lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID:
 <TYCP286MB0895F65439037ED134FEA7DDBCD12@TYCP286MB0895.JPNP286.PROD.OUTLOOK.COM>
Date: Sat, 29 Jun 2024 12:49:08 +0800
From: Shiji Yang <yangshiji66@...look.com>
To: linux-mips@...r.kernel.org
Cc: Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
	Arnd Bergmann <arnd@...db.de>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Javier Martinez Canillas <javierm@...hat.com>,
	Khalid Aziz <khalid@...ehiking.org>,
	Baoquan He <bhe@...hat.com>,
	Jiaxun Yang <jiaxun.yang@...goat.com>,
	Serge Semin <fancer.lancer@...il.com>,
	linux-kernel@...r.kernel.org,
	Shiji Yang <yangshiji66@...look.com>,
	Mieczyslaw Nalewaj <namiltd@...oo.com>
Subject: [PATCH v3] mips: kernel: fix detect_memory_region() function

1. Do not use memcmp() on unallocated memory, as the new introduced
   fortify dynamic object size check[1] will return unexpected result.
2. Use a fixed pattern instead of a random function pointer as the
   magic value. "0xaa5555aa" has a large information entropy and is
   widely used in memory testing.
3. Flip the magic value and double check it to ensure memory overlap.

Tested on ralink/mt7620 and ath79/ar9344

[1] commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available")
Signed-off-by: Shiji Yang <yangshiji66@...look.com>
Tested-by: Mieczyslaw Nalewaj <namiltd@...oo.com>
---

changes:
v2 -> v3:
* Using CKSEG1ADDR_OR_64BIT() instead of excluding 64bit system.

* Using volatile pointer to get and compare u32 data.

v1: 
https://lore.kernel.org/all/TYAP286MB0315E609C476B86E22700626BC292@TYAP286MB0315.JPNP286.PROD.OUTLOOK.COM/

v2:
https://lore.kernel.org/all/TYCP286MB089598ABD1E2F66003D71EB8BCD52@TYCP286MB0895.JPNP286.PROD.OUTLOOK.COM/ 

 arch/mips/kernel/setup.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c
index 12a1a4ffb602..4197c7568f49 100644
--- a/arch/mips/kernel/setup.c
+++ b/arch/mips/kernel/setup.c
@@ -86,21 +86,26 @@ static struct resource bss_resource = { .name = "Kernel bss", };
 unsigned long __kaslr_offset __ro_after_init;
 EXPORT_SYMBOL(__kaslr_offset);
 
-static void *detect_magic __initdata = detect_memory_region;
-
 #ifdef CONFIG_MIPS_AUTO_PFN_OFFSET
 unsigned long ARCH_PFN_OFFSET;
 EXPORT_SYMBOL(ARCH_PFN_OFFSET);
 #endif
 
+#define MIPS_MEM_TEST_PATTERN		0xaa5555aa
+
 void __init detect_memory_region(phys_addr_t start, phys_addr_t sz_min, phys_addr_t sz_max)
 {
-	void *dm = &detect_magic;
+	u32 detect_magic;
+	volatile u32 *dm = (volatile u32 *)CKSEG1ADDR_OR_64BIT(&detect_magic);
 	phys_addr_t size;
 
 	for (size = sz_min; size < sz_max; size <<= 1) {
-		if (!memcmp(dm, dm + size, sizeof(detect_magic)))
-			break;
+		*dm = MIPS_MEM_TEST_PATTERN;
+		if (*dm == *(volatile u32 *)((void *)dm + size)) {
+			*dm = ~MIPS_MEM_TEST_PATTERN;
+			if (*dm == *(volatile u32 *)((void *)dm + size))
+				break;
+		}
 	}
 
 	pr_debug("Memory: %lluMB of RAM detected at 0x%llx (min: %lluMB, max: %lluMB)\n",
-- 
2.45.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ