From: Kees Cook <keescook@chromium.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>, Arnd Bergmann <arnd@arndb.de>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Joerg Roedel <jroedel@suse.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Toshi Kani <toshi.kani@hpe.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH] x86/mm: Fix preallocated PMD stack array
Date: Mon, 8 Oct 2018 16:54:34 -0700
Message-ID: <20181008235434.GA35035@beast>
While trying to remove VLAs in pgd_alloc(), a typo was made and a use
of PREALLOCATED_PMDS was replaced with the new MAX_PREALLOCATED_USER_PMDS
(note "...USER..."). Instead, we also need a new MAX_PREALLOCATED_PMDS.
This adds it and fixes the stack array size.
Without this fix, 32-bit kernels would trip the stack protector at boot:
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pgd_alloc+0x29e/0x2a0
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.19.0-rc6+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
Call Trace:
dump_stack+0x66/0x95
panic+0x94/0x1dd
__stack_chk_fail+0x1e/0x20
? pgd_alloc+0x29e/0x2a0
pgd_alloc+0x29e/0x2a0
mm_init.isra.60+0x1ec/0x210
mm_alloc+0x30/0x40
__do_execve_file+0x378/0x930
? __do_execve_file+0x108/0x930
? kmem_cache_alloc+0x123/0x220
do_execve+0x2c/0x30
run_init_process+0x31/0x36
? rest_init+0xb0/0xb0
try_to_run_init_process+0x11/0x33
? rest_init+0xb0/0xb0
kernel_init+0x9e/0xda
ret_from_fork+0x2e/0x38
Kernel Offset: disabled
---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pgd_alloc+0x29e/0x2a0 ]---
Reported-by: Borislav Petkov <bp@alien8.de>
Fixes: 1be3f247c288 ("x86/mm: Avoid VLA in pgd_alloc()")
Signed-off-by: Kees Cook <keescook@chromium.org>
---
arch/x86/mm/pgtable.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
index 386b43e3e0ac..59274e2c1ac4 100644
--- a/arch/x86/mm/pgtable.c
+++ b/arch/x86/mm/pgtable.c
@@ -115,6 +115,8 @@ static inline void pgd_list_del(pgd_t *pgd)
#define UNSHARED_PTRS_PER_PGD \
(SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
+#define MAX_UNSHARED_PTRS_PER_PGD \
+ max_t(size_t, KERNEL_PGD_BOUNDARY, PTRS_PER_PGD)
static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
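Review bot: MAX_UNSHARED_PTRS_PER_PGD deserves a one-line comment explaining why it exists next to UNSHARED_PTRS_PER_PGD: the existing macro depends on SHARED_KERNEL_PMD, which is not a compile-time constant, so it cannot size a stack array, whereas max_t(size_t, KERNEL_PGD_BOUNDARY, PTRS_PER_PGD) is a constant upper bound that is always >= the runtime value. Without that comment a later reader may "simplify" one of the two macros away and reintroduce the VLA or the undersized array.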
@@ -181,6 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
* and initialize the kernel pmds here.
*/
#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
+#define MAX_PREALLOCATED_PMDS MAX_UNSHARED_PTRS_PER_PGD
/*
* We allocate separate PMDs for the kernel part of the user page-table
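Review bot: Defining MAX_PREALLOCATED_PMDS directly beside PREALLOCATED_PMDS is the right place for it, since it mirrors the existing PREALLOCATED_USER_PMDS / MAX_PREALLOCATED_USER_PMDS pair; consider extending the comment above ("and initialize the kernel pmds here") to say that the MAX_ variant is the compile-time bound for the stack array in pgd_alloc() while the plain variant is the runtime count, so the two are kept in step whenever one of them changes.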
@@ -211,6 +214,7 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
/* No need to prepopulate any pagetable entries in non-PAE modes. */
#define PREALLOCATED_PMDS 0
+#define MAX_PREALLOCATED_PMDS 0
#define PREALLOCATED_USER_PMDS 0
#define MAX_PREALLOCATED_USER_PMDS 0
#endif /* CONFIG_X86_PAE */
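Review bot: The non-PAE branch now defines all four macros as 0, which keeps the two kernel/user pairs symmetric and yields zero-length pmds[] and u_pmds[] arrays in pgd_alloc(), the same pattern the existing MAX_PREALLOCATED_USER_PMDS 0 already relies on; no functional concern here, only that the 0 definitions stay grouped so a future reader sees at a glance that every PREALLOCATED_* macro has a MAX_ counterpart in both branches.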
@@ -431,7 +435,7 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
{
pgd_t *pgd;
pmd_t *u_pmds[MAX_PREALLOCATED_USER_PMDS];
- pmd_t *pmds[MAX_PREALLOCATED_USER_PMDS];
+ pmd_t *pmds[MAX_PREALLOCATED_PMDS];
pgd = _pgd_alloc();
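Review bot: This hunk is the actual fix and it is correct: pmds[] was sized by MAX_PREALLOCATED_USER_PMDS, which can be smaller than PREALLOCATED_PMDS, so the preallocation of PREALLOCATED_PMDS entries wrote past the end of the stack array, which is exactly the stack-protector panic in pgd_alloc() quoted in the commit message. To stop the two bounds drifting apart again it would be worth a short comment on the two array declarations ("sized by MAX_*, filled up to PREALLOCATED_*") or, if the loop counts can be expressed as constants, a BUILD_BUG_ON pairing each MAX_ bound with its runtime count.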
--
2.17.1
--
Kees Cook
Pixel Security