/linux/kexec.h
> >>> +++ b/include/linux/kexec.h
> >>> @@ -306,6 +306,7 @@ extern void __crash_kexec(struct pt_regs *);
> >>> extern void crash_kexec(struct pt_regs *);
> >>> int kexec_should_crash(struct task_struct *);
> >>> int kexec_crash_loaded(void);
> >>> +void __init kexec_reserve_low_1MiB(void);
> >>> void crash_save_cpu(struct pt_regs *regs, int cpu);
> >>> extern int kimage_crash_copy_vmcoreinfo(struct kimage *image);
> >>>
> >>> @@ -397,6 +398,7 @@ static inline void __crash_kexec(struct pt_regs *regs)
> { }
> >>> static inline void crash_kexec(struct pt_regs *regs) { }
> >>> static inline int kexec_should_crash(struct task_struct *p) { return 0; }
> >>> static inline int kexec_crash_loaded(void) { return 0; }
> >>> +static inline void __init kexec_reserve_low_1MiB(void) { }
> >>> #define kexec_in_progress false
> >>> #endif /* CONFIG_KEXEC_CORE */
> >>>
> >>> diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
> >>> index 15d70a90b50d..5bd89f1fee42 100644
> >>> --- a/kernel/kexec_core.c
> >>> +++ b/kernel/kexec_core.c
> >>> @@ -37,6 +37,7 @@
> >>> #include <linux/compiler.h>
> >>> #include <linux/hugetlb.h>
> >>> #include <linux/frame.h>
> >>> +#include <linux/memblock.h>
> >>>
> >>> #include <asm/page.h>
> >>> #include <asm/sections.h>
> >>> @@ -70,6 +71,18 @@ struct resource crashk_low_res = {
> >>> .desc = IORES_DESC_CRASH_KERNEL
> >>> };
> >>>
> >>> +/*
> >>> + * When the crashkernel option is specified, only use the low
> >>> + * 1MiB for the real mode trampoline.
> >>> + */
> >>> +void __init kexec_reserve_low_1MiB(void)
> >>> +{
> >>> + if (strstr(boot_command_line, "crashkernel=")) {
> >>
> >> Could you comment on the issue of using strstr which
> >> was raised by Hatayama-san in response to an earlier revision
> >> of this patch?
> >>
> >
> > Thank you, Simon and Hatayama-san. Lets talk about it here.
> >
> >> strstr() matches for example,
> ANYEXTRACHARACTERScrashkernel=ANYEXTRACHARACTERS.
> >>
> >> Is it enough to use cmdline_find_option_bool()?
> >>
> >
> > The cmdline_find_option_bool() will find a boolean option, but the
> crashkernel option
> > is not a boolean option, maybe it looks odd. So, should we use the
> cmdline_find_option()
> > better?
> >
> > +#include <asm/cmdline.h>
> >
> > void __init kexec_reserve_low_1MiB(void)
> > {
> > - if (strstr(boot_command_line, "crashkernel=")) {
> > + char buffer[4];
> > +
> > + if (cmdline_find_option(boot_command_line, "crashkernel=",
> > + buffer, sizeof(buffer))) {
> Maybe it is simpler as follow:
>
> + if (cmdline_find_option(boot_command_line, "crashkernel=",
> + NULL, 0)) {
>
> Any thoughts?
I wrote a test kernel module and it works as expected.
static int __init testmod_init(void)
{
char cmdline1[] = "x y crashkernel z";
char cmdline2[] = "x y crashkernel=128M z";
printk("\"1: %d\n",
cmdline_find_option_bool(cmdline1, "crashkernel"));
printk("\"2: %d\n",
cmdline_find_option_bool(cmdline1, "crashkernel="));
printk("\"3: %d\n",
cmdline_find_option_bool(cmdline2, "crashkernel"));
printk("\"4: %d\n",
cmdline_find_option_bool(cmdline2, "crashkernel="));
printk("\"5: %d\n",
cmdline_find_option(cmdline1, "crashkernel", NULL, 0));
printk("\"6: %d\n",
cmdline_find_option(cmdline1, "crashkernel=", NULL, 0));
printk("\"7: %d\n",
cmdline_find_option(cmdline2, "crashkernel", NULL, 0));
printk("\"8: %d\n",
cmdline_find_option(cmdline2, "crashkernel=", NULL, 0));
return 0;
}
# dmesg | tail
[85335.355459] "7: 4
[85335.356923] "8: -1
[85349.763849] "1: 5
[85349.765128] "2: 0
[85349.766159] "3: 0
[85349.767145] "4: 0
[85349.768157] "5: -1
[85349.769259] "6: -1
[85349.770423] "7: 4
[85349.771512] "8: -1
>
> Thanks
> Lianbo
> > memblock_reserve(0, 1<<20);
> > pr_info("Reserving the low 1MiB of memory for
> crashkernel\n");
> > }
> >
> > And here, no need to parse the arguments of crashkernel(sometimes, which has
> a
> > complicated syntax), so the size of buffer should be enough. What's your
> opinion?
> >
> > Thanks
> > Lianbo
> >
> >> Thanks in advance!
> >>
> >>> + memblock_reserve(0, 1<<20);
> >>> + pr_info("Reserving the low 1MiB of memory for
> crashkernel\n");
> >>> + }
> >>> +}
> >>> +
> >>> int kexec_should_crash(struct task_struct *p)
> >>> {
> >>> /*
> >>> --
> >>> 2.17.1
> >>>
> >>>
> >>> _______________________________________________
> >>> kexec mailing list
> >>> kexec@...ts.infradead.org
> >>> http://lists.infradead.org/mailman/listinfo/kexec
> >>>
View attachment "testmod.c" of type "text/plain" (5863 bytes)
Download attachment "Makefile" of type "application/octet-stream" (272 bytes)
Powered by blists - more mailing lists