From: Kristen Carlson Accardi <kristen@linux.intel.com>
To: keescook@chromium.org, tglx@linutronix.de, mingo@redhat.com,
bp@alien8.de, x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>
Cc: arjan@linux.intel.com, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com, rick.p.edgecombe@intel.com,
Kristen Carlson Accardi <kristen@linux.intel.com>
Subject: [PATCH v5 06/10] x86/boot/compressed: Avoid duplicate malloc() implementations
Date: Wed, 23 Sep 2020 10:39:00 -0700 [thread overview]
Message-ID: <20200923173905.11219-7-kristen@linux.intel.com> (raw)
In-Reply-To: <20200923173905.11219-1-kristen@linux.intel.com>
From: Kees Cook <keescook@chromium.org>
The preboot malloc() (and free()) implementation in
include/linux/decompress/mm.h (which is also included by the
static decompressors) is static. This is fine when the only thing
interested in using malloc() is the decompression code, but the
x86 preboot environment uses malloc() in a couple places, leading to a
potential collision when the static copies of the available memory
region ("malloc_ptr") gets reset to the global "free_mem_ptr" value.
As it happens, the existing usage pattern happened to be safe because each
user did 1 malloc() and 1 free() before returning and were not nested:
extract_kernel() (misc.c)
choose_random_location() (kaslr.c)
mem_avoid_init()
handle_mem_options()
malloc()
...
free()
...
parse_elf() (misc.c)
malloc()
...
free()
Adding FGKASLR, however, will insert additional malloc() calls local to
fgkaslr.c in the middle of parse_elf()'s malloc()/free() pair:
parse_elf() (misc.c)
malloc()
if (...) {
layout_randomized_image(output, &ehdr, phdrs);
malloc() <- boom
...
else
layout_image(output, &ehdr, phdrs);
free()
To avoid collisions, there must be a single implementation of malloc().
Adjust include/linux/decompress/mm.h so that visibility can be
controlled, provide prototypes in misc.h, and implement the functions in
misc.c. This also results in a small size savings:
$ size vmlinux.before vmlinux.after
text data bss dec hex filename
8842314 468 178320 9021102 89a6ae vmlinux.before
8842240 468 178320 9021028 89a664 vmlinux.after
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kristen Carlson Accardi <kristen@linux.intel.com>
---
arch/x86/boot/compressed/kaslr.c | 4 ----
arch/x86/boot/compressed/misc.c | 3 +++
arch/x86/boot/compressed/misc.h | 2 ++
include/linux/decompress/mm.h | 12 ++++++++++--
4 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index dde7cb3724df..e811071ce5d2 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -32,10 +32,6 @@
#include <generated/utsrelease.h>
#include <asm/efi.h>
-/* Macros used by the included decompressor code below. */
-#define STATIC
-#include <linux/decompress/mm.h>
-
#ifdef CONFIG_X86_5LEVEL
unsigned int __pgtable_l5_enabled;
unsigned int pgdir_shift __ro_after_init = 39;
diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
index e478e40fbe5a..dc396321eba8 100644
--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -28,6 +28,9 @@
/* Macros used by the included decompressor code below. */
#define STATIC static
+/* Define an externally visible malloc()/free(). */
+#define MALLOC_VISIBLE
+#include <linux/decompress/mm.h>
/*
* Provide definitions of memzero and memmove as some of the decompressors will
diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
index 726e264410ff..81fbc8d686fa 100644
--- a/arch/x86/boot/compressed/misc.h
+++ b/arch/x86/boot/compressed/misc.h
@@ -39,6 +39,8 @@
/* misc.c */
extern memptr free_mem_ptr;
extern memptr free_mem_end_ptr;
+extern void *malloc(int size);
+extern void free(void *where);
extern struct boot_params *boot_params;
void __putstr(const char *s);
void __puthex(unsigned long value);
diff --git a/include/linux/decompress/mm.h b/include/linux/decompress/mm.h
index 868e9eacd69e..9192986b1a73 100644
--- a/include/linux/decompress/mm.h
+++ b/include/linux/decompress/mm.h
@@ -25,13 +25,21 @@
#define STATIC_RW_DATA static
#endif
+/*
+ * When an architecture needs to share the malloc()/free() implementation
+ * between compilation units, it needs to have non-local visibility.
+ */
+#ifndef MALLOC_VISIBLE
+#define MALLOC_VISIBLE static
+#endif
+
/* A trivial malloc implementation, adapted from
* malloc by Hannu Savolainen 1993 and Matthias Urlichs 1994
*/
STATIC_RW_DATA unsigned long malloc_ptr;
STATIC_RW_DATA int malloc_count;
-static void *malloc(int size)
+MALLOC_VISIBLE void *malloc(int size)
{
void *p;
@@ -52,7 +60,7 @@ static void *malloc(int size)
return p;
}
-static void free(void *where)
+MALLOC_VISIBLE void free(void *where)
{
malloc_count--;
if (!malloc_count)
--
2.20.1
next prev parent reply other threads:[~2020-09-23 17:40 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-23 17:38 [PATCH v5 00/10] Function Granular KASLR Kristen Carlson Accardi
2020-09-23 17:38 ` [PATCH v5 01/10] x86: tools/relocs: Support >64K section headers Kristen Carlson Accardi
2020-09-23 17:38 ` [PATCH v5 02/10] x86/boot: Allow a "silent" kaslr random byte fetch Kristen Carlson Accardi
2020-09-23 17:38 ` [PATCH v5 03/10] x86: Makefile: Add build and config option for CONFIG_FG_KASLR Kristen Carlson Accardi
2020-09-23 17:38 ` [PATCH v5 04/10] x86: Make sure _etext includes function sections Kristen Carlson Accardi
2020-09-23 17:38 ` [PATCH v5 05/10] x86/tools: Add relative relocs for randomized functions Kristen Carlson Accardi
2020-09-23 17:39 ` Kristen Carlson Accardi [this message]
2020-09-23 17:39 ` [PATCH v5 07/10] x86: Add support for function granular KASLR Kristen Carlson Accardi
2020-09-23 17:39 ` [PATCH v5 08/10] kallsyms: Hide layout Kristen Carlson Accardi
2020-09-23 17:39 ` [PATCH v5 09/10] module: Reorder functions Kristen Carlson Accardi
2020-09-23 17:39 ` [PATCH v5 10/10] livepatch: only match unique symbols when using fgkaslr Kristen Carlson Accardi
2020-09-24 13:06 ` Miroslav Benes
2020-09-24 13:06 ` Miroslav Benes
2020-09-25 13:06 ` [PATCH v5 00/10] Function Granular KASLR Miroslav Benes
2020-09-25 13:06 ` Miroslav Benes
2020-09-28 17:31 ` Kristen Carlson Accardi
2020-09-28 17:31 ` Kristen Carlson Accardi
2020-09-29 18:58 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200923173905.11219-7-kristen@linux.intel.com \
--to=kristen@linux.intel.com \
--cc=arjan@linux.intel.com \
--cc=bp@alien8.de \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.