lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1612140296-12546-1-git-send-email-giancarlo.ferrari89@gmail.com>
Date:   Mon,  1 Feb 2021 00:44:56 +0000
From:   Giancarlo Ferrari <giancarlo.ferrari89@...il.com>
To:     linux-arm-kernel@...ts.infradead.org, linux@...linux.org.uk
Cc:     linux-kernel@...r.kernel.org, akpm@...ux-foundation.org,
        rppt@...nel.org, penberg@...nel.org, geert@...ux-m68k.org,
        giancarlo.ferrari@...ia.com,
        Giancarlo Ferrari <giancarlo.ferrari89@...il.com>
Subject: [PATCH] ARM: kexec: Fix panic after TLB are invalidated

machine_kexec() need to set rw permission in text and rodata sections
to assign some variables (e.g. kexec_start_address). To do that at
the end (after flushing pdm in memory, etc.) it needs to invalidate
TLB [section] entries.

If during the TLB invalidation an interrupt occours, which might cause
a context switch, there is the risk to inject invalid TLBs, with ro
permissions.

When trying to assign .text labels, this lead to the following:

 Unable to handle kernel paging request at virtual address 80112f38
 pgd = fd7ef03e
 [80112f38] *pgd=0001141e(bad)
 Internal error: Oops: 80d [#1] PREEMPT SMP ARM
 ...

Signed-off-by: Giancarlo Ferrari <giancarlo.ferrari89@...il.com>
---
 arch/arm/kernel/machine_kexec.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/arm/kernel/machine_kexec.c b/arch/arm/kernel/machine_kexec.c
index 5d84ad3..23e8816 100644
--- a/arch/arm/kernel/machine_kexec.c
+++ b/arch/arm/kernel/machine_kexec.c
@@ -174,6 +174,13 @@ void machine_kexec(struct kimage *image)
 
 	reboot_code_buffer = page_address(image->control_code_page);
 
+	/*
+	 * If below part is not atomic TLB entries might be corrupted after TLB
+	 * invalidation, which leads to Data Abort in .text variable assignment
+	 */
+	raw_local_irq_disable();
+	local_fiq_disable();
+
 	/* Prepare parameters for reboot_code_buffer*/
 	set_kernel_text_rw();
 	kexec_start_address = image->start;
@@ -181,6 +188,9 @@ void machine_kexec(struct kimage *image)
 	kexec_mach_type = machine_arch_type;
 	kexec_boot_atags = image->arch.kernel_r2;
 
+	local_fiq_enable();
+	raw_local_irq_enable();
+
 	/* copy our kernel relocation code to the control code page */
 	reboot_entry = fncpy(reboot_code_buffer,
 			     &relocate_new_kernel,
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ