lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <7a7a0106-fdd1-40ea-88b3-f803848e0e73@oracle.com>
Date: Mon, 29 Dec 2025 13:36:43 +0530
From: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To: Borislav Petkov <bp@...en8.de>, Andrew Morton
 <akpm@...ux-foundation.org>,
        Jonathan McDowell <noodles@...com>
Cc: henry.willard@...cle.com, Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>,
        "Mike Rapoport (Microsoft)" <rppt@...nel.org>,
        Jiri Bohac <jbohac@...e.cz>, Sourabh Jain <sourabhjain@...ux.ibm.com>,
        Guo Weikang <guoweikang.kernel@...il.com>,
        Ard Biesheuvel <ardb@...nel.org>,
        Joel Granados <joel.granados@...nel.org>,
        Alexander Graf <graf@...zon.com>, Sohil Mehta <sohil.mehta@...el.com>,
        Mimi Zohar <zohar@...ux.ibm.com>, linux-kernel@...r.kernel.org,
        yifei.l.liu@...cle.com, stable@...r.kernel.org,
        Paul Webb <paul.x.webb@...cle.com>
Subject: Re: [PATCH] x86/kexec: Add a sanity check on previous kernel's ima
 kexec buffer

Hi all,

On 01/12/25 23:49, Borislav Petkov wrote:
> On Mon, Dec 01, 2025 at 09:20:20AM -0800, Andrew Morton wrote:
>> On Wed, 12 Nov 2025 11:30:02 -0800 Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com> wrote:
>>
>>> When the second-stage kernel is booted via kexec with a limiting command
>>> line such as "mem=<size>", the physical range that contains the carried
>>> over IMA measurement list may fall outside the truncated RAM leading to
>>> a kernel panic.
>>>
>>>      BUG: unable to handle page fault for address: ffff97793ff47000
>>>      RIP: ima_restore_measurement_list+0xdc/0x45a
>>>      #PF: error_code(0x0000) – not-present page
>>>
>>> Other architectures already validate the range with page_is_ram(), as
>>> done in commit: cbf9c4b9617b ("of: check previous kernel's
>>> ima-kexec-buffer against memory bounds") do a similar check on x86.
> 
> Then why isn't there a ima_validate_range() function there which everyone
> calls instead of the same check being replicated everywhere?
> 

Thanks for the reviews.

Sure, have tried this, will send a V2 with a generic helper.

>>> Cc: stable@...r.kernel.org
>>> Fixes: b69a2afd5afc ("x86/kexec: Carry forward IMA measurement log on kexec")
>>
>> That was via the x86 tree so I assume the x86 team (Boris?) will be
>> processing this patch.
> 
> Yeah, it is on my to-deal-with-after-the-merge-window pile.
> 
> But since you've forced my hand... :-P
> 
>> I'll put it into mm.git's mm-hotfixes branch for now, to get a bit of
>> testing and to generally track its progress.
>>
>>> --- a/arch/x86/kernel/setup.c
>>> +++ b/arch/x86/kernel/setup.c
>>> @@ -439,9 +439,23 @@ int __init ima_free_kexec_buffer(void)
>>>   
>>>   int __init ima_get_kexec_buffer(void **addr, size_t *size)
>>>   {
>>> +	unsigned long start_pfn, end_pfn;
>>> +
>>>   	if (!ima_kexec_buffer_size)
>>>   		return -ENOENT;
>>>   
>>> +	/*
>>> +	 * Calculate the PFNs for the buffer and ensure
>>> +	 * they are with in addressable memory.
>>
>> "within" ;)
>>

Thanks for spotting.

>>> +	 */
>>> +	start_pfn = PFN_DOWN(ima_kexec_buffer_phys);
>>> +	end_pfn = PFN_DOWN(ima_kexec_buffer_phys + ima_kexec_buffer_size - 1);
>>> +	if (!pfn_range_is_mapped(start_pfn, end_pfn)) {
>>> +		pr_warn("IMA buffer at 0x%llx, size = 0x%zx beyond memory\n",
> 
> This error message needs to be made a lot more user-friendly.
> 
> And pls do a generic helper as suggested above which ima code calls.
> 

Will do, thanks for the suggestion.

> And by looking at the diff, there are two ima_get_kexec_buffer() functions in
> the tree which could use some unification too ontop.
> 

In drivers/of/kexec.c we have:

int __init ima_get_kexec_buffer(void **addr, size_t *size)
{
         int ret, len;
         unsigned long tmp_addr;
         unsigned long start_pfn, end_pfn;
         size_t tmp_size;
         const void *prop;

         prop = of_get_property(of_chosen, "linux,ima-kexec-buffer", &len);
         if (!prop)
                 return -ENOENT;

         ret = do_get_kexec_buffer(prop, len, &tmp_addr, &tmp_size);
         if (ret)
                 return ret;

         /* Do some sanity on the returned size for the ima-kexec buffer */
         if (!tmp_size)
                 return -ENOENT;

         /*
          * Calculate the PFNs for the buffer and ensure
          * they are with in addressable memory.
          */
         start_pfn = PHYS_PFN(tmp_addr);
         end_pfn = PHYS_PFN(tmp_addr + tmp_size - 1);
         if (!page_is_ram(start_pfn) || !page_is_ram(end_pfn)) {
                 pr_warn("IMA buffer at 0x%lx, size = 0x%zx beyond 
memory\n",
                         tmp_addr, tmp_size);
                 return -EINVAL;
         }

         *addr = __va(tmp_addr);
         *size = tmp_size;

         return 0;
}

In arch/x86/kernel/setup.c we have something like:

int __init ima_get_kexec_buffer(void **addr, size_t *size)
{
         if (!ima_kexec_buffer_size)
                 return -ENOENT;

         *addr = __va(ima_kexec_buffer_phys);
         *size = ima_kexec_buffer_size;

         return 0;
}

I will try to generalize common parts in another patch.

Will send a V2 adding ima_validate_range() helper.

Thanks,
Harshit.

> Right?
> 
> Thx.
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ