| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220607190741.GA3644258-robh@kernel.org>
Date: Tue, 7 Jun 2022 13:07:41 -0600
From: Rob Herring <robh@...nel.org>
To: Vaibhav Jain <vaibhav@...ux.ibm.com>
Cc: Prakhar Srivastava <prsriva@...ux.microsoft.com>,
Thiago Jung Bauermann <bauerman@...ux.ibm.com>,
Thiago Jung Bauermann <bauerman@...ux.vnet.ibm.com>,
linux-kernel@...r.kernel.org,
Michael Ellerman <mpe@...erman.id.au>,
devicetree@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
Ritesh Harjani <ritesh.list@...il.com>,
Robin Murphy <robin.murphy@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
Frank Rowand <frowand.list@...il.com>,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
Subject: Re: [PATCH v3] of: check previous kernel's ima-kexec-buffer against
memory bounds
On Tue, 31 May 2022 09:44:46 +0530, Vaibhav Jain wrote:
> Presently ima_get_kexec_buffer() doesn't check if the previous kernel's
> ima-kexec-buffer lies outside the addressable memory range. This can result
> in a kernel panic if the new kernel is booted with 'mem=X' arg and the
> ima-kexec-buffer was allocated beyond that range by the previous kernel.
> The panic is usually of the form below:
>
> $ sudo kexec --initrd initrd vmlinux --append='mem=16G'
>
> <snip>
> BUG: Unable to handle kernel data access on read at 0xc000c01fff7f0000
> Faulting instruction address: 0xc000000000837974
> Oops: Kernel access of bad area, sig: 11 [#1]
> <snip>
> NIP [c000000000837974] ima_restore_measurement_list+0x94/0x6c0
> LR [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160
> Call Trace:
> [c00000000371fa80] [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160
> [c00000000371fb00] [c0000000020512c4] ima_init+0x80/0x108
> [c00000000371fb70] [c0000000020514dc] init_ima+0x4c/0x120
> [c00000000371fbf0] [c000000000012240] do_one_initcall+0x60/0x2c0
> [c00000000371fcc0] [c000000002004ad0] kernel_init_freeable+0x344/0x3ec
> [c00000000371fda0] [c0000000000128a4] kernel_init+0x34/0x1b0
> [c00000000371fe10] [c00000000000ce64] ret_from_kernel_thread+0x5c/0x64
> Instruction dump:
> f92100b8 f92100c0 90e10090 910100a0 4182050c 282a0017 3bc00000 40810330
> 7c0802a6 fb610198 7c9b2378 f80101d0 <a1240000> 2c090001 40820614 e9240010
> ---[ end trace 0000000000000000 ]---
>
> Fix this issue by checking returned PFN range of previous kernel's
> ima-kexec-buffer with page_is_ram() to ensure correct memory bounds.
>
> Fixes: 467d27824920 ("powerpc: ima: get the kexec buffer passed by the previous kernel")
> Cc: Frank Rowand <frowand.list@...il.com>
> Cc: Prakhar Srivastava <prsriva@...ux.microsoft.com>
> Cc: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
> Cc: Thiago Jung Bauermann <bauerman@...ux.ibm.com>
> Cc: Rob Herring <robh@...nel.org>
> Cc: Ritesh Harjani <ritesh.list@...il.com>
> Cc: Robin Murphy <robin.murphy@....com>
> Signed-off-by: Vaibhav Jain <vaibhav@...ux.ibm.com>
> ---
> Changelog
> ==========
> v3:
> * change the type for {start,end}_pfn to unsigned long [ Ritesh ]
> * Switched to page_is_ram() from pfn_vaild() [ Rob ]
>
> v2:
> * Instead of using memblock to determine the valid bounds use pfn_valid() to do
> so since memblock may not be available late after the kernel init. [ Mpe ]
> * Changed the patch prefix from 'powerpc' to 'of' [ Mpe ]
> * Updated the 'Fixes' tag to point to correct commit that introduced this
> function. [ Rob ]
> * Fixed some whitespace/tab issues in the patch description [ Rob ]
> * Added another check for checking ig 'tmp_size' for ima-kexec-buffer is > 0
> ---
> drivers/of/kexec.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
Applied, thanks!
Powered by blists - more mailing lists