From: Kees Cook <keescook@chromium.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>, Arnd Bergmann <arnd@arndb.de>,
	Andrew Morton <akpm@linux-foundation.org>,
	Andy Lutomirski <luto@kernel.org>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Joerg Roedel <jroedel@suse.de>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Toshi Kani <toshi.kani@hpe.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH] x86/mm: Fix preallocated PMD stack array
Date: Mon, 8 Oct 2018 16:54:34 -0700
Message-ID: <20181008235434.GA35035@beast>

While trying to remove VLAs in pgd_alloc(), a typo was made and a use
of PREALLOCATED_PMDS was replaced with the new MAX_PREALLOCATED_USER_PMDS
(note "...USER..."). Instead, we also need a new MAX_PREALLOCATED_PMDS.
This adds it and fixes the stack array size.

Without this fix, 32-bit kernels would trip the stack protector at boot:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pgd_alloc+0x29e/0x2a0
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W         4.19.0-rc6+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
Call Trace:
 dump_stack+0x66/0x95
 panic+0x94/0x1dd
 __stack_chk_fail+0x1e/0x20
 ? pgd_alloc+0x29e/0x2a0
 pgd_alloc+0x29e/0x2a0
 mm_init.isra.60+0x1ec/0x210
 mm_alloc+0x30/0x40
 __do_execve_file+0x378/0x930
 ? __do_execve_file+0x108/0x930
 ? kmem_cache_alloc+0x123/0x220
 do_execve+0x2c/0x30
 run_init_process+0x31/0x36
 ? rest_init+0xb0/0xb0
 try_to_run_init_process+0x11/0x33
 ? rest_init+0xb0/0xb0
 kernel_init+0x9e/0xda
 ret_from_fork+0x2e/0x38
Kernel Offset: disabled
---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pgd_alloc+0x29e/0x2a0 ]---

Reported-by: Borislav Petkov <bp@alien8.de>
Fixes: 1be3f247c288 ("x86/mm: Avoid VLA in pgd_alloc()")
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 arch/x86/mm/pgtable.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
index 386b43e3e0ac..59274e2c1ac4 100644
--- a/arch/x86/mm/pgtable.c
+++ b/arch/x86/mm/pgtable.c
@@ -115,6 +115,8 @@ static inline void pgd_list_del(pgd_t *pgd)
 
 #define UNSHARED_PTRS_PER_PGD				\
 	(SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
+#define MAX_UNSHARED_PTRS_PER_PGD			\
+	max_t(size_t, KERNEL_PGD_BOUNDARY, PTRS_PER_PGD)
 
 
 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
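Review bot: MAX_UNSHARED_PTRS_PER_PGD deserves a one-line comment explaining why it sits beside UNSHARED_PTRS_PER_PGD: the existing macro picks KERNEL_PGD_BOUNDARY or PTRS_PER_PGD depending on SHARED_KERNEL_PMD, which is what made the original arrays VLAs, so the max_t() of both arms is the compile-time upper bound that fixed-size stack arrays must be declared with. Something like `/* Upper bound of UNSHARED_PTRS_PER_PGD, for fixed-size arrays. */` above the new define would keep the next reader from sizing a buffer with the wrong of the two, which is exactly the mistake this patch repairs.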
@@ -181,6 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
  * and initialize the kernel pmds here.
  */
 #define PREALLOCATED_PMDS	UNSHARED_PTRS_PER_PGD
+#define MAX_PREALLOCATED_PMDS	MAX_UNSHARED_PTRS_PER_PGD
 
 /*
  * We allocate separate PMDs for the kernel part of the user page-table
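Review bot: the comment block ending at `* and initialize the kernel pmds here.` documents PREALLOCATED_PMDS but says nothing about the new MAX_PREALLOCATED_PMDS; extend it to state that MAX_PREALLOCATED_PMDS is the fixed upper bound used to size on-stack arrays while PREALLOCATED_PMDS stays the count actually iterated, mirroring the PREALLOCATED_USER_PMDS / MAX_PREALLOCATED_USER_PMDS pair. Without that, the two names differ only by a prefix and the mix-up that produced the stack corruption in pgd_alloc() is easy to repeat.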
@@ -211,6 +214,7 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
 
 /* No need to prepopulate any pagetable entries in non-PAE modes. */
 #define PREALLOCATED_PMDS	0
+#define MAX_PREALLOCATED_PMDS	0
 #define PREALLOCATED_USER_PMDS	 0
 #define MAX_PREALLOCATED_USER_PMDS 0
 #endif	/* CONFIG_X86_PAE */
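Review bot: alignment in the non-PAE group is inconsistent: `#define PREALLOCATED_PMDS	0` and the new `#define MAX_PREALLOCATED_PMDS	0` put a tab before the value, `#define PREALLOCATED_USER_PMDS	 0` has a tab plus a space, and `#define MAX_PREALLOCATED_USER_PMDS 0` a single space. Since the hunk touches this block anyway, line the four values up in one column so the pairs read as pairs. The zero bound itself is right here: with no PAE there are no PMDs to preallocate, so pmds[] in pgd_alloc() becomes zero-length, the same treatment u_pmds[] already gets from MAX_PREALLOCATED_USER_PMDS.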
@@ -431,7 +435,7 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
 {
 	pgd_t *pgd;
 	pmd_t *u_pmds[MAX_PREALLOCATED_USER_PMDS];
-	pmd_t *pmds[MAX_PREALLOCATED_USER_PMDS];
+	pmd_t *pmds[MAX_PREALLOCATED_PMDS];
 
 	pgd = _pgd_alloc();
 
-- 
2.17.1


-- 
Kees Cook
Pixel Security
