| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Jul 2021 19:00:51 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: Sergei Trofimovich <slyfox@...too.org>
Cc: linux-mm@...ck.org, linux-kernel@...r.kernel.org,
Kees Cook <keescook@...omium.org>,
Alexander Potapenko <glider@...gle.com>,
Thomas Gleixner <tglx@...utronix.de>,
Vlastimil Babka <vbabka@...e.cz>, bowsingbetee@...me
Subject: Re: [PATCH] mm: page_alloc: fix page_poison=1 /
INIT_ON_ALLOC_DEFAULT_ON interaction
On Mon, 12 Jul 2021 22:58:16 +0100 Sergei Trofimovich <slyfox@...too.org> wrote:
> To reproduce the failure we need the following system:
> - kernel command: page_poison=1 init_on_free=0 init_on_alloc=0
> - kernel config:
> * CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
> * CONFIG_INIT_ON_FREE_DEFAULT_ON=y
> * CONFIG_PAGE_POISONING=y
>
> 0000000085629bdd: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0000000022861832: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00000000c597f5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> CPU: 11 PID: 15195 Comm: bash Kdump: loaded Tainted: G U O 5.13.1-gentoo-x86_64 #1
> Hardware name: System manufacturer System Product Name/PRIME Z370-A, BIOS 2801 01/13/2021
> Call Trace:
> dump_stack+0x64/0x7c
> __kernel_unpoison_pages.cold+0x48/0x84
> post_alloc_hook+0x60/0xa0
> get_page_from_freelist+0xdb8/0x1000
> __alloc_pages+0x163/0x2b0
> __get_free_pages+0xc/0x30
> pgd_alloc+0x2e/0x1a0
> ? dup_mm+0x37/0x4f0
> mm_init+0x185/0x270
> dup_mm+0x6b/0x4f0
> ? __lock_task_sighand+0x35/0x70
> copy_process+0x190d/0x1b10
> kernel_clone+0xba/0x3b0
> __do_sys_clone+0x8f/0xb0
> do_syscall_64+0x68/0x80
> ? do_syscall_64+0x11/0x80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Before the 51cba1eb ("init_on_alloc: Optimize static branches")
> init_on_alloc never enabled static branch by default. It could
> only be enabed explicitly by init_mem_debugging_and_hardening().
>
> But after the 51cba1eb static branch could already be enabled
> by default. There was no code to ever disable it. That caused
> page_poison=1 / init_on_free=1 conflict.
>
> This change extends init_mem_debugging_and_hardening() to also
> disable static branch disabling.
>
> ...
>
> --- a/mm/page_alloc.c
> +++ b/mm/page_alloc.c
> @@ -840,18 +840,22 @@ void init_mem_debugging_and_hardening(void)
> }
> #endif
>
> - if (_init_on_alloc_enabled_early) {
> - if (page_poisoning_requested)
> + if (_init_on_alloc_enabled_early ||
> + IS_ENABLED(CONFIG_INIT_ON_ALLOC_DEFAULT_ON)) {
> + if (page_poisoning_requested) {
> pr_info("mem auto-init: CONFIG_PAGE_POISONING is on, "
> "will take precedence over init_on_alloc\n");
> - else
> + static_branch_disable(&init_on_alloc);
> + } else
> static_branch_enable(&init_on_alloc);
> }
> - if (_init_on_free_enabled_early) {
> - if (page_poisoning_requested)
> + if (_init_on_free_enabled_early ||
> + IS_ENABLED(CONFIG_INIT_ON_FREE_DEFAULT_ON)) {
> + if (page_poisoning_requested) {
> pr_info("mem auto-init: CONFIG_PAGE_POISONING is on, "
> "will take precedence over init_on_free\n");
> - else
> + static_branch_disable(&init_on_free);
> + } else
> static_branch_enable(&init_on_free);
> }
>
I'm thinking this is sufficiently serious and sufficiently reported to
warrant a cc:stable backport. Agree?
Powered by blists - more mailing lists