From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Neeraj Upadhyay <neeraju@codeaurora.org>,
Srinivas Ramana <sramana@codeaurora.org>,
Will Deacon <will.deacon@arm.com>
Subject: [PATCH 4.9 71/88] arm64: kaslr: Fix up the kernel image alignment
Date: Tue, 28 Mar 2017 14:31:26 +0200 [thread overview]
Message-ID: <20170328122751.563231612@linuxfoundation.org> (raw)
In-Reply-To: <20170328122748.656530096@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neeraj Upadhyay <neeraju@codeaurora.org>
commit afd0e5a876703accb95894f23317a13e2c49b523 upstream.
If kernel image extends across alignment boundary, existing
code increases the KASLR offset by size of kernel image. The
offset is masked after resizing. There are cases, where after
masking, we may still have kernel image extending across
boundary. This eventually results in only 2MB block getting
mapped while creating the page tables. This results in data aborts
while accessing unmapped regions during second relocation (with
kaslr offset) in __primary_switch. To fix this problem, round up the
kernel image size, by swapper block size, before adding it for
correction.
For example consider below case, where kernel image still crosses
1GB alignment boundary, after masking the offset, which is fixed
by rounding up kernel image size.
SWAPPER_TABLE_SHIFT = 30
Swapper using section maps with section size 2MB.
CONFIG_PGTABLE_LEVELS = 3
VA_BITS = 39
_text : 0xffffff8008080000
_end : 0xffffff800aa1b000
offset : 0x1f35600000
mask = ((1UL << (VA_BITS - 2)) - 1) & ~(SZ_2M - 1)
(_text + offset) >> SWAPPER_TABLE_SHIFT = 0x3fffffe7c
(_end + offset) >> SWAPPER_TABLE_SHIFT = 0x3fffffe7d
offset after existing correction (before mask) = 0x1f37f9b000
(_text + offset) >> SWAPPER_TABLE_SHIFT = 0x3fffffe7d
(_end + offset) >> SWAPPER_TABLE_SHIFT = 0x3fffffe7d
offset (after mask) = 0x1f37e00000
(_text + offset) >> SWAPPER_TABLE_SHIFT = 0x3fffffe7c
(_end + offset) >> SWAPPER_TABLE_SHIFT = 0x3fffffe7d
new offset w/ rounding up = 0x1f38000000
(_text + offset) >> SWAPPER_TABLE_SHIFT = 0x3fffffe7d
(_end + offset) >> SWAPPER_TABLE_SHIFT = 0x3fffffe7d
Fixes: f80fb3a3d508 ("arm64: add support for kernel ASLR")
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Signed-off-by: Srinivas Ramana <sramana@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/kaslr.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/arch/arm64/kernel/kaslr.c
+++ b/arch/arm64/kernel/kaslr.c
@@ -131,11 +131,15 @@ u64 __init kaslr_early_init(u64 dt_phys,
/*
* The kernel Image should not extend across a 1GB/32MB/512MB alignment
* boundary (for 4KB/16KB/64KB granule kernels, respectively). If this
- * happens, increase the KASLR offset by the size of the kernel image.
+ * happens, increase the KASLR offset by the size of the kernel image
+ * rounded up by SWAPPER_BLOCK_SIZE.
*/
if ((((u64)_text + offset + modulo_offset) >> SWAPPER_TABLE_SHIFT) !=
- (((u64)_end + offset + modulo_offset) >> SWAPPER_TABLE_SHIFT))
- offset = (offset + (u64)(_end - _text)) & mask;
+ (((u64)_end + offset + modulo_offset) >> SWAPPER_TABLE_SHIFT)) {
+ u64 kimg_sz = _end - _text;
+ offset = (offset + round_up(kimg_sz, SWAPPER_BLOCK_SIZE))
+ & mask;
+ }
if (IS_ENABLED(CONFIG_KASAN))
/*
next prev parent reply other threads:[~2017-03-28 13:01 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-28 12:30 [PATCH 4.9 00/88] 4.9.19-stable review Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 01/88] net/openvswitch: Set the ipv6 source tunnel key address attribute correctly Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 02/88] net: bcmgenet: Do not suspend PHY if Wake-on-LAN is enabled Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 03/88] net: properly release sk_frag.page Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 04/88] amd-xgbe: Fix jumbo MTU processing on newer hardware Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 05/88] openvswitch: Add missing case OVS_TUNNEL_KEY_ATTR_PAD Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 06/88] net: unix: properly re-increment inflight counter of GC discarded candidates Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 08/88] net: vrf: Reset rt6i_idev in local dst after put Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 09/88] net/mlx5: Add missing entries for set/query rate limit commands Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 10/88] net/mlx5e: Use the proper UAPI values when offloading TC vlan actions Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 11/88] net/mlx5: Increase number of max QPs in default profile Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 12/88] net/mlx5e: Count GSO packets correctly Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 13/88] net/mlx5e: Count LRO " Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 14/88] ipv6: make sure to initialize sockc.tsflags before first use Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 15/88] net: bcmgenet: remove bcmgenet_internal_phy_setup() Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 16/88] ipv4: provide stronger user input validation in nl_fib_input() Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 17/88] socket, bpf: fix sk_filter use after free in sk_clone_lock Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 18/88] tcp: initialize icsk_ack.lrcvtime at session start time Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 19/88] Input: ALPS - fix V8+ protocol handling (73 03 28) Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 20/88] Input: ALPS - fix trackstick button handling on V8 devices Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 21/88] Input: elan_i2c - add ASUS EeeBook X205TA special touchpad fw Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 22/88] Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000 Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 23/88] Input: iforce - validate number of endpoints before using them Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 24/88] Input: ims-pcu " Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 25/88] Input: hanwang " Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 26/88] Input: yealink " Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 27/88] Input: cm109 " Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 28/88] Input: kbtab " Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 29/88] Input: sur40 " Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 30/88] ALSA: seq: Fix racy cell insertions during snd_seq_pool_done() Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 31/88] ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 32/88] ALSA: hda - Adding a group of pin definition to fix headset problem Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 33/88] USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 36/88] usb: gadget: f_uvc: Fix SuperSpeed companion descriptors wBytesPerInterval Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 37/88] usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 38/88] USB: uss720: fix NULL-deref at probe Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 39/88] USB: lvtest: " Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 40/88] USB: idmouse: " Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 41/88] USB: wusbcore: " Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 42/88] usb: musb: cppi41: dont check early-TX-interrupt for Isoch transfer Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 43/88] usb: hub: Fix crash after failure to read BOS descriptor Greg Kroah-Hartman
2017-03-28 12:30 ` [PATCH 4.9 44/88] USB: usbtmc: add missing endpoint sanity check Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 45/88] USB: usbtmc: fix probe error path Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 46/88] uwb: i1480-dfu: fix NULL-deref at probe Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 47/88] uwb: hwa-rc: " Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 48/88] mmc: ushc: " Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 49/88] iio: adc: ti_am335x_adc: fix fifo overrun recovery Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 50/88] iio: sw-device: Fix config group initialization Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 51/88] iio: hid-sensor-trigger: Change get poll value function order to avoid sensor properties losing after resume from S3 Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 52/88] iio: magnetometer: ak8974: remove incorrect __exit markups Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 53/88] parport: fix attempt to write duplicate procfiles Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 54/88] ext4: mark inode dirty after converting inline directory Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 55/88] ext4: lock the xattr block before checksuming it Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 56/88] powerpc/64s: Fix idle wakeup potential to clobber registers Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 57/88] mmc: sdhci-of-at91: Support external regulators Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 58/88] mmc: sdhci-of-arasan: fix incorrect timeout clock Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 59/88] mmc: sdhci: Do not disable interrupts while waiting for clock Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 60/88] mmc: sdhci-pci: Do not disable interrupts in sdhci_intel_set_power Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 61/88] hwrng: amd - Revert managed API changes Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 62/88] hwrng: geode " Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 63/88] clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module clock Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 64/88] clk: sunxi-ng: mp: Adjust parent rate for pre-dividers Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 65/88] mwifiex: pcie: dont leak DMA buffers when removing Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 66/88] crypto: ccp - Assign DMA commands to the channels CCP Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 67/88] xen/acpi: upload PM state from init-domain to Xen Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 68/88] iommu/vt-d: Fix NULL pointer dereference in device_to_iommu Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 69/88] Revert "ARM: at91/dt: sama5d2: Use new compatible for ohci node" Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 70/88] ARM: at91: pm: cpu_idle: switch DDR to power-down mode Greg Kroah-Hartman
2017-03-28 12:31 ` Greg Kroah-Hartman [this message]
2017-03-28 12:31 ` [PATCH 4.9 72/88] cpufreq: Restore policy min/max limits on CPU online Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 73/88] cgroup, net_cls: iterate the fds of only the tasks which are being migrated Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 74/88] blk-mq: dont complete un-started request in timeout handler Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 75/88] libceph: force GFP_NOIO for socket allocations Greg Kroah-Hartman
2017-03-29 8:09 ` Michal Hocko
2017-03-28 12:31 ` [PATCH 4.9 76/88] drm/amdgpu: reinstate oland workaround for sclk Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 77/88] auxdisplay: img-ascii-lcd: add missing sentinel entry in img_ascii_lcd_matches Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 78/88] jbd2: dont leak memory if setting up journal fails Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 79/88] intel_th: Dont leak module refcount on failure to activate Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 80/88] Drivers: hv: vmbus: Dont leak channel ids Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 81/88] Drivers: hv: vmbus: Dont leak memory when a channel is rescinded Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 82/88] libceph: dont set weight to IN when OSD is destroyed Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 83/88] device-dax: fix pmd/pte fault fallback handling Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 84/88] drm/bridge: analogix dp: Fix runtime PM state on driver bind Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 85/88] nl80211: fix dumpit error path RTNL deadlocks Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 86/88] drm: reference count event->completion Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 87/88] fbcon: Fix vc attr at deinit Greg Kroah-Hartman
2017-03-28 12:31 ` [PATCH 4.9 88/88] crypto: algif_hash - avoid zero-sized array Greg Kroah-Hartman
2017-03-28 19:39 ` [PATCH 4.9 00/88] 4.9.19-stable review Shuah Khan
2017-03-29 4:48 ` Guenter Roeck
[not found] ` <58daa23e.4b542e0a.1135a.4d6e@mx.google.com>
[not found] ` <m2o9wl9ozj.fsf@baylibre.com>
2017-03-29 5:47 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170328122751.563231612@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=neeraju@codeaurora.org \
--cc=sramana@codeaurora.org \
--cc=stable@vger.kernel.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.