lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250509074635.3187114-14-changyuanl@google.com>
Date: Fri,  9 May 2025 00:46:31 -0700
From: Changyuan Lyu <changyuanl@...gle.com>
To: akpm@...ux-foundation.org, linux-kernel@...r.kernel.org
Cc: anthony.yznaga@...cle.com, arnd@...db.de, ashish.kalra@....com, 
	benh@...nel.crashing.org, bp@...en8.de, catalin.marinas@....com, 
	corbet@....net, dave.hansen@...ux.intel.com, devicetree@...r.kernel.org, 
	dwmw2@...radead.org, ebiederm@...ssion.com, graf@...zon.com, hpa@...or.com, 
	jgowans@...zon.com, kexec@...ts.infradead.org, krzk@...nel.org, 
	linux-arm-kernel@...ts.infradead.org, linux-doc@...r.kernel.org, 
	linux-mm@...ck.org, luto@...nel.org, mark.rutland@....com, mingo@...hat.com, 
	pasha.tatashin@...een.com, pbonzini@...hat.com, peterz@...radead.org, 
	ptyadav@...zon.de, robh@...nel.org, rostedt@...dmis.org, rppt@...nel.org, 
	saravanak@...gle.com, skinsburskii@...ux.microsoft.com, tglx@...utronix.de, 
	thomas.lendacky@....com, will@...nel.org, x86@...nel.org, 
	Changyuan Lyu <changyuanl@...gle.com>
Subject: [PATCH v8 13/17] x86/boot: make sure KASLR does not step over KHO
 preserved memory

From: Alexander Graf <graf@...zon.com>

During kexec handover (KHO) memory contains data that should be
preserved and this data would be consumed by kexec'ed kernel.

To make sure that the preserved memory is not overwritten, KHO uses
"scratch regions" to bootstrap kexec'ed kernel. These regions are
guaranteed to not have any memory that KHO would preserve and are used as
the only memory the kernel sees during the early boot.

The scratch regions are passed in the setup_data by the first kernel with
other KHO parameters. If the setup_data contains the KHO parameters, limit
randomization to scratch areas only to make sure preserved memory won't get
overwritten.

Since all the pointers in setup_data are represented by u64, they require
double casting (first to unsigned long and then to the actual pointer type)
to compile on 32-bits. This looks goofy out of context, but it is
unfortunately the way that this is handled across the tree. There are at
least a dozen instances of casting like this.

Signed-off-by: Alexander Graf <graf@...zon.com>
Co-developed-by: Mike Rapoport (Microsoft) <rppt@...nel.org>
Signed-off-by: Mike Rapoport (Microsoft) <rppt@...nel.org>
Co-developed-by: Changyuan Lyu <changyuanl@...gle.com>
Signed-off-by: Changyuan Lyu <changyuanl@...gle.com>
---
 arch/x86/boot/compressed/kaslr.c | 50 +++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index f03d59ea6e40f..3b0948ad449f9 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -760,6 +760,49 @@ static void process_e820_entries(unsigned long minimum,
 	}
 }
 
+/*
+ * If KHO is active, only process its scratch areas to ensure we are not
+ * stepping onto preserved memory.
+ */
+static bool process_kho_entries(unsigned long minimum, unsigned long image_size)
+{
+	struct kho_scratch *kho_scratch;
+	struct setup_data *ptr;
+	struct kho_data *kho;
+	int i, nr_areas = 0;
+
+	if (!IS_ENABLED(CONFIG_KEXEC_HANDOVER))
+		return false;
+
+	ptr = (struct setup_data *)(unsigned long)boot_params_ptr->hdr.setup_data;
+	while (ptr) {
+		if (ptr->type == SETUP_KEXEC_KHO) {
+			kho = (struct kho_data *)(unsigned long)ptr->data;
+			kho_scratch = (void *)(unsigned long)kho->scratch_addr;
+			nr_areas = kho->scratch_size / sizeof(*kho_scratch);
+			break;
+		}
+
+		ptr = (struct setup_data *)(unsigned long)ptr->next;
+	}
+
+	if (!nr_areas)
+		return false;
+
+	for (i = 0; i < nr_areas; i++) {
+		struct kho_scratch *area = &kho_scratch[i];
+		struct mem_vector region = {
+			.start = area->addr,
+			.size = area->size,
+		};
+
+		if (process_mem_region(&region, minimum, image_size))
+			break;
+	}
+
+	return true;
+}
+
 static unsigned long find_random_phys_addr(unsigned long minimum,
 					   unsigned long image_size)
 {
@@ -775,7 +818,12 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
 		return 0;
 	}
 
-	if (!process_efi_entries(minimum, image_size))
+	/*
+	 * During kexec handover only process KHO scratch areas that are known
+	 * not to contain any data that must be preserved.
+	 */
+	if (!process_kho_entries(minimum, image_size) &&
+	    !process_efi_entries(minimum, image_size))
 		process_e820_entries(minimum, image_size);
 
 	phys_addr = slots_fetch_random();
-- 
2.49.0.1015.ga840276032-goog


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ