lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20251201092020.88628d787ac7e66dd3c31a15@linux-foundation.org>
Date: Mon, 1 Dec 2025 09:20:20 -0800
From: Andrew Morton <akpm@...ux-foundation.org>
To: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Cc: henry.willard@...cle.com, Thomas Gleixner <tglx@...utronix.de>, Ingo
 Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen
 <dave.hansen@...ux.intel.com>, x86@...nel.org, "H. Peter Anvin"
 <hpa@...or.com>, "Mike Rapoport (Microsoft)" <rppt@...nel.org>, Jiri Bohac
 <jbohac@...e.cz>, Sourabh Jain <sourabhjain@...ux.ibm.com>, Guo Weikang
 <guoweikang.kernel@...il.com>, Ard Biesheuvel <ardb@...nel.org>, Joel
 Granados <joel.granados@...nel.org>, Alexander Graf <graf@...zon.com>,
 Sohil Mehta <sohil.mehta@...el.com>, Mimi Zohar <zohar@...ux.ibm.com>,
 Jonathan McDowell <noodles@...com>, linux-kernel@...r.kernel.org,
 yifei.l.liu@...cle.com, stable@...r.kernel.org, Paul Webb
 <paul.x.webb@...cle.com>
Subject: Re: [PATCH] x86/kexec: Add a sanity check on previous kernel's ima
 kexec buffer

On Wed, 12 Nov 2025 11:30:02 -0800 Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com> wrote:

> When the second-stage kernel is booted via kexec with a limiting command
> line such as "mem=<size>", the physical range that contains the carried
> over IMA measurement list may fall outside the truncated RAM leading to
> a kernel panic.
> 
>     BUG: unable to handle page fault for address: ffff97793ff47000
>     RIP: ima_restore_measurement_list+0xdc/0x45a
>     #PF: error_code(0x0000) – not-present page
> 
> Other architectures already validate the range with page_is_ram(), as
> done in commit: cbf9c4b9617b ("of: check previous kernel's
> ima-kexec-buffer against memory bounds") do a similar check on x86.

Thanks.

> Cc: stable@...r.kernel.org
> Fixes: b69a2afd5afc ("x86/kexec: Carry forward IMA measurement log on kexec")

That was via the x86 tree so I assume the x86 team (Boris?) will be
processing this patch.

I'll put it into mm.git's mm-hotfixes branch for now, to get a bit of
testing and to generally track its progress.

> --- a/arch/x86/kernel/setup.c
> +++ b/arch/x86/kernel/setup.c
> @@ -439,9 +439,23 @@ int __init ima_free_kexec_buffer(void)
>  
>  int __init ima_get_kexec_buffer(void **addr, size_t *size)
>  {
> +	unsigned long start_pfn, end_pfn;
> +
>  	if (!ima_kexec_buffer_size)
>  		return -ENOENT;
>  
> +	/*
> +	 * Calculate the PFNs for the buffer and ensure
> +	 * they are with in addressable memory.

"within" ;)

> +	 */
> +	start_pfn = PFN_DOWN(ima_kexec_buffer_phys);
> +	end_pfn = PFN_DOWN(ima_kexec_buffer_phys + ima_kexec_buffer_size - 1);
> +	if (!pfn_range_is_mapped(start_pfn, end_pfn)) {
> +		pr_warn("IMA buffer at 0x%llx, size = 0x%zx beyond memory\n",
> +			ima_kexec_buffer_phys, ima_kexec_buffer_size);
> +		return -EINVAL;
> +	}
> +
>  	*addr = __va(ima_kexec_buffer_phys);
>  	*size = ima_kexec_buffer_size;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ