| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 May 2022 01:35:47 +0530
From: Vaibhav Jain <vaibhav@...ux.ibm.com>
To: linuxppc-dev@...ts.ozlabs.org, devicetree@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: Vaibhav Jain <vaibhav@...ux.ibm.com>,
Frank Rowand <frowand.list@...il.com>,
Prakhar Srivastava <prsriva@...ux.microsoft.com>,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
Thiago Jung Bauermann <bauerman@...ux.ibm.com>,
Rob Herring <robh@...nel.org>
Subject: [PATCH] powerpc: check previous kernel's ima-kexec-buffer against memory bounds
Presently ima_get_kexec_buffer() doesn't check if the previous kernel's
ima-kexec-buffer lies outside the addressable memory range. This can result
in a kernel panic if the new kernel is booted with 'mem=X' arg and the
ima-kexec-buffer was allocated beyond that range by the previous kernel.
The panic is usually of the form below:
$ sudo kexec --initrd initrd vmlinux --append='mem=16G'
<snip>
BUG: Unable to handle kernel data access on read at 0xc000c01fff7f0000
Faulting instruction address: 0xc000000000837974
Oops: Kernel access of bad area, sig: 11 [#1]
<snip>
NIP [c000000000837974] ima_restore_measurement_list+0x94/0x6c0
LR [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160
Call Trace:
[c00000000371fa80] [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160
[c00000000371fb00] [c0000000020512c4] ima_init+0x80/0x108
[c00000000371fb70] [c0000000020514dc] init_ima+0x4c/0x120
[c00000000371fbf0] [c000000000012240] do_one_initcall+0x60/0x2c0
[c00000000371fcc0] [c000000002004ad0] kernel_init_freeable+0x344/0x3ec
[c00000000371fda0] [c0000000000128a4] kernel_init+0x34/0x1b0
[c00000000371fe10] [c00000000000ce64] ret_from_kernel_thread+0x5c/0x64
Instruction dump:
f92100b8 f92100c0 90e10090 910100a0 4182050c 282a0017 3bc00000 40810330
7c0802a6 fb610198 7c9b2378 f80101d0 <a1240000> 2c090001 40820614 e9240010
---[ end trace 0000000000000000 ]---
Fix this issue by checking returned address/size of previous kernel's
ima-kexec-buffer against memblock's memory bounds.
Fixes: fee3ff99bc67("powerpc: Move arch independent ima kexec functions to
drivers/of/kexec.c")
Cc: Frank Rowand <frowand.list@...il.com>
Cc: Prakhar Srivastava <prsriva@...ux.microsoft.com>
Cc: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
Cc: Thiago Jung Bauermann <bauerman@...ux.ibm.com>
Cc: Rob Herring <robh@...nel.org>
Signed-off-by: Vaibhav Jain <vaibhav@...ux.ibm.com>
---
drivers/of/kexec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/of/kexec.c b/drivers/of/kexec.c
index b9bd1cff1793..c73007eda52d 100644
--- a/drivers/of/kexec.c
+++ b/drivers/of/kexec.c
@@ -140,6 +140,13 @@ int ima_get_kexec_buffer(void **addr, size_t *size)
if (ret)
return ret;
+ /* if the ima-kexec-buffer goes beyond the addressable memory */
+ if (!memblock_is_region_memory(tmp_addr, tmp_size)) {
+ pr_warn("IMA buffer at 0x%lx, size = 0x%zx beyond memory\n",
+ tmp_addr, tmp_size);
+ return -EINVAL;
+ }
+
*addr = __va(tmp_addr);
*size = tmp_size;
--
2.35.1
Powered by blists - more mailing lists